From de396dd081925fe7fa1b6cca7130bb89f5db6e58 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 15 Oct 2024 06:30:58 -0700 Subject: [PATCH 1/5] feat: Add slz library files. (#73) feat: Add slz library files. --- platform/slz/README.md | 126 ++++++++ platform/slz/alz_library_metadata.json | 13 + platform/slz/alz_policy_default_values.json | 76 +++++ ...confidential.alz_archetype_definition.json | 9 + .../global.alz_archetype_definition.json | 9 + .../slz.alz_architecture_definition.json | 89 ++++++ ..._sovereign_conf.alz_policy_assignment.json | 277 ++++++++++++++++++ ...overeign_global.alz_policy_assignment.json | 25 ++ platform/slz/policy_definitions/.gitkeep | 6 + platform/slz/policy_set_definitions/.gitkeep | 6 + platform/slz/role_definitions/.gitkeep | 6 + 11 files changed, 642 insertions(+) create mode 100644 platform/slz/README.md create mode 100644 platform/slz/alz_library_metadata.json create mode 100644 platform/slz/alz_policy_default_values.json create mode 100644 platform/slz/archetype_definitions/confidential.alz_archetype_definition.json create mode 100644 platform/slz/archetype_definitions/global.alz_archetype_definition.json create mode 100644 platform/slz/architecture_definitions/slz.alz_architecture_definition.json create mode 100644 platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json create mode 100644 platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json create mode 100644 platform/slz/policy_definitions/.gitkeep create mode 100644 platform/slz/policy_set_definitions/.gitkeep create mode 100644 platform/slz/role_definitions/.gitkeep diff --git a/platform/slz/README.md b/platform/slz/README.md new file mode 100644 index 0000000..0dcaa3a --- /dev/null +++ b/platform/slz/README.md 
@@ -0,0 +1,126 @@ +# SLZ (Azure Landing Zones) + +This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture. + +## Usage + +```terraform +provider "slz" { + library_references = [ + { + path = "platform/slz" + tag = "0000.00.0" # Replace with the desired version + } + ] +} +``` + +## Architectures + +The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes: + +### architecture `slz` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. + +```mermaid +flowchart TD + slzroot["SLZ root +(root)"] + slzroot --> decommissioned + decommissioned["Decommissioned +(decommissioned)"] + slzroot --> landingzones + landingzones["Landing zones +(landing_zones)"] + landingzones --> confidential-corp + confidential-corp["Confidential Corp +(confidential-corp)"] +landingzones --> corp + corp["Corp +(corp)"] + landingzones --> confidential-online + confidential-online["Confidential Online +(confidential-online)"] + landingzones --> online + online["Online +(online)"] + slzroot --> platform + platform["Platform +(platform)"] + platform --> connectivity + connectivity["Connectivity +(connectivity)"] + platform --> identity + identity["Identity +(identity)"] + platform --> management + management["Management +(management)"] + slzroot --> sandboxes + sandboxes["Sandboxes +(sandboxes)"] + +``` + +## Archetypes + +### archetype `confidential` + +#### confidential policy assignments + +
1 policy assignments + +- Enforce-Sovereign-Conf +
+ +### archetype `global` + +#### global policy assignments + +
1 policy assignments + +- Enforce-Sovereign-Global +
+ +## Policy Default Values + +The following policy default values are available in this library: + +### default name `allowedLocationsForConfidentialComputing` + +#### assignment `Enforce-Sovereign-Conf` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `listOfAllowedLocations` + +#### assignment `Enforce-Sovereign-Global` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `policyEffect` + +#### assignment `Enforce-Sovereign-Conf` + +
1 parameter names + +- effect +
+ +#### assignment `Enforce-Sovereign-Global` + +
1 parameter names + +- effect +
+ +> [!NOTE] +> Set the apply_alz_archetypes_via_architecture_definition_template parameter to true in the inputs.yaml file to apply ALZ archetypes to your landing zones. For more details, visit the [Azure Landing Zones Library](https://github.com/Azure/Azure-Landing-Zones-Library/tree/main/platform/alz). \ No newline at end of file diff --git a/platform/slz/alz_library_metadata.json b/platform/slz/alz_library_metadata.json new file mode 100644 index 0000000..fc77399 --- /dev/null +++ b/platform/slz/alz_library_metadata.json @@ -0,0 +1,13 @@ +{ + "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json", + "name": "SLZ", + "display_name": "Sovereign Landing Zones", + "description": "This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture.", + "path": "platform/slz", + "dependencies": [ + { + "path": "platform/alz", + "ref": "2024.07.02" + } + ] +} diff --git a/platform/slz/alz_policy_default_values.json b/platform/slz/alz_policy_default_values.json new file mode 100644 index 0000000..0306292 --- /dev/null +++ b/platform/slz/alz_policy_default_values.json 
@@ -0,0 +1,76 @@
+{
+ "defaults": [
+ {
+ "default_name": "allowedLocationsForConfidentialComputing",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "listOfAllowedLocations"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Conf"
+ }
+ ]
+ },
+ {
+ "default_name": "listOfAllowedLocations",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "listOfAllowedLocations"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Global"
+ }
+ ]
+ },
+ {
+ "default_name": "policyEffect",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Conf"
+ },
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enforce-Sovereign-Global"
+ }
+ ]
+ },
+ {
+ "default_name": "ddos_protection_plan_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "ddosPlan"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "ddos_protection_plan_effect",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "emailSecurityContact",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "emailSecurityContact"
+ ],
+ "policy_assignment_name": "Deploy-MDFC-Config-H224"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json b/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
new file mode 100644
index 0000000..9ce83e9
--- /dev/null
+++ b/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "confidential",
+ "policy_assignments": [
+ "Enforce-Sovereign-Conf"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
diff --git a/platform/slz/archetype_definitions/global.alz_archetype_definition.json b/platform/slz/archetype_definitions/global.alz_archetype_definition.json
new file mode 100644
index 0000000..2a6db9f
--- /dev/null
+++ b/platform/slz/archetype_definitions/global.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "global",
+ "policy_assignments": [
+ "Enforce-Sovereign-Global"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
diff --git a/platform/slz/architecture_definitions/slz.alz_architecture_definition.json b/platform/slz/architecture_definitions/slz.alz_architecture_definition.json
new file mode 100644
index 0000000..e667d2e
--- /dev/null
+++ b/platform/slz/architecture_definitions/slz.alz_architecture_definition.json
@@ -0,0 +1,89 @@
+{
+ "name": "slz",
+ "management_groups": [
+ {
+ "archetypes": ["global", "root"],
+ "display_name": "Sovereign Landing Zone",
+ "exists": false,
+ "id": "mcfs",
+ "parent_id": null
+ },
+ {
+ "archetypes": ["landing_zones"],
+ "display_name": "Landing Zones",
+ "exists": false,
+ "id": "mcfs-landingzones",
+ "parent_id": "mcfs"
+ },
+ {
+ "archetypes": ["platform"],
+ "display_name": "Platform",
+ "exists": false,
+ "id": "mcfs-platform",
+ "parent_id": "mcfs"
+ },
+ {
+ "archetypes": ["identity"],
+ "display_name": "Identity",
+ "exists": false,
+ "id": "mcfs-platform-identity",
+ "parent_id": "mcfs-platform"
+ },
+ {
+ "archetypes": ["connectivity"],
+ "display_name": "Connectivity",
+ "exists": false,
+ "id": "mcfs-platform-connectivity",
+ "parent_id": "mcfs-platform"
+ },
+ {
+ "archetypes": ["management"],
+ "display_name": "Management",
+ "exists": false,
+ "id": "mcfs-platform-management",
+ "parent_id": "mcfs-platform"
+ },
+ {
+ "archetypes": ["corp"],
+ "display_name": "Corp",
+ "exists": false,
+ "id": "mcfs-landingzones-corp",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["confidential", "corp"],
+ "display_name": "Confidential Corp",
+ "exists": false,
+ "id": "mcfs-landingzones-confidential-corp",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["online"],
+ "display_name": "Online",
+ "exists": false,
+ "id": "mcfs-landingzones-online",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["confidential", "online"],
+ "display_name": "Confidential Online",
+ "exists": false,
+ "id": "mcfs-landingzones-confidential-online",
+ "parent_id": "mcfs-landingzones"
+ },
+ {
+ "archetypes": ["sandboxes"],
+ "display_name": "Sandbox",
+ "exists": false,
+ "id": "mcfs-sandbox",
+ "parent_id": "mcfs"
+ },
+ {
+ "archetypes": ["decommissioned"],
+ "display_name": "Decommissioned",
+ "exists": false,
+ "id": "mcfs-decommissioned",
+ "parent_id": "mcfs"
+ }
+ ]
+}
diff --git a/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json b/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
new file mode 100644
index 0000000..f6289ec
--- /dev/null
+++ b/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
@@ -0,0 +1,277 @@
+{
+ "name": "Enforce-Sovereign-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+ "displayName": "[Preview]: Sovereignty Baseline - Confidential Policies",
+ "notScopes": [],
+ "parameters": {
+ "allowedResourceTypes": {
+ "value": [
+ "Microsoft.Attestation/attestationProviders",
+ "Microsoft.Compute/availabilitySets",
+ "Microsoft.Compute/capacityReservationGroups",
+ "Microsoft.Compute/capacityReservationGroups/capacityReservations",
+ "Microsoft.Compute/cloudServices",
+ "Microsoft.Compute/cloudServices/roles",
+ "Microsoft.Compute/cloudServices/roleInstances",
+ "Microsoft.Compute/cloudServices/networkInterfaces",
+ "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces",
+ "Microsoft.Compute/cloudServices/publicIPAddresses",
+ "Microsoft.Compute/disks",
+ "Microsoft.Compute/diskEncryptionSets",
+ "Microsoft.Compute/diskAccesses",
+ "Microsoft.Compute/galleries",
+ "Microsoft.Compute/galleries/images",
+ "Microsoft.Compute/galleries/images/versions",
+ "Microsoft.Compute/galleries/applications",
+ "Microsoft.Compute/galleries/applications/versions",
+ "Microsoft.Compute/hostGroups",
+ "Microsoft.Compute/hostGroups/hosts",
+ "Microsoft.Compute/images",
+ "Microsoft.Compute/locations",
+ "Microsoft.Compute/locations/artifactPublishers",
+ "Microsoft.Compute/locations/csoperations",
+ "Microsoft.Compute/locations/cloudServiceOsVersions",
+ "Microsoft.Compute/locations/cloudServiceOsFamilies",
+ "Microsoft.Compute/locations/capsoperations",
+ "Microsoft.Compute/locations/communityGalleries",
+ "Microsoft.Compute/locations/diagnostics",
+ "Microsoft.Compute/locations/diagnosticOperations",
+ "Microsoft.Compute/locations/diskoperations",
+ "Microsoft.Compute/locations/edgeZones",
+ "Microsoft.Compute/locations/edgeZones/vmimages",
+ "Microsoft.Compute/locations/edgeZones/publishers",
+ "Microsoft.Compute/locations/galleries",
+ "Microsoft.Compute/locations/logAnalytics",
+ "Microsoft.Compute/locations/recommendations",
+ "Microsoft.Compute/locations/runCommands",
+ "Microsoft.Compute/locations/sharedGalleries",
+ "Microsoft.Compute/locations/spotEvictionRates",
+ "Microsoft.Compute/locations/spotPriceHistory",
+ "Microsoft.Compute/locations/operations",
+ "Microsoft.Compute/locations/publishers",
+ "Microsoft.Compute/locations/usages",
+ "Microsoft.Compute/locations/vmSizes",
+ "Microsoft.Compute/locations/virtualMachines",
+ "Microsoft.Compute/locations/virtualMachineScaleSets",
+ "Microsoft.Compute/operations",
+ "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachines/applications",
+ "Microsoft.Compute/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachines/metricDefinitions",
+ "Microsoft.Compute/virtualMachines/runCommands",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Compute/virtualMachineScaleSets/applications",
+ "Microsoft.Compute/virtualMachineScaleSets/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces",
+ "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces",
+ "Microsoft.Compute/restorePointCollections",
+ "Microsoft.Compute/restorePointCollections/restorePoints",
+ "Microsoft.Compute/proximityPlacementGroups",
+ "Microsoft.Compute/sshPublicKeys",
+ "Microsoft.Compute/sharedVMImages",
+ "Microsoft.Compute/sharedVMImages/versions",
+ "Microsoft.Compute/snapshots",
+ "Microsoft.ConfidentialLedger/checkNameAvailability",
+ "Microsoft.ConfidentialLedger/Ledgers",
+ "Microsoft.ConfidentialLedger/Locations",
+ "Microsoft.ConfidentialLedger/Locations/operations",
+ "Microsoft.ConfidentialLedger/Locations/operationstatuses",
+ "Microsoft.ConfidentialLedger/ManagedCCFs",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.ContainerService/managedClusters/agentPools",
+ "Microsoft.HardwareSecurityModules/dedicatedHSMs",
+ "Microsoft.HardwareSecurityModules/locations",
+ "Microsoft.HardwareSecurityModules/locations/operationResults",
+ "Microsoft.HardwareSecurityModules/operations",
+ "Microsoft.KeyVault/hsmPools",
+ "Microsoft.KeyVault/managedHSMs",
+ "Microsoft.KeyVault/locations/managedHsmOperationResults",
+ "Microsoft.KeyVault/checkMhsmNameAvailability",
+ "Microsoft.KeyVault/checkNameAvailability",
+ "Microsoft.KeyVault/deletedManagedHSMs",
+ "Microsoft.KeyVault/deletedVaults",
+ "Microsoft.KeyVault/locations",
+ "Microsoft.KeyVault/locations/deletedManagedHSMs",
+ "Microsoft.KeyVault/locations/deletedVaults",
+ "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.KeyVault/locations/operationResults",
+ "Microsoft.KeyVault/managedHSMs/privateEndpointConnections",
+ "Microsoft.KeyVault/operations",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.KeyVault/vaults/accessPolicies",
+ "Microsoft.KeyVault/vaults/eventGridFilters",
+ "Microsoft.KeyVault/vaults/keys",
+ "Microsoft.KeyVault/vaults/keys/versions",
+ "Microsoft.KeyVault/vaults/privateEndpointConnections",
+ "Microsoft.KeyVault/vaults/secrets",
+ "Microsoft.Kubernetes/connectedClusters",
+ "Microsoft.Kubernetes/locations",
+ "Microsoft.Kubernetes/locations/operationStatuses",
+ "Microsoft.Kubernetes/registeredSubscriptions",
+ "Microsoft.Kubernetes/Operations",
+ "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
+ "Microsoft.KubernetesConfiguration/extensions",
+ "Microsoft.KubernetesConfiguration/fluxConfigurations",
+ "Microsoft.KubernetesConfiguration/operations",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies",
+ "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "Microsoft.Network/ddosProtectionPlans",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/privateDnsZones",
+ "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+ "Microsoft.Network/privateEndpoints",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.Network/routeTables",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworks/subnets",
+ "Microsoft.Resources/deployments",
+ "Microsoft.Sql/locations/syncDatabaseIds",
+ "Microsoft.Sql/locations/longTermRetentionServers",
+ "Microsoft.Sql/locations/longTermRetentionBackups",
+ "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionBackupOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroups",
+ "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroupOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.Sql/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/outboundFirewallRulesOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/notifyAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverTrustGroups",
+ "Microsoft.Sql/locations/serverTrustGroupOperationResults",
+ "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseMoveOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesOperationResults",
+ "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation",
+ "Microsoft.Sql/locations/replicationLinksOperationResults",
+ "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation",
+ "Microsoft.Sql/servers",
+ "Microsoft.Sql/servers/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/advisors",
+ "Microsoft.Sql/servers/auditingPolicies",
+ "Microsoft.Sql/servers/auditingSettings",
+ "Microsoft.Sql/servers/connectionPolicies",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/databases/advisors",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/databases/auditingPolicies",
+ "Microsoft.Sql/servers/databases/auditingSettings",
+ "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
+ "Microsoft.Sql/servers/databases/extendedAuditingSettings",
+ "Microsoft.Sql/servers/databases/geoBackupPolicies",
+ "Microsoft.Sql/servers/databases/ledgerDigestUploads",
+ "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "Microsoft.Sql/servers/devOpsAuditingSettings",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/encryptionProtector",
+ "Microsoft.Sql/servers/extendedAuditingSettings",
+ "Microsoft.Sql/servers/firewallRules",
+ "Microsoft.Sql/servers/keys",
+ "Microsoft.Sql/servers/securityAlertPolicies",
+ "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
+ "Microsoft.Sql/servers/vulnerabilityAssessments"
+ ]
+ },
+ "allowedVirtualMachineSKUs": {
+ "value": [
+ "Standard_DC1s_v2",
+ "Standard_DC2s_v2",
+ "Standard_DC4s_v2",
+ "Standard_DC8_v2",
+ "Standard_DC1s_v3",
+ "Standard_DC2s_v3",
+ "Standard_DC4s_v3",
+ "Standard_DC8s_v3",
+ "Standard_DC16s_v3",
+ "Standard_DC24s_v3",
+ "Standard_DC32s_v3",
+ "Standard_DC48s_v3",
+ "Standard_DC1ds_v3",
+ "Standard_DC2ds_v3",
+ "Standard_DC4ds_v3",
+ "Standard_DC8ds_v3",
+ "Standard_DC16ds_v3",
+ "Standard_DC24ds_v3",
+ "Standard_DC32ds_v3",
+ "Standard_DC48ds_v3",
+ "Standard_DC2ads_v5",
+ "Standard_DC2as_v5",
+ "Standard_DC4ads_v5",
+ "Standard_DC4as_v5",
+ "Standard_DC8ads_v5",
+ "Standard_DC8as_v5",
+ "Standard_DC16ads_v5",
+ "Standard_DC16as_v5",
+ "Standard_DC32ads_v5",
+ "Standard_DC32as_v5",
+ "Standard_DC48ads_v5",
+ "Standard_DC48as_v5",
+ "Standard_DC64ads_v5",
+ "Standard_DC64as_v5",
+ "Standard_DC96ads_v5",
+ "Standard_DC96as_v5",
+ "Standard_EC2ads_v5",
+ "Standard_EC2as_v5",
+ "Standard_EC4ads_v5",
+ "Standard_EC4as_v5",
+ "Standard_EC8ads_v5",
+ "Standard_EC8as_v5",
+ "Standard_EC16ads_v5",
+ "Standard_EC16as_v5",
+ "Standard_EC20ads_v5",
+ "Standard_EC20as_v5",
+ "Standard_EC32ads_v5",
+ "Standard_EC32as_v5",
+ "Standard_EC48ads_v5",
+ "Standard_EC48as_v5",
+ "Standard_EC64ads_v5",
+ "Standard_EC64as_v5",
+ "Standard_EC96ads_v5",
+ "Standard_EC96as_v5",
+ "Standard_EC96iads_v5",
+ "Standard_EC96ias_v5"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": []
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json b/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
new file mode 100644
index 0000000..fc85caf
--- /dev/null
+++ b/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
@@ -0,0 +1,25 @@
+{
+ "name": "Enforce-Sovereign-Global",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+ "displayName": "[Preview]: Sovereignty Baseline - Global Policies",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": []
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/platform/slz/policy_definitions/.gitkeep b/platform/slz/policy_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/policy_definitions/.gitkeep
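Review bot: The last three defaults in the hunk (`ddos_protection_plan_id`, `ddos_protection_plan_effect`, `emailSecurityContact`) point at assignments `Enable-DDoS-VNET` and `Deploy-MDFC-Config-H224` that this library does not define; presumably they resolve through the `platform/alz` dependency declared in `alz_library_metadata.json`, which is likely to declare defaults of the same names, so it is worth confirming that the library loader merges duplicate `default_name` entries rather than erroring or letting one silently shadow the other. A second design point: `policyEffect` drives the `effect` parameter of both `Enforce-Sovereign-Conf` and `Enforce-Sovereign-Global`, so a consumer cannot run the global location guard in `Deny` while trialling the confidential allow-lists in `Audit`; if that granularity is intended, split it into two defaults (for example `policyEffectGlobal` and `policyEffectConfidential`). Note also that `allowedLocationsForConfidentialComputing` and `listOfAllowedLocations` are separate names feeding the same `listOfAllowedLocations` parameter of two different assignments, so setting only the global one leaves the confidential assignment at the empty list shipped in its JSON; a sentence in the library description such as `Both listOfAllowedLocations and allowedLocationsForConfidentialComputing must be supplied; neither is inherited from the other.` would prevent that surprise.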
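Review bot: `allowedResourceTypes` contains duplicate entries: `Microsoft.Sql/servers/databases/transparentDataEncryption` appears twice in a row, and `Microsoft.Sql/servers/databases/advancedThreatProtectionSettings` is listed once in the databases group and again immediately after `Microsoft.Sql/servers/devOpsAuditingSettings`. Azure Policy's array matching tolerates the repeats, but for a confidential-tier allow list the duplicates show the array was assembled by hand without a sort-and-dedupe pass, which is exactly how an unintended type ends up permitted; sort the list, drop the two repeats, and consider a CI check that fails on duplicate array elements in policy assignment parameters. The assignment is also shipped with `"listOfAllowedLocations": { "value": [] }` under `"effect": "Deny"` and `"enforcementMode": "Default"`, so the location guard only becomes meaningful once the consumer supplies the `allowedLocationsForConfidentialComputing` library default, and that name is distinct from the global assignment's `listOfAllowedLocations`; a `description` sentence or README note stating that the shipped value is a placeholder that must be overridden would make the contract explicit. `"identity": { "type": "None" }` is correct for a pure Deny assignment, since no remediation identity is needed.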
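Review bot: This assignment ships `"listOfAllowedLocations": { "value": [] }` with `"effect": "Deny"` and `"enforcementMode": "Default"`, and per the `slz` architecture definition in this patch the `global` archetype carrying it sits on the `mcfs` root, so whatever the parameter resolves to is inherited by every platform and landing-zone management group underneath. How the built-in initiative behaves when the allowed-locations array is empty is not visible from this file (it could reject every regional resource or match nothing), so the library should not leave the outcome to chance: add a sentence to the assignment `description` or library description such as `The shipped listOfAllowedLocations value is an empty placeholder; consumers must set the listOfAllowedLocations default before deploying.` and, if the tooling supports it, fail validation when that default is still empty at deploy time. The `Enforce-Sovereign-Global` name is exactly 24 characters, which is the management-group assignment name limit, so any future suffix will need a rename rather than an append.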
@@ -0,0 +1,6 @@ +# adding .gitignore to maintain lib folder structure, remove after adding files to the folder +# Ignore all files in this dir... +* + +# ... except for this one. +!.gitignore \ No newline at end of file diff --git a/platform/slz/policy_set_definitions/.gitkeep b/platform/slz/policy_set_definitions/.gitkeep new file mode 100644 index 0000000..133e542 --- /dev/null +++ b/platform/slz/policy_set_definitions/.gitkeep @@ -0,0 +1,6 @@ +# adding .gitignore to maintain lib folder structure, remove after adding files to the folder +# Ignore all files in this dir... +* + +# ... except for this one. +!.gitignore \ No newline at end of file diff --git a/platform/slz/role_definitions/.gitkeep b/platform/slz/role_definitions/.gitkeep new file mode 100644 index 0000000..133e542 --- /dev/null +++ b/platform/slz/role_definitions/.gitkeep @@ -0,0 +1,6 @@ +# adding .gitignore to maintain lib folder structure, remove after adding files to the folder +# Ignore all files in this dir... +* + +# ... except for this one. +!.gitignore \ No newline at end of file From f3447867850a81455dbfd5e13d7713ec9d8649be Mon Sep 17 00:00:00 2001 From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:32:02 +0100 Subject: [PATCH 2/5] ci: update alzlibtool in workflows --- .github/workflows/pr-check.yml | 4 +- .github/workflows/update-alz.yml | 2 +- platform/slz/README.md | 859 +++++++++++++++++++++++++++++++ 3 files changed, 862 insertions(+), 3 deletions(-) create mode 100644 platform/slz/README.md diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index e02f8eb..228c901 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml 
@@ -57,7 +57,7 @@ jobs: go-version: 'stable' - name: Install alzlibtool - run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.5 + run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6 - name: Azure login uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 @@ -72,7 +72,7 @@ jobs: if [ -z "$(git status -suno)" ]; then echo "README.md is up to date" else - echo "README.md is out of date" + echo "README.md is out of date, generate using `alzlibtool document library . >README.md`" git --no-pager diff exit 1 fi diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml index 12a935c..0702daa 100644 --- a/.github/workflows/update-alz.yml +++ b/.github/workflows/update-alz.yml @@ -44,7 +44,7 @@ jobs: go-version: 'stable' - name: install alzlibtool - run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.5 + run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6 - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token diff --git a/platform/slz/README.md b/platform/slz/README.md new file mode 100644 index 0000000..b218833 --- /dev/null +++ b/platform/slz/README.md 
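Review bot: In the second pr-check hunk the new `echo` message wraps the suggested command in backticks inside double quotes, which bash (the runner's default shell for `run:` steps, assuming no `shell:` override outside the hunk) treats as command substitution: `alzlibtool document library . >README.md` is executed as a side effect of printing the message, its output is empty because of the redirect, and the printed line ends at `generate using `. Use single quotes or drop the backticks, for example `echo 'README.md is out of date; regenerate with: alzlibtool document library . >README.md'`. The `run:` script containing this `if` block starts outside the hunk. The `alzlibtool` version bumps in the other two hunks are fine as pinned tags.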
@@ -0,0 +1,859 @@ +# SLZ (Sovereign Landing Zones) + +This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture. + +## Dependencies + +- platform/alz@2024.07.02 + +## Usage + +```terraform +provider "alz" { + library_references = [ + { + path = "platform/slz" + tag = "0000.00.0" # Replace with the desired version + } + ] +} +``` + +## Architectures + +The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes: + +### architecture `alz` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. + +```mermaid +flowchart TD + alzroot["ALZ root +(root)"] + alzroot --> landingzones + landingzones["Landing zones +(landing_zones)"] + landingzones --> corp + corp["Corp +(corp)"] + landingzones --> online + online["Online +(online)"] + alzroot --> platform + platform["Platform +(platform)"] + platform --> connectivity + connectivity["Connectivity +(connectivity)"] + platform --> identity + identity["Identity +(identity)"] + platform --> management + management["Management +(management)"] + alzroot --> sandboxes + sandboxes["Sandboxes +(sandboxes)"] + +``` + +### architecture `slz` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. 
+ +```mermaid +flowchart TD + mcfs["Sovereign Landing Zone +(global, root)"] + mcfs --> mcfs-decommissioned + mcfs-decommissioned["Decommissioned +(decommissioned)"] + mcfs --> mcfs-landingzones + mcfs-landingzones["Landing Zones +(landing_zones)"] + mcfs-landingzones --> mcfs-landingzones-confidential-corp + mcfs-landingzones-confidential-corp["Confidential Corp +(corp, confidential)"] + mcfs-landingzones --> mcfs-landingzones-confidential-online + mcfs-landingzones-confidential-online["Confidential Online +(confidential, online)"] + mcfs-landingzones --> mcfs-landingzones-corp + mcfs-landingzones-corp["Corp +(corp)"] + mcfs-landingzones --> mcfs-landingzones-online + mcfs-landingzones-online["Online +(online)"] + mcfs --> mcfs-platform + mcfs-platform["Platform +(platform)"] + mcfs-platform --> mcfs-platform-connectivity + mcfs-platform-connectivity["Connectivity +(connectivity)"] + mcfs-platform --> mcfs-platform-identity + mcfs-platform-identity["Identity +(identity)"] + mcfs-platform --> mcfs-platform-management + mcfs-platform-management["Management +(management)"] + mcfs --> mcfs-sandbox + mcfs-sandbox["Sandbox +(sandboxes)"] + +``` + +## Archetypes + +### archetype `confidential` + +#### confidential policy assignments + +
1 policy assignments + +- Enforce-Sovereign-Conf +
+ +### archetype `connectivity` + +#### connectivity policy assignments + +
1 policy assignments + +- Enable-DDoS-VNET +
+ +### archetype `corp` + +#### corp policy assignments + +
5 policy assignments + +- Audit-PeDnsZones +- Deny-HybridNetworking +- Deny-Public-Endpoints +- Deny-Public-IP-On-NIC +- Deploy-Private-DNS-Zones +
+ +### archetype `decommissioned` + +#### decommissioned policy assignments + +
1 policy assignments + +- Enforce-ALZ-Decomm +
+ +### archetype `global` + +#### global policy assignments + +
1 policy assignments + +- Enforce-Sovereign-Global +
+ +### archetype `identity` + +#### identity policy assignments + +
4 policy assignments + +- Deny-MgmtPorts-Internet +- Deny-Public-IP +- Deny-Subnet-Without-Nsg +- Deploy-VM-Backup +
+ +### archetype `landing_zones` + +#### landing_zones policy assignments + +
25 policy assignments + +- Audit-AppGW-WAF +- Deny-IP-forwarding +- Deny-MgmtPorts-Internet +- Deny-Priv-Esc-AKS +- Deny-Privileged-AKS +- Deny-Storage-http +- Deny-Subnet-Without-Nsg +- Deploy-AKS-Policy +- Deploy-AzSqlDb-Auditing +- Deploy-MDFC-DefSQL-AMA +- Deploy-SQL-TDE +- Deploy-SQL-Threat +- Deploy-VM-Backup +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enable-DDoS-VNET +- Enforce-AKS-HTTPS +- Enforce-ASR +- Enforce-GR-KeyVault +- Enforce-TLS-SSL-H224 +
+ +### archetype `management` + +#### management policy assignments + +
1 policy assignments + +- Deploy-Log-Analytics +
+ +### archetype `platform` + +#### platform policy assignments + +
11 policy assignments + +- DenyAction-DeleteUAMIAMA +- Deploy-MDFC-DefSQL-AMA +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enforce-ASR +- Enforce-GR-KeyVault +
+ +### archetype `root` + +#### root policy definitions + +
158 policy definitions + +- Append-AppService-httpsonly +- Append-AppService-latestTLS +- Append-KV-SoftDelete +- Append-Redis-disableNonSslPort +- Append-Redis-sslEnforcement +- Audit-AzureHybridBenefit +- Audit-Disks-UnusedResourcesCostOptimization +- Audit-MachineLearning-PrivateEndpointId +- Audit-PrivateLinkDnsZones +- Audit-PublicIpAddresses-UnusedResourcesCostOptimization +- Audit-ServerFarms-UnusedResourcesCostOptimization +- Deny-AA-child-resources +- Deny-APIM-TLS +- Deny-AppGW-Without-WAF +- Deny-AppGw-Without-Tls +- Deny-AppService-without-BYOC +- Deny-AppServiceApiApp-http +- Deny-AppServiceFunctionApp-http +- Deny-AppServiceWebApp-http +- Deny-AzFw-Without-Policy +- Deny-CognitiveServices-NetworkAcls +- Deny-CognitiveServices-Resource-Kinds +- Deny-CognitiveServices-RestrictOutboundNetworkAccess +- Deny-Databricks-NoPublicIp +- Deny-Databricks-Sku +- Deny-Databricks-VirtualNetwork +- Deny-EH-Premium-CMK +- Deny-EH-minTLS +- Deny-FileServices-InsecureAuth +- Deny-FileServices-InsecureKerberos +- Deny-FileServices-InsecureSmbChannel +- Deny-FileServices-InsecureSmbVersions +- Deny-LogicApp-Public-Network +- Deny-LogicApps-Without-Https +- Deny-MachineLearning-Aks +- Deny-MachineLearning-Compute-SubnetId +- Deny-MachineLearning-Compute-VmSize +- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess +- Deny-MachineLearning-ComputeCluster-Scale +- Deny-MachineLearning-HbiWorkspace +- Deny-MachineLearning-PublicAccessWhenBehindVnet +- Deny-MachineLearning-PublicNetworkAccess +- Deny-MgmtPorts-From-Internet +- Deny-MySql-http +- Deny-PostgreSql-http +- Deny-Private-DNS-Zones +- Deny-PublicEndpoint-MariaDB +- Deny-PublicIP +- Deny-RDP-From-Internet +- Deny-Redis-http +- Deny-Service-Endpoints +- Deny-Sql-minTLS +- Deny-SqlMi-minTLS +- Deny-Storage-ContainerDeleteRetentionPolicy +- Deny-Storage-CopyScope +- Deny-Storage-CorsRules +- Deny-Storage-LocalUser +- Deny-Storage-NetworkAclsBypass +- Deny-Storage-NetworkAclsVirtualNetworkRules +- 
Deny-Storage-ResourceAccessRulesResourceId +- Deny-Storage-ResourceAccessRulesTenantId +- Deny-Storage-SFTP +- Deny-Storage-ServicesEncryption +- Deny-Storage-minTLS +- Deny-StorageAccount-CustomDomain +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Penp +- Deny-Subnet-Without-Udr +- Deny-UDR-With-Specific-NextHop +- Deny-VNET-Peer-Cross-Sub +- Deny-VNET-Peering-To-Non-Approved-VNETs +- Deny-VNet-Peering +- DenyAction-ActivityLogs +- DenyAction-DeleteResources +- DenyAction-DiagnosticLogs +- Deploy-ASC-SecurityContacts +- Deploy-Budget +- Deploy-Custom-Route-Table +- Deploy-DDoSProtection +- Deploy-Diagnostics-AA +- Deploy-Diagnostics-ACI +- Deploy-Diagnostics-ACR +- Deploy-Diagnostics-APIMgmt +- Deploy-Diagnostics-AVDScalingPlans +- Deploy-Diagnostics-AnalysisService +- Deploy-Diagnostics-ApiForFHIR +- Deploy-Diagnostics-ApplicationGateway +- Deploy-Diagnostics-Bastion +- Deploy-Diagnostics-CDNEndpoints +- Deploy-Diagnostics-CognitiveServices +- Deploy-Diagnostics-CosmosDB +- Deploy-Diagnostics-DLAnalytics +- Deploy-Diagnostics-DataExplorerCluster +- Deploy-Diagnostics-DataFactory +- Deploy-Diagnostics-Databricks +- Deploy-Diagnostics-EventGridSub +- Deploy-Diagnostics-EventGridSystemTopic +- Deploy-Diagnostics-EventGridTopic +- Deploy-Diagnostics-ExpressRoute +- Deploy-Diagnostics-Firewall +- Deploy-Diagnostics-FrontDoor +- Deploy-Diagnostics-Function +- Deploy-Diagnostics-HDInsight +- Deploy-Diagnostics-LoadBalancer +- Deploy-Diagnostics-LogAnalytics +- Deploy-Diagnostics-LogicAppsISE +- Deploy-Diagnostics-MariaDB +- Deploy-Diagnostics-MediaService +- Deploy-Diagnostics-MlWorkspace +- Deploy-Diagnostics-MySQL +- Deploy-Diagnostics-NIC +- Deploy-Diagnostics-NetworkSecurityGroups +- Deploy-Diagnostics-PostgreSQL +- Deploy-Diagnostics-PowerBIEmbedded +- Deploy-Diagnostics-RedisCache +- Deploy-Diagnostics-Relay +- Deploy-Diagnostics-SQLElasticPools +- Deploy-Diagnostics-SQLMI +- Deploy-Diagnostics-SignalR +- Deploy-Diagnostics-TimeSeriesInsights +- 
Deploy-Diagnostics-TrafficManager +- Deploy-Diagnostics-VM +- Deploy-Diagnostics-VMSS +- Deploy-Diagnostics-VNetGW +- Deploy-Diagnostics-VWanS2SVPNGW +- Deploy-Diagnostics-VirtualNetwork +- Deploy-Diagnostics-WVDAppGroup +- Deploy-Diagnostics-WVDHostPools +- Deploy-Diagnostics-WVDWorkspace +- Deploy-Diagnostics-WebServerFarm +- Deploy-Diagnostics-Website +- Deploy-Diagnostics-iotHub +- Deploy-FirewallPolicy +- Deploy-LogicApp-TLS +- Deploy-MDFC-Arc-SQL-DCR-Association +- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR +- Deploy-MDFC-SQL-AMA +- Deploy-MDFC-SQL-DefenderSQL +- Deploy-MDFC-SQL-DefenderSQL-DCR +- Deploy-MySQL-sslEnforcement +- Deploy-Nsg-FlowLogs +- Deploy-Nsg-FlowLogs-to-LA +- Deploy-PostgreSQL-sslEnforcement +- Deploy-Private-DNS-Generic +- Deploy-SQL-minTLS +- Deploy-Sql-AuditingSettings +- Deploy-Sql-SecurityAlertPolicies +- Deploy-Sql-Tde +- Deploy-Sql-vulnerabilityAssessments +- Deploy-Sql-vulnerabilityAssessments_20230706 +- Deploy-SqlMi-minTLS +- Deploy-Storage-sslEnforcement +- Deploy-UserAssignedManagedIdentity-VMInsights +- Deploy-VNET-HubSpoke +- Deploy-Vm-autoShutdown +- Deploy-Windows-DomainJoin +- Modify-NSG +- Modify-UDR +
+ +#### root policy set definitions + +
45 policy set definitions + +- Audit-TrustedLaunch +- Audit-UnusedResourcesCostOptimization +- Deny-PublicPaaSEndpoints +- DenyAction-DeleteProtection +- Deploy-AUM-CheckUpdates +- Deploy-Diagnostics-LogAnalytics +- Deploy-MDFC-Config +- Deploy-MDFC-Config_20240319 +- Deploy-MDFC-DefenderSQL-AMA +- Deploy-Private-DNS-Zones +- Deploy-Sql-Security +- Deploy-Sql-Security_20240529 +- Enforce-ACSB +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-Backup +- Enforce-EncryptTransit +- Enforce-EncryptTransit_20240509 +- Enforce-Encryption-CMK +- Enforce-Guardrails-APIM +- Enforce-Guardrails-AppServices +- Enforce-Guardrails-Automation +- Enforce-Guardrails-CognitiveServices +- Enforce-Guardrails-Compute +- Enforce-Guardrails-ContainerApps +- Enforce-Guardrails-ContainerInstance +- Enforce-Guardrails-ContainerRegistry +- Enforce-Guardrails-CosmosDb +- Enforce-Guardrails-DataExplorer +- Enforce-Guardrails-DataFactory +- Enforce-Guardrails-EventGrid +- Enforce-Guardrails-EventHub +- Enforce-Guardrails-KeyVault +- Enforce-Guardrails-KeyVault-Sup +- Enforce-Guardrails-Kubernetes +- Enforce-Guardrails-MachineLearning +- Enforce-Guardrails-MySQL +- Enforce-Guardrails-Network +- Enforce-Guardrails-OpenAI +- Enforce-Guardrails-PostgreSQL +- Enforce-Guardrails-SQL +- Enforce-Guardrails-ServiceBus +- Enforce-Guardrails-Storage +- Enforce-Guardrails-Synapse +- Enforce-Guardrails-VirtualDesktop +
+ +#### root policy assignments + +
15 policy assignments + +- Audit-ResourceRGLocation +- Audit-TrustedLaunch +- Audit-UnusedResources +- Audit-ZoneResiliency +- Deny-Classic-Resources +- Deny-UnmanagedDisk +- Deploy-ASC-Monitoring +- Deploy-AzActivity-Log +- Deploy-Diag-Logs +- Deploy-MDEndpoints +- Deploy-MDEndpointsAMA +- Deploy-MDFC-Config-H224 +- Deploy-MDFC-OssDb +- Deploy-MDFC-SqlAtp +- Enforce-ACSB +
+ +#### root role definitions + +
5 role definitions + +- Application-Owners +- Network-Management +- Network-Subnet-Contributor +- Security-Operations +- Subscription-Owner +
+ +### archetype `sandboxes` + +#### sandboxes policy assignments + +
1 policy assignments + +- Enforce-ALZ-Sandbox +
+ +## Policy Default Values + +The following policy default values are available in this library: + +### default name `allowedLocationsForConfidentialComputing` + +#### assignment `Enforce-Sovereign-Conf` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `ddos_protection_plan_effect` + +#### assignment `Enable-DDoS-VNET` + +
1 parameter names + +- effect +
+ +### default name `ddos_protection_plan_id` + +#### assignment `Enable-DDoS-VNET` + +
1 parameter names + +- ddosPlan +
+ +### default name `emailSecurityContact` + +#### assignment `Deploy-MDFC-Config-H224` + +
1 parameter names + +- emailSecurityContact +
+ +### default name `listOfAllowedLocations` + +#### assignment `Enforce-Sovereign-Global` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `policyEffect` + +#### assignment `Enforce-Sovereign-Conf` + +
1 parameter names + +- effect +
+ +#### assignment `Enforce-Sovereign-Global` + +
1 parameter names + +- effect +
+ +--- +## Contents + +### all policy definitions + +
158 policy definitions + +- Append-AppService-httpsonly +- Append-AppService-latestTLS +- Append-KV-SoftDelete +- Append-Redis-disableNonSslPort +- Append-Redis-sslEnforcement +- Audit-AzureHybridBenefit +- Audit-Disks-UnusedResourcesCostOptimization +- Audit-MachineLearning-PrivateEndpointId +- Audit-PrivateLinkDnsZones +- Audit-PublicIpAddresses-UnusedResourcesCostOptimization +- Audit-ServerFarms-UnusedResourcesCostOptimization +- Deny-AA-child-resources +- Deny-APIM-TLS +- Deny-AppGW-Without-WAF +- Deny-AppGw-Without-Tls +- Deny-AppService-without-BYOC +- Deny-AppServiceApiApp-http +- Deny-AppServiceFunctionApp-http +- Deny-AppServiceWebApp-http +- Deny-AzFw-Without-Policy +- Deny-CognitiveServices-NetworkAcls +- Deny-CognitiveServices-Resource-Kinds +- Deny-CognitiveServices-RestrictOutboundNetworkAccess +- Deny-Databricks-NoPublicIp +- Deny-Databricks-Sku +- Deny-Databricks-VirtualNetwork +- Deny-EH-Premium-CMK +- Deny-EH-minTLS +- Deny-FileServices-InsecureAuth +- Deny-FileServices-InsecureKerberos +- Deny-FileServices-InsecureSmbChannel +- Deny-FileServices-InsecureSmbVersions +- Deny-LogicApp-Public-Network +- Deny-LogicApps-Without-Https +- Deny-MachineLearning-Aks +- Deny-MachineLearning-Compute-SubnetId +- Deny-MachineLearning-Compute-VmSize +- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess +- Deny-MachineLearning-ComputeCluster-Scale +- Deny-MachineLearning-HbiWorkspace +- Deny-MachineLearning-PublicAccessWhenBehindVnet +- Deny-MachineLearning-PublicNetworkAccess +- Deny-MgmtPorts-From-Internet +- Deny-MySql-http +- Deny-PostgreSql-http +- Deny-Private-DNS-Zones +- Deny-PublicEndpoint-MariaDB +- Deny-PublicIP +- Deny-RDP-From-Internet +- Deny-Redis-http +- Deny-Service-Endpoints +- Deny-Sql-minTLS +- Deny-SqlMi-minTLS +- Deny-Storage-ContainerDeleteRetentionPolicy +- Deny-Storage-CopyScope +- Deny-Storage-CorsRules +- Deny-Storage-LocalUser +- Deny-Storage-NetworkAclsBypass +- Deny-Storage-NetworkAclsVirtualNetworkRules +- 
Deny-Storage-ResourceAccessRulesResourceId +- Deny-Storage-ResourceAccessRulesTenantId +- Deny-Storage-SFTP +- Deny-Storage-ServicesEncryption +- Deny-Storage-minTLS +- Deny-StorageAccount-CustomDomain +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Penp +- Deny-Subnet-Without-Udr +- Deny-UDR-With-Specific-NextHop +- Deny-VNET-Peer-Cross-Sub +- Deny-VNET-Peering-To-Non-Approved-VNETs +- Deny-VNet-Peering +- DenyAction-ActivityLogs +- DenyAction-DeleteResources +- DenyAction-DiagnosticLogs +- Deploy-ASC-SecurityContacts +- Deploy-Budget +- Deploy-Custom-Route-Table +- Deploy-DDoSProtection +- Deploy-Diagnostics-AA +- Deploy-Diagnostics-ACI +- Deploy-Diagnostics-ACR +- Deploy-Diagnostics-APIMgmt +- Deploy-Diagnostics-AVDScalingPlans +- Deploy-Diagnostics-AnalysisService +- Deploy-Diagnostics-ApiForFHIR +- Deploy-Diagnostics-ApplicationGateway +- Deploy-Diagnostics-Bastion +- Deploy-Diagnostics-CDNEndpoints +- Deploy-Diagnostics-CognitiveServices +- Deploy-Diagnostics-CosmosDB +- Deploy-Diagnostics-DLAnalytics +- Deploy-Diagnostics-DataExplorerCluster +- Deploy-Diagnostics-DataFactory +- Deploy-Diagnostics-Databricks +- Deploy-Diagnostics-EventGridSub +- Deploy-Diagnostics-EventGridSystemTopic +- Deploy-Diagnostics-EventGridTopic +- Deploy-Diagnostics-ExpressRoute +- Deploy-Diagnostics-Firewall +- Deploy-Diagnostics-FrontDoor +- Deploy-Diagnostics-Function +- Deploy-Diagnostics-HDInsight +- Deploy-Diagnostics-LoadBalancer +- Deploy-Diagnostics-LogAnalytics +- Deploy-Diagnostics-LogicAppsISE +- Deploy-Diagnostics-MariaDB +- Deploy-Diagnostics-MediaService +- Deploy-Diagnostics-MlWorkspace +- Deploy-Diagnostics-MySQL +- Deploy-Diagnostics-NIC +- Deploy-Diagnostics-NetworkSecurityGroups +- Deploy-Diagnostics-PostgreSQL +- Deploy-Diagnostics-PowerBIEmbedded +- Deploy-Diagnostics-RedisCache +- Deploy-Diagnostics-Relay +- Deploy-Diagnostics-SQLElasticPools +- Deploy-Diagnostics-SQLMI +- Deploy-Diagnostics-SignalR +- Deploy-Diagnostics-TimeSeriesInsights +- 
Deploy-Diagnostics-TrafficManager +- Deploy-Diagnostics-VM +- Deploy-Diagnostics-VMSS +- Deploy-Diagnostics-VNetGW +- Deploy-Diagnostics-VWanS2SVPNGW +- Deploy-Diagnostics-VirtualNetwork +- Deploy-Diagnostics-WVDAppGroup +- Deploy-Diagnostics-WVDHostPools +- Deploy-Diagnostics-WVDWorkspace +- Deploy-Diagnostics-WebServerFarm +- Deploy-Diagnostics-Website +- Deploy-Diagnostics-iotHub +- Deploy-FirewallPolicy +- Deploy-LogicApp-TLS +- Deploy-MDFC-Arc-SQL-DCR-Association +- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR +- Deploy-MDFC-SQL-AMA +- Deploy-MDFC-SQL-DefenderSQL +- Deploy-MDFC-SQL-DefenderSQL-DCR +- Deploy-MySQL-sslEnforcement +- Deploy-Nsg-FlowLogs +- Deploy-Nsg-FlowLogs-to-LA +- Deploy-PostgreSQL-sslEnforcement +- Deploy-Private-DNS-Generic +- Deploy-SQL-minTLS +- Deploy-Sql-AuditingSettings +- Deploy-Sql-SecurityAlertPolicies +- Deploy-Sql-Tde +- Deploy-Sql-vulnerabilityAssessments +- Deploy-Sql-vulnerabilityAssessments_20230706 +- Deploy-SqlMi-minTLS +- Deploy-Storage-sslEnforcement +- Deploy-UserAssignedManagedIdentity-VMInsights +- Deploy-VNET-HubSpoke +- Deploy-Vm-autoShutdown +- Deploy-Windows-DomainJoin +- Modify-NSG +- Modify-UDR +
+ +### all policy set definitions + +
45 policy set definitions + +- Audit-TrustedLaunch +- Audit-UnusedResourcesCostOptimization +- Deny-PublicPaaSEndpoints +- DenyAction-DeleteProtection +- Deploy-AUM-CheckUpdates +- Deploy-Diagnostics-LogAnalytics +- Deploy-MDFC-Config +- Deploy-MDFC-Config_20240319 +- Deploy-MDFC-DefenderSQL-AMA +- Deploy-Private-DNS-Zones +- Deploy-Sql-Security +- Deploy-Sql-Security_20240529 +- Enforce-ACSB +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-Backup +- Enforce-EncryptTransit +- Enforce-EncryptTransit_20240509 +- Enforce-Encryption-CMK +- Enforce-Guardrails-APIM +- Enforce-Guardrails-AppServices +- Enforce-Guardrails-Automation +- Enforce-Guardrails-CognitiveServices +- Enforce-Guardrails-Compute +- Enforce-Guardrails-ContainerApps +- Enforce-Guardrails-ContainerInstance +- Enforce-Guardrails-ContainerRegistry +- Enforce-Guardrails-CosmosDb +- Enforce-Guardrails-DataExplorer +- Enforce-Guardrails-DataFactory +- Enforce-Guardrails-EventGrid +- Enforce-Guardrails-EventHub +- Enforce-Guardrails-KeyVault +- Enforce-Guardrails-KeyVault-Sup +- Enforce-Guardrails-Kubernetes +- Enforce-Guardrails-MachineLearning +- Enforce-Guardrails-MySQL +- Enforce-Guardrails-Network +- Enforce-Guardrails-OpenAI +- Enforce-Guardrails-PostgreSQL +- Enforce-Guardrails-SQL +- Enforce-Guardrails-ServiceBus +- Enforce-Guardrails-Storage +- Enforce-Guardrails-Synapse +- Enforce-Guardrails-VirtualDesktop +
+ +### all policy assignments + +
71 policy assignments + +- Audit-AppGW-WAF +- Audit-PeDnsZones +- Audit-ResourceRGLocation +- Audit-TrustedLaunch +- Audit-UnusedResources +- Audit-ZoneResiliency +- Deny-AppGW-Without-WAF +- Deny-Classic-Resources +- Deny-DataB-Pip +- Deny-DataB-Sku +- Deny-DataB-Vnet +- Deny-HybridNetworking +- Deny-IP-forwarding +- Deny-MgmtPorts-Internet +- Deny-Priv-Esc-AKS +- Deny-Private-DNS-Zones +- Deny-Privileged-AKS +- Deny-Public-Endpoints +- Deny-Public-IP +- Deny-Public-IP-On-NIC +- Deny-RDP-From-Internet +- Deny-RSG-Locations +- Deny-Resource-Locations +- Deny-Resource-Types +- Deny-Storage-http +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Udr +- Deny-UnmanagedDisk +- DenyAction-DeleteUAMIAMA +- Deploy-AKS-Policy +- Deploy-ASC-Monitoring +- Deploy-AzActivity-Log +- Deploy-AzSqlDb-Auditing +- Deploy-Diag-Logs +- Deploy-Log-Analytics +- Deploy-MDEndpoints +- Deploy-MDEndpointsAMA +- Deploy-MDFC-Config +- Deploy-MDFC-Config-H224 +- Deploy-MDFC-DefSQL-AMA +- Deploy-MDFC-DefenSQL-AMA +- Deploy-MDFC-OssDb +- Deploy-MDFC-SqlAtp +- Deploy-Private-DNS-Zones +- Deploy-Resource-Diag +- Deploy-SQL-DB-Auditing +- Deploy-SQL-Security +- Deploy-SQL-TDE +- Deploy-SQL-Threat +- Deploy-UAMI-VMInsights +- Deploy-VM-Backup +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enable-AUM-VM-Windows +- Enable-AUM-VMHyb-Windows +- Enable-DDoS-VNET +- Enforce-ACSB +- Enforce-AKS-HTTPS +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-ASR +- Enforce-GR-KeyVault +- Enforce-Sovereign-Conf +- Enforce-Sovereign-Global +- Enforce-TLS-SSL +- Enforce-TLS-SSL-H224 +
+ +### all role definitions + +
5 role definitions + +- Application-Owners +- Network-Management +- Network-Subnet-Contributor +- Security-Operations +- Subscription-Owner +
+
+
\ No newline at end of file
From e214502d641117a11a10a86c5957ddb2e097ef4f Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:36:10 +0100
Subject: [PATCH 3/5] doc(slz): generate docs again

---
 platform/slz/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/slz/README.md b/platform/slz/README.md
index b218833..d7dd143 100644
--- a/platform/slz/README.md
+++ b/platform/slz/README.md
@@ -76,7 +76,7 @@ flowchart TD
 (landing_zones)"]
 mcfs-landingzones --> mcfs-landingzones-confidential-corp
 mcfs-landingzones-confidential-corp["Confidential Corp
-(corp, confidential)"]
+(confidential, corp)"]
 mcfs-landingzones --> mcfs-landingzones-confidential-online
 mcfs-landingzones-confidential-online["Confidential Online
 (confidential, online)"]
From a555d806b0abf1660ecef597c517dbd5605eb4c5 Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:40:18 +0100
Subject: [PATCH 4/5] ci: update check workflow

---
 .github/workflows/pr-check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index 228c901..da32d4c 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -72,7 +72,7 @@ jobs:
 if [ -z "$(git status -suno)" ]; then
 echo "README.md is up to date"
 else
- echo "README.md is out of date, generate using `alzlibtool document library . >README.md`"
+ echo "README.md is out of date, generate using 'alzlibtool document library . >README.md'"
 git --no-pager diff
 exit 1
 fi
From f4657c148bdc434d40275a90d09d1531069a70ab Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:57:18 +0100
Subject: [PATCH 5/5] chore: alzlib 0.21.7

---
 .github/workflows/pr-check.yml | 2 +-
 .github/workflows/update-alz.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

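Review bot: The guard on the first context line of the pr-check.yml hunk, `if [ -z "$(git status -suno)" ]; then`, fails the step for any modified tracked file, so the reworded message "README.md is out of date" is also printed when an unrelated file changed during the job; scoping the check to the generated file, e.g. `if [ -z "$(git status -suno -- README.md)" ]; then` (path relative to the step's working directory, which is set outside this hunk), keeps the message and the failure condition aligned. The `run:` script this hunk belongs to starts outside the hunk. Because the replaced line's backticks inside a double-quoted string were live command substitution in the runner shell, a shellcheck pass over the workflow's inline `run:` scripts would flag this class of quoting mistake before it reaches a merged workflow.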
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index da32d4c..839f003 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -57,7 +57,7 @@ jobs:
 go-version: 'stable'
 
 - name: Install alzlibtool
- run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6
+ run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.7
 
 - name: Azure login
 uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml
index 0702daa..ea3b79f 100644
--- a/.github/workflows/update-alz.yml
+++ b/.github/workflows/update-alz.yml
@@ -44,7 +44,7 @@ jobs:
 go-version: 'stable'
 
 - name: install alzlibtool
- run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6
+ run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.7
 
 - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 id: generate-token