diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index e02f8eb..839f003 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -57,7 +57,7 @@ jobs:
 go-version: 'stable'
 - name: Install alzlibtool
- run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.5
+ run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.7
 - name: Azure login
 uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
@@ -72,7 +72,7 @@ jobs:
 if [ -z "$(git status -suno)" ]; then
 echo "README.md is up to date"
 else
- echo "README.md is out of date"
+ echo "README.md is out of date, generate using 'alzlibtool document library . >README.md'"
 git --no-pager diff
 exit 1
 fi
diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml
index 12a935c..ea3b79f 100644
--- a/.github/workflows/update-alz.yml
+++ b/.github/workflows/update-alz.yml
@@ -44,7 +44,7 @@ jobs:
 go-version: 'stable'
 - name: install alzlibtool
- run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.5
+ run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.7
 - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 id: generate-token
diff --git a/platform/slz/README.md b/platform/slz/README.md
new file mode 100644
index 0000000..d7dd143
--- /dev/null
+++ b/platform/slz/README.md
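Review bot: The condition the new message belongs to still uses `git status -suno`, which excludes untracked files, so a README.md that alzlibtool generates into a library directory that has no committed README yet (the situation platform/slz was in before this commit) never makes the status output non-empty, the step prints "up to date", and `git --no-pager diff` would show nothing for it either. If the intent is to catch any generated output, drop the `-uno` flag: `if [ -z "$(git status --porcelain)" ]; then`; if ignoring untracked files is deliberate (for example to skip tool build artefacts), a one-line comment above the `if` saying so would spare the next reader the same question. The `run:` block this hunk belongs to starts before the hunk, so I cannot see which directory the status is taken in.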
@@ -0,0 +1,859 @@ +# SLZ (Sovereign Landing Zones) + +This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture. + +## Dependencies + +- platform/alz@2024.07.02 + +## Usage + +```terraform +provider "alz" { + library_references = [ + { + path = "platform/slz" + tag = "0000.00.0" # Replace with the desired version + } + ] +} +``` + +## Architectures + +The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes: + +### architecture `alz` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. + +```mermaid +flowchart TD + alzroot["ALZ root +(root)"] + alzroot --> landingzones + landingzones["Landing zones +(landing_zones)"] + landingzones --> corp + corp["Corp +(corp)"] + landingzones --> online + online["Online +(online)"] + alzroot --> platform + platform["Platform +(platform)"] + platform --> connectivity + connectivity["Connectivity +(connectivity)"] + platform --> identity + identity["Identity +(identity)"] + platform --> management + management["Management +(management)"] + alzroot --> sandboxes + sandboxes["Sandboxes +(sandboxes)"] + +``` + +### architecture `slz` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. 
+ +```mermaid +flowchart TD + mcfs["Sovereign Landing Zone +(global, root)"] + mcfs --> mcfs-decommissioned + mcfs-decommissioned["Decommissioned +(decommissioned)"] + mcfs --> mcfs-landingzones + mcfs-landingzones["Landing Zones +(landing_zones)"] + mcfs-landingzones --> mcfs-landingzones-confidential-corp + mcfs-landingzones-confidential-corp["Confidential Corp +(confidential, corp)"] + mcfs-landingzones --> mcfs-landingzones-confidential-online + mcfs-landingzones-confidential-online["Confidential Online +(confidential, online)"] + mcfs-landingzones --> mcfs-landingzones-corp + mcfs-landingzones-corp["Corp +(corp)"] + mcfs-landingzones --> mcfs-landingzones-online + mcfs-landingzones-online["Online +(online)"] + mcfs --> mcfs-platform + mcfs-platform["Platform +(platform)"] + mcfs-platform --> mcfs-platform-connectivity + mcfs-platform-connectivity["Connectivity +(connectivity)"] + mcfs-platform --> mcfs-platform-identity + mcfs-platform-identity["Identity +(identity)"] + mcfs-platform --> mcfs-platform-management + mcfs-platform-management["Management +(management)"] + mcfs --> mcfs-sandbox + mcfs-sandbox["Sandbox +(sandboxes)"] + +``` + +## Archetypes + +### archetype `confidential` + +#### confidential policy assignments + +
1 policy assignments + +- Enforce-Sovereign-Conf +
+ +### archetype `connectivity` + +#### connectivity policy assignments + +
1 policy assignments + +- Enable-DDoS-VNET +
+ +### archetype `corp` + +#### corp policy assignments + +
5 policy assignments + +- Audit-PeDnsZones +- Deny-HybridNetworking +- Deny-Public-Endpoints +- Deny-Public-IP-On-NIC +- Deploy-Private-DNS-Zones +
+ +### archetype `decommissioned` + +#### decommissioned policy assignments + +
1 policy assignments + +- Enforce-ALZ-Decomm +
+ +### archetype `global` + +#### global policy assignments + +
1 policy assignments + +- Enforce-Sovereign-Global +
+ +### archetype `identity` + +#### identity policy assignments + +
4 policy assignments + +- Deny-MgmtPorts-Internet +- Deny-Public-IP +- Deny-Subnet-Without-Nsg +- Deploy-VM-Backup +
+ +### archetype `landing_zones` + +#### landing_zones policy assignments + +
25 policy assignments + +- Audit-AppGW-WAF +- Deny-IP-forwarding +- Deny-MgmtPorts-Internet +- Deny-Priv-Esc-AKS +- Deny-Privileged-AKS +- Deny-Storage-http +- Deny-Subnet-Without-Nsg +- Deploy-AKS-Policy +- Deploy-AzSqlDb-Auditing +- Deploy-MDFC-DefSQL-AMA +- Deploy-SQL-TDE +- Deploy-SQL-Threat +- Deploy-VM-Backup +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enable-DDoS-VNET +- Enforce-AKS-HTTPS +- Enforce-ASR +- Enforce-GR-KeyVault +- Enforce-TLS-SSL-H224 +
+ +### archetype `management` + +#### management policy assignments + +
1 policy assignments + +- Deploy-Log-Analytics +
+ +### archetype `platform` + +#### platform policy assignments + +
11 policy assignments + +- DenyAction-DeleteUAMIAMA +- Deploy-MDFC-DefSQL-AMA +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enforce-ASR +- Enforce-GR-KeyVault +
+ +### archetype `root` + +#### root policy definitions + +
158 policy definitions + +- Append-AppService-httpsonly +- Append-AppService-latestTLS +- Append-KV-SoftDelete +- Append-Redis-disableNonSslPort +- Append-Redis-sslEnforcement +- Audit-AzureHybridBenefit +- Audit-Disks-UnusedResourcesCostOptimization +- Audit-MachineLearning-PrivateEndpointId +- Audit-PrivateLinkDnsZones +- Audit-PublicIpAddresses-UnusedResourcesCostOptimization +- Audit-ServerFarms-UnusedResourcesCostOptimization +- Deny-AA-child-resources +- Deny-APIM-TLS +- Deny-AppGW-Without-WAF +- Deny-AppGw-Without-Tls +- Deny-AppService-without-BYOC +- Deny-AppServiceApiApp-http +- Deny-AppServiceFunctionApp-http +- Deny-AppServiceWebApp-http +- Deny-AzFw-Without-Policy +- Deny-CognitiveServices-NetworkAcls +- Deny-CognitiveServices-Resource-Kinds +- Deny-CognitiveServices-RestrictOutboundNetworkAccess +- Deny-Databricks-NoPublicIp +- Deny-Databricks-Sku +- Deny-Databricks-VirtualNetwork +- Deny-EH-Premium-CMK +- Deny-EH-minTLS +- Deny-FileServices-InsecureAuth +- Deny-FileServices-InsecureKerberos +- Deny-FileServices-InsecureSmbChannel +- Deny-FileServices-InsecureSmbVersions +- Deny-LogicApp-Public-Network +- Deny-LogicApps-Without-Https +- Deny-MachineLearning-Aks +- Deny-MachineLearning-Compute-SubnetId +- Deny-MachineLearning-Compute-VmSize +- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess +- Deny-MachineLearning-ComputeCluster-Scale +- Deny-MachineLearning-HbiWorkspace +- Deny-MachineLearning-PublicAccessWhenBehindVnet +- Deny-MachineLearning-PublicNetworkAccess +- Deny-MgmtPorts-From-Internet +- Deny-MySql-http +- Deny-PostgreSql-http +- Deny-Private-DNS-Zones +- Deny-PublicEndpoint-MariaDB +- Deny-PublicIP +- Deny-RDP-From-Internet +- Deny-Redis-http +- Deny-Service-Endpoints +- Deny-Sql-minTLS +- Deny-SqlMi-minTLS +- Deny-Storage-ContainerDeleteRetentionPolicy +- Deny-Storage-CopyScope +- Deny-Storage-CorsRules +- Deny-Storage-LocalUser +- Deny-Storage-NetworkAclsBypass +- Deny-Storage-NetworkAclsVirtualNetworkRules +- 
Deny-Storage-ResourceAccessRulesResourceId +- Deny-Storage-ResourceAccessRulesTenantId +- Deny-Storage-SFTP +- Deny-Storage-ServicesEncryption +- Deny-Storage-minTLS +- Deny-StorageAccount-CustomDomain +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Penp +- Deny-Subnet-Without-Udr +- Deny-UDR-With-Specific-NextHop +- Deny-VNET-Peer-Cross-Sub +- Deny-VNET-Peering-To-Non-Approved-VNETs +- Deny-VNet-Peering +- DenyAction-ActivityLogs +- DenyAction-DeleteResources +- DenyAction-DiagnosticLogs +- Deploy-ASC-SecurityContacts +- Deploy-Budget +- Deploy-Custom-Route-Table +- Deploy-DDoSProtection +- Deploy-Diagnostics-AA +- Deploy-Diagnostics-ACI +- Deploy-Diagnostics-ACR +- Deploy-Diagnostics-APIMgmt +- Deploy-Diagnostics-AVDScalingPlans +- Deploy-Diagnostics-AnalysisService +- Deploy-Diagnostics-ApiForFHIR +- Deploy-Diagnostics-ApplicationGateway +- Deploy-Diagnostics-Bastion +- Deploy-Diagnostics-CDNEndpoints +- Deploy-Diagnostics-CognitiveServices +- Deploy-Diagnostics-CosmosDB +- Deploy-Diagnostics-DLAnalytics +- Deploy-Diagnostics-DataExplorerCluster +- Deploy-Diagnostics-DataFactory +- Deploy-Diagnostics-Databricks +- Deploy-Diagnostics-EventGridSub +- Deploy-Diagnostics-EventGridSystemTopic +- Deploy-Diagnostics-EventGridTopic +- Deploy-Diagnostics-ExpressRoute +- Deploy-Diagnostics-Firewall +- Deploy-Diagnostics-FrontDoor +- Deploy-Diagnostics-Function +- Deploy-Diagnostics-HDInsight +- Deploy-Diagnostics-LoadBalancer +- Deploy-Diagnostics-LogAnalytics +- Deploy-Diagnostics-LogicAppsISE +- Deploy-Diagnostics-MariaDB +- Deploy-Diagnostics-MediaService +- Deploy-Diagnostics-MlWorkspace +- Deploy-Diagnostics-MySQL +- Deploy-Diagnostics-NIC +- Deploy-Diagnostics-NetworkSecurityGroups +- Deploy-Diagnostics-PostgreSQL +- Deploy-Diagnostics-PowerBIEmbedded +- Deploy-Diagnostics-RedisCache +- Deploy-Diagnostics-Relay +- Deploy-Diagnostics-SQLElasticPools +- Deploy-Diagnostics-SQLMI +- Deploy-Diagnostics-SignalR +- Deploy-Diagnostics-TimeSeriesInsights +- 
Deploy-Diagnostics-TrafficManager +- Deploy-Diagnostics-VM +- Deploy-Diagnostics-VMSS +- Deploy-Diagnostics-VNetGW +- Deploy-Diagnostics-VWanS2SVPNGW +- Deploy-Diagnostics-VirtualNetwork +- Deploy-Diagnostics-WVDAppGroup +- Deploy-Diagnostics-WVDHostPools +- Deploy-Diagnostics-WVDWorkspace +- Deploy-Diagnostics-WebServerFarm +- Deploy-Diagnostics-Website +- Deploy-Diagnostics-iotHub +- Deploy-FirewallPolicy +- Deploy-LogicApp-TLS +- Deploy-MDFC-Arc-SQL-DCR-Association +- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR +- Deploy-MDFC-SQL-AMA +- Deploy-MDFC-SQL-DefenderSQL +- Deploy-MDFC-SQL-DefenderSQL-DCR +- Deploy-MySQL-sslEnforcement +- Deploy-Nsg-FlowLogs +- Deploy-Nsg-FlowLogs-to-LA +- Deploy-PostgreSQL-sslEnforcement +- Deploy-Private-DNS-Generic +- Deploy-SQL-minTLS +- Deploy-Sql-AuditingSettings +- Deploy-Sql-SecurityAlertPolicies +- Deploy-Sql-Tde +- Deploy-Sql-vulnerabilityAssessments +- Deploy-Sql-vulnerabilityAssessments_20230706 +- Deploy-SqlMi-minTLS +- Deploy-Storage-sslEnforcement +- Deploy-UserAssignedManagedIdentity-VMInsights +- Deploy-VNET-HubSpoke +- Deploy-Vm-autoShutdown +- Deploy-Windows-DomainJoin +- Modify-NSG +- Modify-UDR +
+ +#### root policy set definitions + +
45 policy set definitions + +- Audit-TrustedLaunch +- Audit-UnusedResourcesCostOptimization +- Deny-PublicPaaSEndpoints +- DenyAction-DeleteProtection +- Deploy-AUM-CheckUpdates +- Deploy-Diagnostics-LogAnalytics +- Deploy-MDFC-Config +- Deploy-MDFC-Config_20240319 +- Deploy-MDFC-DefenderSQL-AMA +- Deploy-Private-DNS-Zones +- Deploy-Sql-Security +- Deploy-Sql-Security_20240529 +- Enforce-ACSB +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-Backup +- Enforce-EncryptTransit +- Enforce-EncryptTransit_20240509 +- Enforce-Encryption-CMK +- Enforce-Guardrails-APIM +- Enforce-Guardrails-AppServices +- Enforce-Guardrails-Automation +- Enforce-Guardrails-CognitiveServices +- Enforce-Guardrails-Compute +- Enforce-Guardrails-ContainerApps +- Enforce-Guardrails-ContainerInstance +- Enforce-Guardrails-ContainerRegistry +- Enforce-Guardrails-CosmosDb +- Enforce-Guardrails-DataExplorer +- Enforce-Guardrails-DataFactory +- Enforce-Guardrails-EventGrid +- Enforce-Guardrails-EventHub +- Enforce-Guardrails-KeyVault +- Enforce-Guardrails-KeyVault-Sup +- Enforce-Guardrails-Kubernetes +- Enforce-Guardrails-MachineLearning +- Enforce-Guardrails-MySQL +- Enforce-Guardrails-Network +- Enforce-Guardrails-OpenAI +- Enforce-Guardrails-PostgreSQL +- Enforce-Guardrails-SQL +- Enforce-Guardrails-ServiceBus +- Enforce-Guardrails-Storage +- Enforce-Guardrails-Synapse +- Enforce-Guardrails-VirtualDesktop +
+ +#### root policy assignments + +
15 policy assignments + +- Audit-ResourceRGLocation +- Audit-TrustedLaunch +- Audit-UnusedResources +- Audit-ZoneResiliency +- Deny-Classic-Resources +- Deny-UnmanagedDisk +- Deploy-ASC-Monitoring +- Deploy-AzActivity-Log +- Deploy-Diag-Logs +- Deploy-MDEndpoints +- Deploy-MDEndpointsAMA +- Deploy-MDFC-Config-H224 +- Deploy-MDFC-OssDb +- Deploy-MDFC-SqlAtp +- Enforce-ACSB +
+ +#### root role definitions + +
5 role definitions + +- Application-Owners +- Network-Management +- Network-Subnet-Contributor +- Security-Operations +- Subscription-Owner +
+ +### archetype `sandboxes` + +#### sandboxes policy assignments + +
1 policy assignments + +- Enforce-ALZ-Sandbox +
+ +## Policy Default Values + +The following policy default values are available in this library: + +### default name `allowedLocationsForConfidentialComputing` + +#### assignment `Enforce-Sovereign-Conf` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `ddos_protection_plan_effect` + +#### assignment `Enable-DDoS-VNET` + +
1 parameter names + +- effect +
+ +### default name `ddos_protection_plan_id` + +#### assignment `Enable-DDoS-VNET` + +
1 parameter names + +- ddosPlan +
+ +### default name `emailSecurityContact` + +#### assignment `Deploy-MDFC-Config-H224` + +
1 parameter names + +- emailSecurityContact +
+ +### default name `listOfAllowedLocations` + +#### assignment `Enforce-Sovereign-Global` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `policyEffect` + +#### assignment `Enforce-Sovereign-Conf` + +
1 parameter names + +- effect +
+ +#### assignment `Enforce-Sovereign-Global` + +
1 parameter names + +- effect +
+ +--- +## Contents + +### all policy definitions + +
158 policy definitions + +- Append-AppService-httpsonly +- Append-AppService-latestTLS +- Append-KV-SoftDelete +- Append-Redis-disableNonSslPort +- Append-Redis-sslEnforcement +- Audit-AzureHybridBenefit +- Audit-Disks-UnusedResourcesCostOptimization +- Audit-MachineLearning-PrivateEndpointId +- Audit-PrivateLinkDnsZones +- Audit-PublicIpAddresses-UnusedResourcesCostOptimization +- Audit-ServerFarms-UnusedResourcesCostOptimization +- Deny-AA-child-resources +- Deny-APIM-TLS +- Deny-AppGW-Without-WAF +- Deny-AppGw-Without-Tls +- Deny-AppService-without-BYOC +- Deny-AppServiceApiApp-http +- Deny-AppServiceFunctionApp-http +- Deny-AppServiceWebApp-http +- Deny-AzFw-Without-Policy +- Deny-CognitiveServices-NetworkAcls +- Deny-CognitiveServices-Resource-Kinds +- Deny-CognitiveServices-RestrictOutboundNetworkAccess +- Deny-Databricks-NoPublicIp +- Deny-Databricks-Sku +- Deny-Databricks-VirtualNetwork +- Deny-EH-Premium-CMK +- Deny-EH-minTLS +- Deny-FileServices-InsecureAuth +- Deny-FileServices-InsecureKerberos +- Deny-FileServices-InsecureSmbChannel +- Deny-FileServices-InsecureSmbVersions +- Deny-LogicApp-Public-Network +- Deny-LogicApps-Without-Https +- Deny-MachineLearning-Aks +- Deny-MachineLearning-Compute-SubnetId +- Deny-MachineLearning-Compute-VmSize +- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess +- Deny-MachineLearning-ComputeCluster-Scale +- Deny-MachineLearning-HbiWorkspace +- Deny-MachineLearning-PublicAccessWhenBehindVnet +- Deny-MachineLearning-PublicNetworkAccess +- Deny-MgmtPorts-From-Internet +- Deny-MySql-http +- Deny-PostgreSql-http +- Deny-Private-DNS-Zones +- Deny-PublicEndpoint-MariaDB +- Deny-PublicIP +- Deny-RDP-From-Internet +- Deny-Redis-http +- Deny-Service-Endpoints +- Deny-Sql-minTLS +- Deny-SqlMi-minTLS +- Deny-Storage-ContainerDeleteRetentionPolicy +- Deny-Storage-CopyScope +- Deny-Storage-CorsRules +- Deny-Storage-LocalUser +- Deny-Storage-NetworkAclsBypass +- Deny-Storage-NetworkAclsVirtualNetworkRules +- 
Deny-Storage-ResourceAccessRulesResourceId +- Deny-Storage-ResourceAccessRulesTenantId +- Deny-Storage-SFTP +- Deny-Storage-ServicesEncryption +- Deny-Storage-minTLS +- Deny-StorageAccount-CustomDomain +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Penp +- Deny-Subnet-Without-Udr +- Deny-UDR-With-Specific-NextHop +- Deny-VNET-Peer-Cross-Sub +- Deny-VNET-Peering-To-Non-Approved-VNETs +- Deny-VNet-Peering +- DenyAction-ActivityLogs +- DenyAction-DeleteResources +- DenyAction-DiagnosticLogs +- Deploy-ASC-SecurityContacts +- Deploy-Budget +- Deploy-Custom-Route-Table +- Deploy-DDoSProtection +- Deploy-Diagnostics-AA +- Deploy-Diagnostics-ACI +- Deploy-Diagnostics-ACR +- Deploy-Diagnostics-APIMgmt +- Deploy-Diagnostics-AVDScalingPlans +- Deploy-Diagnostics-AnalysisService +- Deploy-Diagnostics-ApiForFHIR +- Deploy-Diagnostics-ApplicationGateway +- Deploy-Diagnostics-Bastion +- Deploy-Diagnostics-CDNEndpoints +- Deploy-Diagnostics-CognitiveServices +- Deploy-Diagnostics-CosmosDB +- Deploy-Diagnostics-DLAnalytics +- Deploy-Diagnostics-DataExplorerCluster +- Deploy-Diagnostics-DataFactory +- Deploy-Diagnostics-Databricks +- Deploy-Diagnostics-EventGridSub +- Deploy-Diagnostics-EventGridSystemTopic +- Deploy-Diagnostics-EventGridTopic +- Deploy-Diagnostics-ExpressRoute +- Deploy-Diagnostics-Firewall +- Deploy-Diagnostics-FrontDoor +- Deploy-Diagnostics-Function +- Deploy-Diagnostics-HDInsight +- Deploy-Diagnostics-LoadBalancer +- Deploy-Diagnostics-LogAnalytics +- Deploy-Diagnostics-LogicAppsISE +- Deploy-Diagnostics-MariaDB +- Deploy-Diagnostics-MediaService +- Deploy-Diagnostics-MlWorkspace +- Deploy-Diagnostics-MySQL +- Deploy-Diagnostics-NIC +- Deploy-Diagnostics-NetworkSecurityGroups +- Deploy-Diagnostics-PostgreSQL +- Deploy-Diagnostics-PowerBIEmbedded +- Deploy-Diagnostics-RedisCache +- Deploy-Diagnostics-Relay +- Deploy-Diagnostics-SQLElasticPools +- Deploy-Diagnostics-SQLMI +- Deploy-Diagnostics-SignalR +- Deploy-Diagnostics-TimeSeriesInsights +- 
Deploy-Diagnostics-TrafficManager +- Deploy-Diagnostics-VM +- Deploy-Diagnostics-VMSS +- Deploy-Diagnostics-VNetGW +- Deploy-Diagnostics-VWanS2SVPNGW +- Deploy-Diagnostics-VirtualNetwork +- Deploy-Diagnostics-WVDAppGroup +- Deploy-Diagnostics-WVDHostPools +- Deploy-Diagnostics-WVDWorkspace +- Deploy-Diagnostics-WebServerFarm +- Deploy-Diagnostics-Website +- Deploy-Diagnostics-iotHub +- Deploy-FirewallPolicy +- Deploy-LogicApp-TLS +- Deploy-MDFC-Arc-SQL-DCR-Association +- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR +- Deploy-MDFC-SQL-AMA +- Deploy-MDFC-SQL-DefenderSQL +- Deploy-MDFC-SQL-DefenderSQL-DCR +- Deploy-MySQL-sslEnforcement +- Deploy-Nsg-FlowLogs +- Deploy-Nsg-FlowLogs-to-LA +- Deploy-PostgreSQL-sslEnforcement +- Deploy-Private-DNS-Generic +- Deploy-SQL-minTLS +- Deploy-Sql-AuditingSettings +- Deploy-Sql-SecurityAlertPolicies +- Deploy-Sql-Tde +- Deploy-Sql-vulnerabilityAssessments +- Deploy-Sql-vulnerabilityAssessments_20230706 +- Deploy-SqlMi-minTLS +- Deploy-Storage-sslEnforcement +- Deploy-UserAssignedManagedIdentity-VMInsights +- Deploy-VNET-HubSpoke +- Deploy-Vm-autoShutdown +- Deploy-Windows-DomainJoin +- Modify-NSG +- Modify-UDR +
+ +### all policy set definitions + +
45 policy set definitions + +- Audit-TrustedLaunch +- Audit-UnusedResourcesCostOptimization +- Deny-PublicPaaSEndpoints +- DenyAction-DeleteProtection +- Deploy-AUM-CheckUpdates +- Deploy-Diagnostics-LogAnalytics +- Deploy-MDFC-Config +- Deploy-MDFC-Config_20240319 +- Deploy-MDFC-DefenderSQL-AMA +- Deploy-Private-DNS-Zones +- Deploy-Sql-Security +- Deploy-Sql-Security_20240529 +- Enforce-ACSB +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-Backup +- Enforce-EncryptTransit +- Enforce-EncryptTransit_20240509 +- Enforce-Encryption-CMK +- Enforce-Guardrails-APIM +- Enforce-Guardrails-AppServices +- Enforce-Guardrails-Automation +- Enforce-Guardrails-CognitiveServices +- Enforce-Guardrails-Compute +- Enforce-Guardrails-ContainerApps +- Enforce-Guardrails-ContainerInstance +- Enforce-Guardrails-ContainerRegistry +- Enforce-Guardrails-CosmosDb +- Enforce-Guardrails-DataExplorer +- Enforce-Guardrails-DataFactory +- Enforce-Guardrails-EventGrid +- Enforce-Guardrails-EventHub +- Enforce-Guardrails-KeyVault +- Enforce-Guardrails-KeyVault-Sup +- Enforce-Guardrails-Kubernetes +- Enforce-Guardrails-MachineLearning +- Enforce-Guardrails-MySQL +- Enforce-Guardrails-Network +- Enforce-Guardrails-OpenAI +- Enforce-Guardrails-PostgreSQL +- Enforce-Guardrails-SQL +- Enforce-Guardrails-ServiceBus +- Enforce-Guardrails-Storage +- Enforce-Guardrails-Synapse +- Enforce-Guardrails-VirtualDesktop +
+ +### all policy assignments + +
71 policy assignments + +- Audit-AppGW-WAF +- Audit-PeDnsZones +- Audit-ResourceRGLocation +- Audit-TrustedLaunch +- Audit-UnusedResources +- Audit-ZoneResiliency +- Deny-AppGW-Without-WAF +- Deny-Classic-Resources +- Deny-DataB-Pip +- Deny-DataB-Sku +- Deny-DataB-Vnet +- Deny-HybridNetworking +- Deny-IP-forwarding +- Deny-MgmtPorts-Internet +- Deny-Priv-Esc-AKS +- Deny-Private-DNS-Zones +- Deny-Privileged-AKS +- Deny-Public-Endpoints +- Deny-Public-IP +- Deny-Public-IP-On-NIC +- Deny-RDP-From-Internet +- Deny-RSG-Locations +- Deny-Resource-Locations +- Deny-Resource-Types +- Deny-Storage-http +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Udr +- Deny-UnmanagedDisk +- DenyAction-DeleteUAMIAMA +- Deploy-AKS-Policy +- Deploy-ASC-Monitoring +- Deploy-AzActivity-Log +- Deploy-AzSqlDb-Auditing +- Deploy-Diag-Logs +- Deploy-Log-Analytics +- Deploy-MDEndpoints +- Deploy-MDEndpointsAMA +- Deploy-MDFC-Config +- Deploy-MDFC-Config-H224 +- Deploy-MDFC-DefSQL-AMA +- Deploy-MDFC-DefenSQL-AMA +- Deploy-MDFC-OssDb +- Deploy-MDFC-SqlAtp +- Deploy-Private-DNS-Zones +- Deploy-Resource-Diag +- Deploy-SQL-DB-Auditing +- Deploy-SQL-Security +- Deploy-SQL-TDE +- Deploy-SQL-Threat +- Deploy-UAMI-VMInsights +- Deploy-VM-Backup +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enable-AUM-VM-Windows +- Enable-AUM-VMHyb-Windows +- Enable-DDoS-VNET +- Enforce-ACSB +- Enforce-AKS-HTTPS +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-ASR +- Enforce-GR-KeyVault +- Enforce-Sovereign-Conf +- Enforce-Sovereign-Global +- Enforce-TLS-SSL +- Enforce-TLS-SSL-H224 +
+ +### all role definitions + +
5 role definitions + +- Application-Owners +- Network-Management +- Network-Subnet-Contributor +- Security-Operations +- Subscription-Owner +
+
\ No newline at end of file
diff --git a/platform/slz/alz_library_metadata.json b/platform/slz/alz_library_metadata.json
index 0000000..fc77399 100644
--- /dev/null
+++ b/platform/slz/alz_library_metadata.json
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json",
+ "name": "SLZ",
+ "display_name": "Sovereign Landing Zones",
+ "description": "This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture.",
+ "path": "platform/slz",
+ "dependencies": [
+ {
+ "path": "platform/alz",
+ "ref": "2024.07.02"
+ }
+ ]
+}
diff --git a/platform/slz/alz_policy_default_values.json b/platform/slz/alz_policy_default_values.json
new file mode 100644
index 0000000..0306292
--- /dev/null
+++ b/platform/slz/alz_policy_default_values.json
@@ -0,0 +1,76 @@
+{
+ "defaults": [
+ {
+ "default_name": "allowedLocationsForConfidentialComputing",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "listOfAllowedLocations"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Conf"
+ }
+ ]
+ },
+ {
+ "default_name": "listOfAllowedLocations",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "listOfAllowedLocations"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Global"
+ }
+ ]
+ },
+ {
+ "default_name": "policyEffect",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Conf"
+ },
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Global"
+ }
+ ]
+ },
+ {
+ "default_name": "ddos_protection_plan_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "ddosPlan"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "ddos_protection_plan_effect",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "emailSecurityContact",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "emailSecurityContact"
+ ],
+ "policy_assignment_name": "Deploy-MDFC-Config-H224"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json b/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
new file mode 100644
index 0000000..9ce83e9
--- /dev/null
+++ b/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "confidential",
+ "policy_assignments": [
+ "Enforce-Sovereign-Conf"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
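Review bot: The `policyEffect` default fans out to the `effect` parameter of both `Enforce-Sovereign-Conf` and `Enforce-Sovereign-Global`, so a consumer who overrides it for one purpose (for example to a non-denying effect while rolling out the confidential-computing restriction) also relaxes the global allowed-locations assignment; the two enforcement tiers cannot be tuned independently through defaults. If the default names are not fixed by a consumer contract, splitting this entry into two defaults, one per assignment, removes the coupling; if one shared knob is intentional, that is worth stating in the library README next to the default's entry. The `ddos_protection_plan_effect` and `ddos_protection_plan_id` entries in the same file already follow a one-default-per-concern layout, so only `policyEffect` stands out.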
diff --git a/platform/slz/archetype_definitions/global.alz_archetype_definition.json b/platform/slz/archetype_definitions/global.alz_archetype_definition.json
new file mode 100644
index 0000000..2a6db9f
--- /dev/null
+++ b/platform/slz/archetype_definitions/global.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "global",
+ "policy_assignments": [
+ "Enforce-Sovereign-Global"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
diff --git a/platform/slz/architecture_definitions/slz.alz_architecture_definition.json b/platform/slz/architecture_definitions/slz.alz_architecture_definition.json
new file mode 100644
index 0000000..e667d2e
--- /dev/null
+++ b/platform/slz/architecture_definitions/slz.alz_architecture_definition.json
@@ -0,0 +1,89 @@
+{
+ "name": "slz",
+ "management_groups": [
+ {
+ "archetypes": ["global", "root"],
+ "display_name": "Sovereign Landing Zone",
+ "exists": false,
+ "id": "mcfs",
+ "parent_id": null
+ },
+ {
+ "archetypes": ["landing_zones"],
+ "display_name": "Landing Zones",
+ "exists": false,
+ "id": "mcfs-landingzones",
+ "parent_id": "mcfs"
+ },
+ {
+ "archetypes": ["platform"],
+ "display_name": "Platform",
+ "exists": false,
+ "id": "mcfs-platform",
+ "parent_id": "mcfs"
+ },
+ {
+ "archetypes": ["identity"],
+ "display_name": "Identity",
+ "exists": false,
+ "id": "mcfs-platform-identity",
+ "parent_id": "mcfs-platform"
+ },
+ {
+ "archetypes": ["connectivity"],
+ "display_name": "Connectivity",
+ "exists": false,
+ "id": "mcfs-platform-connectivity",
+ "parent_id": "mcfs-platform"
+ },
+ {
+ "archetypes": ["management"],
+ "display_name": "Management",
+ "exists": false,
+ "id": "mcfs-platform-management",
+ "parent_id": "mcfs-platform"
+ },
+ {
+ "archetypes": ["corp"],
+ "display_name": "Corp",
+ "exists": false,
+ "id": "mcfs-landingzones-corp",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["confidential", "corp"],
+ "display_name": "Confidential Corp",
+ "exists": false,
+ "id": "mcfs-landingzones-confidential-corp",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["online"],
+ "display_name": "Online",
+ "exists": false,
+ "id": "mcfs-landingzones-online",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["confidential", "online"],
+ "display_name": "Confidential Online",
+ "exists": false,
+ "id": "mcfs-landingzones-confidential-online",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["sandboxes"],
+ "display_name": "Sandbox",
+ "exists": false,
+ "id": "mcfs-sandbox",
+ "parent_id": "mcfs"
+ },
+ {
+ "archetypes": ["decommissioned"],
+ "display_name": "Decommissioned",
+ "exists": false,
+ "id": "mcfs-decommissioned",
+ "parent_id": "mcfs"
+ }
+ ]
+}
diff --git a/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json b/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
new file mode 100644
index 0000000..f6289ec
--- /dev/null
+++ b/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
@@ -0,0 +1,277 @@
+{
+ "name": "Enforce-Sovereign-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+ "displayName": "[Preview]: Sovereignty Baseline - Confidential Policies",
+ "notScopes": [],
+ "parameters": {
+ "allowedResourceTypes": {
+ "value": [
+ "Microsoft.Attestation/attestationProviders",
+ "Microsoft.Compute/availabilitySets",
+ "Microsoft.Compute/capacityReservationGroups",
+ "Microsoft.Compute/capacityReservationGroups/capacityReservations",
+ "Microsoft.Compute/cloudServices",
+ "Microsoft.Compute/cloudServices/roles",
+ "Microsoft.Compute/cloudServices/roleInstances",
+ "Microsoft.Compute/cloudServices/networkInterfaces",
+ "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces",
+ "Microsoft.Compute/cloudServices/publicIPAddresses",
+ "Microsoft.Compute/disks",
+ "Microsoft.Compute/diskEncryptionSets",
+ "Microsoft.Compute/diskAccesses",
+ "Microsoft.Compute/galleries",
+ "Microsoft.Compute/galleries/images",
+ "Microsoft.Compute/galleries/images/versions",
+ "Microsoft.Compute/galleries/applications",
+ "Microsoft.Compute/galleries/applications/versions",
+ "Microsoft.Compute/hostGroups",
+ "Microsoft.Compute/hostGroups/hosts",
+ "Microsoft.Compute/images",
+ "Microsoft.Compute/locations",
+ "Microsoft.Compute/locations/artifactPublishers",
+ "Microsoft.Compute/locations/csoperations",
+ "Microsoft.Compute/locations/cloudServiceOsVersions",
+ "Microsoft.Compute/locations/cloudServiceOsFamilies",
+ "Microsoft.Compute/locations/capsoperations",
+ "Microsoft.Compute/locations/communityGalleries",
+ "Microsoft.Compute/locations/diagnostics",
+ "Microsoft.Compute/locations/diagnosticOperations",
+ "Microsoft.Compute/locations/diskoperations",
+ "Microsoft.Compute/locations/edgeZones",
+ "Microsoft.Compute/locations/edgeZones/vmimages",
+ "Microsoft.Compute/locations/edgeZones/publishers",
+ "Microsoft.Compute/locations/galleries",
+ "Microsoft.Compute/locations/logAnalytics",
+ "Microsoft.Compute/locations/recommendations",
+ "Microsoft.Compute/locations/runCommands",
+ "Microsoft.Compute/locations/sharedGalleries",
+ "Microsoft.Compute/locations/spotEvictionRates",
+ "Microsoft.Compute/locations/spotPriceHistory",
+ "Microsoft.Compute/locations/operations",
+ "Microsoft.Compute/locations/publishers",
+ "Microsoft.Compute/locations/usages",
+ "Microsoft.Compute/locations/vmSizes",
+ "Microsoft.Compute/locations/virtualMachines",
+ "Microsoft.Compute/locations/virtualMachineScaleSets",
+ "Microsoft.Compute/operations",
+ "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachines/applications",
+ "Microsoft.Compute/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachines/metricDefinitions",
+ "Microsoft.Compute/virtualMachines/runCommands",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Compute/virtualMachineScaleSets/applications",
+ "Microsoft.Compute/virtualMachineScaleSets/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces",
+ "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces",
+ "Microsoft.Compute/restorePointCollections",
+ "Microsoft.Compute/restorePointCollections/restorePoints",
+ "Microsoft.Compute/proximityPlacementGroups",
+ "Microsoft.Compute/sshPublicKeys",
+ "Microsoft.Compute/sharedVMImages",
+ "Microsoft.Compute/sharedVMImages/versions",
+ "Microsoft.Compute/snapshots",
+ "Microsoft.ConfidentialLedger/checkNameAvailability",
+ "Microsoft.ConfidentialLedger/Ledgers",
+ "Microsoft.ConfidentialLedger/Locations",
+ "Microsoft.ConfidentialLedger/Locations/operations",
+ "Microsoft.ConfidentialLedger/Locations/operationstatuses",
+ "Microsoft.ConfidentialLedger/ManagedCCFs",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.ContainerService/managedClusters/agentPools",
+ "Microsoft.HardwareSecurityModules/dedicatedHSMs",
+ "Microsoft.HardwareSecurityModules/locations",
+ "Microsoft.HardwareSecurityModules/locations/operationResults",
+ "Microsoft.HardwareSecurityModules/operations",
+ "Microsoft.KeyVault/hsmPools",
+ "Microsoft.KeyVault/managedHSMs",
+ "Microsoft.KeyVault/locations/managedHsmOperationResults",
+ "Microsoft.KeyVault/checkMhsmNameAvailability",
+ "Microsoft.KeyVault/checkNameAvailability",
+ "Microsoft.KeyVault/deletedManagedHSMs",
+ "Microsoft.KeyVault/deletedVaults",
+ "Microsoft.KeyVault/locations",
+ "Microsoft.KeyVault/locations/deletedManagedHSMs",
+ "Microsoft.KeyVault/locations/deletedVaults",
+ "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.KeyVault/locations/operationResults",
+ "Microsoft.KeyVault/managedHSMs/privateEndpointConnections",
+ "Microsoft.KeyVault/operations",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.KeyVault/vaults/accessPolicies",
+ "Microsoft.KeyVault/vaults/eventGridFilters",
+ "Microsoft.KeyVault/vaults/keys",
+ "Microsoft.KeyVault/vaults/keys/versions",
+ "Microsoft.KeyVault/vaults/privateEndpointConnections",
+ "Microsoft.KeyVault/vaults/secrets",
+ "Microsoft.Kubernetes/connectedClusters",
+ "Microsoft.Kubernetes/locations",
+ "Microsoft.Kubernetes/locations/operationStatuses",
+ "Microsoft.Kubernetes/registeredSubscriptions",
+ "Microsoft.Kubernetes/Operations",
+ "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
+ "Microsoft.KubernetesConfiguration/extensions",
+ "Microsoft.KubernetesConfiguration/fluxConfigurations",
+ "Microsoft.KubernetesConfiguration/operations",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies",
+ "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "Microsoft.Network/ddosProtectionPlans",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/privateDnsZones",
+ "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+ "Microsoft.Network/privateEndpoints",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.Network/routeTables",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworks/subnets",
+ "Microsoft.Resources/deployments",
+ "Microsoft.Sql/locations/syncDatabaseIds",
+ "Microsoft.Sql/locations/longTermRetentionServers",
+ "Microsoft.Sql/locations/longTermRetentionBackups",
+ "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionBackupOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroups",
+ "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroupOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.Sql/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/outboundFirewallRulesOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/notifyAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverTrustGroups",
+ "Microsoft.Sql/locations/serverTrustGroupOperationResults",
+ "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseMoveOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesOperationResults",
+ "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation",
+ "Microsoft.Sql/locations/replicationLinksOperationResults",
+ "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation",
+ "Microsoft.Sql/servers",
+ "Microsoft.Sql/servers/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/advisors",
+ "Microsoft.Sql/servers/auditingPolicies",
+ "Microsoft.Sql/servers/auditingSettings",
+ "Microsoft.Sql/servers/connectionPolicies",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/databases/advisors",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/databases/auditingPolicies",
+ "Microsoft.Sql/servers/databases/auditingSettings",
+ "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
+ "Microsoft.Sql/servers/databases/extendedAuditingSettings",
+ "Microsoft.Sql/servers/databases/geoBackupPolicies",
+ "Microsoft.Sql/servers/databases/ledgerDigestUploads",
+ "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "Microsoft.Sql/servers/devOpsAuditingSettings",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/encryptionProtector",
+ "Microsoft.Sql/servers/extendedAuditingSettings",
+ "Microsoft.Sql/servers/firewallRules",
+ "Microsoft.Sql/servers/keys",
+ "Microsoft.Sql/servers/securityAlertPolicies",
+ "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
+ "Microsoft.Sql/servers/vulnerabilityAssessments"
+ ]
+ },
+ "allowedVirtualMachineSKUs": {
+ "value": [
+ "Standard_DC1s_v2",
+ "Standard_DC2s_v2",
+ "Standard_DC4s_v2",
+ "Standard_DC8_v2",
+ "Standard_DC1s_v3",
+ "Standard_DC2s_v3",
+ "Standard_DC4s_v3",
+ "Standard_DC8s_v3",
+ "Standard_DC16s_v3",
+ "Standard_DC24s_v3",
+ "Standard_DC32s_v3",
+ "Standard_DC48s_v3",
+ "Standard_DC1ds_v3",
+ "Standard_DC2ds_v3",
+ "Standard_DC4ds_v3",
+ "Standard_DC8ds_v3",
+ "Standard_DC16ds_v3",
+ "Standard_DC24ds_v3",
+ "Standard_DC32ds_v3",
+ "Standard_DC48ds_v3",
+ "Standard_DC2ads_v5",
+ "Standard_DC2as_v5",
+ "Standard_DC4ads_v5",
+ "Standard_DC4as_v5",
+ "Standard_DC8ads_v5",
+ "Standard_DC8as_v5",
+ "Standard_DC16ads_v5",
+ "Standard_DC16as_v5",
+ "Standard_DC32ads_v5",
+ "Standard_DC32as_v5",
+ "Standard_DC48ads_v5",
+ "Standard_DC48as_v5",
+ "Standard_DC64ads_v5",
+ "Standard_DC64as_v5",
+ "Standard_DC96ads_v5",
+ "Standard_DC96as_v5",
+ "Standard_EC2ads_v5",
+ "Standard_EC2as_v5",
+ "Standard_EC4ads_v5",
+ "Standard_EC4as_v5",
+ "Standard_EC8ads_v5",
+ "Standard_EC8as_v5",
+ "Standard_EC16ads_v5",
+ "Standard_EC16as_v5",
+ "Standard_EC20ads_v5",
+ "Standard_EC20as_v5",
+ "Standard_EC32ads_v5",
+ "Standard_EC32as_v5",
+ "Standard_EC48ads_v5",
+ "Standard_EC48as_v5",
+ "Standard_EC64ads_v5",
+ "Standard_EC64as_v5",
+ "Standard_EC96ads_v5",
+ "Standard_EC96as_v5",
+ "Standard_EC96iads_v5",
+ "Standard_EC96ias_v5"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": []
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json b/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
new file mode 100644
index 0000000..fc85caf
--- /dev/null
+++ b/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
@@ -0,0 +1,25 @@
+{
+ "name": "Enforce-Sovereign-Global",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+ "displayName": "[Preview]: Sovereignty Baseline - Global Policies",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": []
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/platform/slz/policy_definitions/.gitkeep b/platform/slz/policy_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/policy_definitions/.gitkeep
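Review bot: `allowedResourceTypes` contains duplicates: `"Microsoft.Sql/servers/databases/transparentDataEncryption"` is listed twice in a row, and `"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings"` appears in the `databases` run and again after `devOpsAuditingSettings`; drop the repeats so the allow list is a set and future diffs of it stay reviewable. `listOfAllowedLocations` is `[]` while `effect` is `Deny`; presumably the consumer is expected to override the locations, and if it is not overridden the assignment is fail-closed (regional resource creation at the assigned scope is likely denied) — the safe direction, but since JSON cannot carry a comment, the library README should list this parameter as a required override. The same empty-list-plus-`Deny` combination is in `Enforce-Sovereign-Global` in the next hunk. Both assignment files also lack a trailing newline (`\ No newline at end of file`).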
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
diff --git a/platform/slz/policy_set_definitions/.gitkeep b/platform/slz/policy_set_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/policy_set_definitions/.gitkeep
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
diff --git a/platform/slz/role_definitions/.gitkeep b/platform/slz/role_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/role_definitions/.gitkeep
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
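Review bot: The three `.gitkeep` placeholders (`policy_definitions`, `policy_set_definitions`, `role_definitions`) hold ignore rules (`*` / `!.gitignore`) and a comment saying a `.gitignore` is being added, but git only reads ignore rules from a file named `.gitignore`, so inside a `.gitkeep` they are inert, and the `!.gitignore` exception would not match the file's own name even if they were active. Either rename each file to `.gitignore` so the rules and the comment are accurate, or keep `.gitkeep` and leave it empty. Note that an active `*` rule in these directories would hide newly added policy, policy-set or role definition files from `git status` until the placeholder is removed, which the first comment line acknowledges but which is easy to miss in a library whose contents are consumed by tooling.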