diff --git a/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.json b/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.json
deleted file mode 100644
index dcc01af2..00000000
--- a/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "nodeName": "/Corp/",
- "scope": {
- "tenant1": [
- "/providers/Microsoft.Management/managementGroups/corp"
- ]
- },
- "children": [
- {
- "nodeName": "Networking/",
- "children": [
- {
- "nodeName": "PublicEndpoint",
- "assignment": {
- "name": "Deny-Public-Endpoints",
- "displayName": "Public network access should be disabled for PaaS services",
- "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints"
- },
- "definitionEntry": {
- "initiativeName": "Deny-PublicPaaSEndpoints",
- "friendlyNameToDocumentIfGuid": "Deny Public PaaS Endpoints"
- }
- }
- ]
- },
- {
- "nodeName": "Databricks/",
- "children": [
- {
- "nodeName": "NoDBPIP",
- "assignment": {
- "name": "Deny-DataB-Pip",
- "displayName": "Prevent usage of Databricks with public IP",
- "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs."
- },
- "definitionEntry": {
- "policyName": "Deny-Databricks-NoPublicIp",
- "friendlyNameToDocumentIfGuid": "Deny Databricks with Public Ip"
- }
- },
- {
- "nodeName": "DbPremium",
- "assignment": {
- "name": "Deny-DataB-Sku",
- "displayName": "Enforces the use of Premium Databricks workspaces",
- "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD."
- },
- "definitionEntry": {
- "policyName": "Deny-Databricks-Sku",
- "friendlyNameToDocumentIfGuid": "Deny Databricks Sku"
- }
- },
- {
- "nodeName": "DbVnet",
- "assignment": {
- "name": "Deny-DataB-Vnet",
- "displayName": "Enforces the use of vnet injection for Databricks",
- "description": "Enforces the use of vnet injection for Databricks workspaces."
- },
- "definitionEntry": {
- "policyName": "Deny-Databricks-VirtualNetwork",
- "friendlyNameToDocumentIfGuid": "Deny Databricks Virtual Network"
- }
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.jsonc b/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.jsonc
new file mode 100644
index 00000000..7733a75f
--- /dev/null
+++ b/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.jsonc
@@ -0,0 +1,107 @@
+{
+ "nodeName": "/Corp/",
+ "scope": {
+ "tenant1": [
+ "/providers/Microsoft.Management/managementGroups/corp"
+ ]
+ },
+ "children": [
+ {
+ "nodeName": "Networking/",
+ "children": [
+ {
+ "nodeName": "PublicEndpoint",
+ "assignment": {
+ "name": "Deny-Public-Endpoints",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints"
+ },
+ "definitionEntry": {
+ "initiativeName": "Deny-PublicPaaSEndpoints",
+ "friendlyNameToDocumentIfGuid": "Deny Public PaaS Endpoints"
+ }
+ },
+ {
+ "nodeName": "DNZZones",
+ "assignment": {
+ "name": "Deploy-Private-DNS-Zones",
+ "displayName": "Configure Azure PaaS services to use private DNS zones",
+ "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones."
+ },
+ "definitionEntry": {
+ "initiativeName": "Deploy-Private-DNS-Zones",
+ "friendlyNameToDocumentIfGuid": "Deploy Private DNS Zones"
+ },
+ "parameters": {
+ // Replace DNSZonePrefix with a value similar to
+ // "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myorg-dns/providers/Microsoft.Network/privateDnsZones/"
+ // but modify to reference your connectivity subscription.
+ // Replace location with the default deployment location.
+ // If you don't require this then remove the assignment block.
+ "azureFilePrivateDnsZoneId": "DNSZonePrefix.privatelink.afs.azure.net",
+ "azureWebPrivateDnsZoneId": "DNSZonePrefix.privatelink.webpubsub.azure.com",
+ "azureBatchPrivateDnsZoneId": "DNSZonePrefix.privatelink.location.batch.azure.com",
+ "azureAppPrivateDnsZoneId": "DNSZonePrefix.privatelink.azconfig.io",
+ "azureAsrPrivateDnsZoneId": "DNSZonePrefixlocation.privatelink.siterecovery.windowsazure.com",
+ "azureIoTPrivateDnsZoneId": "DNSZonePrefix.privatelink.azure-devices-provisioning.net",
+ "azureKeyVaultPrivateDnsZoneId": "DNSZonePrefix.privatelink.vaultcore.azure.net",
+ "azureSignalRPrivateDnsZoneId": "DNSZonePrefix.privatelink.service.signalr.net",
+ "azureAppServicesPrivateDnsZoneId": "DNSZonePrefix.privatelink.azurewebsites.net",
+ "azureEventGridTopicsPrivateDnsZoneId": "DNSZonePrefix.privatelink.eventgrid.azure.net",
+ "azureDiskAccessPrivateDnsZoneId": "DNSZonePrefix.privatelink.blob.core.windows.net",
+ "azureCognitiveServicesPrivateDnsZoneId": "DNSZonePrefix.privatelink.cognitiveservices.azure.com",
+ "azureIotHubsPrivateDnsZoneId": "DNSZonePrefix.privatelink.azure-devices.net",
+ "azureEventGridDomainsPrivateDnsZoneId": "DNSZonePrefix.privatelink.eventgrid.azure.net",
+ "azureRedisCachePrivateDnsZoneId": "DNSZonePrefix.privatelink.redis.cache.windows.net",
+ "azureAcrPrivateDnsZoneId": "DNSZonePrefix.privatelink.azurecr.io",
+ "azureEventHubNamespacePrivateDnsZoneId": "DNSZonePrefix.privatelink.servicebus.windows.net",
+ "azureMachineLearningWorkspacePrivateDnsZoneId": "DNSZonePrefix.privatelink.api.azureml.ms",
+ "azureServiceBusNamespacePrivateDnsZoneId": "DNSZonePrefix.privatelink.servicebus.windows.net",
+ "azureCognitiveSearchPrivateDnsZoneId": "DNSZonePrefix.privatelink.search.windows.net"
+ }
+ }
+ ]
+ },
+ {
+ "nodeName": "Databricks/",
+ "children": [
+ {
+ "nodeName": "NoDBPIP",
+ "assignment": {
+ "name": "Deny-DataB-Pip",
+ "displayName": "Prevent usage of Databricks with public IP",
+ "description": "Prevent the deployment of Databricks 
workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs."
+ },
+ "definitionEntry": {
+ "policyName": "Deny-Databricks-NoPublicIp",
+ "friendlyNameToDocumentIfGuid": "Deny Databricks with Public Ip"
+ }
+ },
+ {
+ "nodeName": "DbPremium",
+ "assignment": {
+ "name": "Deny-DataB-Sku",
+ "displayName": "Enforces the use of Premium Databricks workspaces",
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD."
+ },
+ "definitionEntry": {
+ "policyName": "Deny-Databricks-Sku",
+ "friendlyNameToDocumentIfGuid": "Deny Databricks Sku"
+ }
+ },
+ {
+ "nodeName": "DbVnet",
+ "assignment": {
+ "name": "Deny-DataB-Vnet",
+ "displayName": "Enforces the use of vnet injection for Databricks",
+ "description": "Enforces the use of vnet injection for Databricks workspaces."
+ },
+ "definitionEntry": {
+ "policyName": "Deny-Databricks-VirtualNetwork",
+ "friendlyNameToDocumentIfGuid": "Deny Databricks Virtual Network"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Scripts/CloudAdoptionFramework/Assignments/CAF-RootMG-Default.json b/Scripts/CloudAdoptionFramework/Assignments/CAF-RootMG-Default.json
index d4db369c..90e6720b 100644
--- a/Scripts/CloudAdoptionFramework/Assignments/CAF-RootMG-Default.json
+++ b/Scripts/CloudAdoptionFramework/Assignments/CAF-RootMG-Default.json
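Review bot: The placeholder scheme in the `Deploy-Private-DNS-Zones` parameters is internally inconsistent: nineteen entries use the form `DNSZonePrefix.privatelink...`, while `azureAsrPrivateDnsZoneId` uses `DNSZonePrefixlocation.privatelink...` with no separator, and substituting the comment's example value literally (it ends in `privateDnsZones/`) into the dotted form yields `.../privateDnsZones/.privatelink.afs.azure.net`, which is not a valid zone resource id. Either drop the trailing `/` from the example or make every placeholder `DNSZonePrefixprivatelink...` so a plain search-and-replace produces a valid id, and say which token `location` refers to, since it appears only in the Batch and Site Recovery entries. The initiative name and description suggest this is remediation that creates the DNS zone group for each private endpoint; if an id is left as a placeholder or mis-joined, that step presumably fails and the PaaS FQDN keeps resolving to the public endpoint, which quietly undercuts the `Deny-Public-Endpoints` assignment in the same node. A comment such as `// NOTE: an unresolvable zone id leaves private endpoints without DNS integration; validate every id before deploying` next to the placeholder block would make that failure mode visible. Minor: the node name `DNZZones` looks like a typo for `DNSZones`.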
@@ -20,12 +20,12 @@
 "nodeName": "ASB",
 "assignment": {
 "name": "Deploy-ASC-Monitoring",
- "displayName": "Azure Security Benchmark",
- "description": "Azure Security Benchmark policy initiative"
+ "displayName": "Microsoft Cloud Security Benchmark",
+ "description": "Microsoft Cloud Security Benchmark policy initiative"
 },
 "definitionEntry": {
 "initiativeName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
- "friendlyNameToDocumentIfGuid": "Azure Security Benchmark"
+ "friendlyNameToDocumentIfGuid": "Microsoft Cloud Security Benchmark"
 },
 "parameters": {
 "identityDesignateLessThanOwnersMonitoringEffect": "Disabled",
@@ -77,10 +77,7 @@
 "policyName": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
 "friendlyNameToDocumentIfGuid": "Activity Logs"
 },
- "parameters": {
- "effect": "DeployIfNotExists",
- "logsEnabled": "True"
- }
+ "parameters": {}
 },
 {
 "nodeName": "ResourceDiagnostics",
@@ -93,9 +90,7 @@
 "initiativeName": "Deploy-Diagnostics-LogAnalytics",
 "friendlyNameToDocumentIfGuid": "Resource Diagnostics"
 },
- "parameters": {
- "effect": "DeployIfNotExists"
- }
+ "parameters": {}
 },
 {
 "nodeName": "VMMonitoring",
@@ -122,35 +117,6 @@
 }
 }
 ]
- },
- {
- "nodeName": "Compute",
- "children": [
- {
- "nodeName": "Arc-Linux-Monitoring",
- "assignment": {
- "name": "Deploy-LX-Arc-Monitoring",
- "displayName": "Deploy-Linux-Arc-Monitoring",
- "description": "Deploy-Linux-Arc-Monitoring"
- },
- "definitionEntry": {
- "policyName": "9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
- "friendlyNameToDocumentIfGuid": "Arc Linux Monitoring"
- }
- },
- {
- "nodeName": "Arc-Windows-Monitoring",
- "assignment": {
- "name": "Deploy-Arc-Monitoring",
- "displayName": "Deploy-Windows-Arc-Monitoring",
- "description": "Deploy-Windows-Arc-Monitoring"
- },
- "definitionEntry": {
- "policyName": "69af7d4a-7b18-4044-93a9-2651498ef203",
- "friendlyNameToDocumentIfGuid": "Arc Windows Monitoring"
- }
- }
- ]
 }
 ]
 }
\ No newline at end of file
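Review bot: Replacing the explicit `"effect": "DeployIfNotExists"` and `"logsEnabled": "True"` with `"parameters": {}` makes the Activity Logs assignment's enforcement depend entirely on the definition's default values, and the Resource Diagnostics hunk below does the same for `Deploy-Diagnostics-LogAnalytics`. If the default effect of the built-in `2465583e-...` or of the custom initiative is later changed to `AuditIfNotExists` or `Disabled`, log collection silently stops with no diff in this file; the pinned effect was the one place the intended posture was explicit. If the removal is deliberate (for example because the tooling rejects parameters the definition does not declare, which I cannot confirm from here), record that reason and the expected default in the commit description, since this strict `.json` file has nowhere to hold a comment, or keep `"effect": "DeployIfNotExists"` where the definition does declare it. Separately, the pure deletion of the `Compute` node at the end of this file drops the Arc Linux/Windows monitoring assignments without a visible replacement; unless the `VMMonitoring` node also targets Arc-enabled servers, hybrid machines lose log coverage.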
diff --git a/Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1 b/Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1
index 3b72d33a..b44532ae 100644
--- a/Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1
+++ b/Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1
@@ -80,5 +80,5 @@ foreach ($initiativeFile in Get-ChildItem $definitionsRootFolder\Initiatives\CAF
 $jsonContent | ConvertTo-Json -Depth 20 | Set-Content $initiativeFile
 }
-Copy-Item -Path .\Scripts\CloudAdoptionFramework\Assignments\*.json -Destination "$definitionsRootFolder\assignments\CAF\" -Force
+Copy-Item -Path .\Scripts\CloudAdoptionFramework\Assignments\*.* -Destination "$definitionsRootFolder\assignments\CAF\" -Force
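Review bot: Widening the glob from `*.json` to `*.*` copies every file in `Scripts\CloudAdoptionFramework\Assignments\` into the consumer's `assignments\CAF\` folder and, with `-Force`, overwrites whatever is there, so stray editor backups, `.orig`/`.bak` files or anything a contributor drops into that directory will be shipped alongside the real assignment files and picked up by whatever reads that folder. The only thing this commit needs is the new `.jsonc` sibling, so restrict the pattern to the two extensions: `Copy-Item -Path .\Scripts\CloudAdoptionFramework\Assignments\*.json, .\Scripts\CloudAdoptionFramework\Assignments\*.jsonc -Destination "$definitionsRootFolder\assignments\CAF\" -Force`. The source path is also relative to the caller's working directory rather than `$PSScriptRoot`; that predates this change, but it is worth fixing in the same line now that the pattern matches more. The enclosing script continues outside the hunk.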