diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
index fcd0af1cd..4891d51b1 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
@@ -17,11 +17,13 @@
 "Deploy-VM-ChangeTrack",
 "Deploy-VM-Monitoring",
 "Deploy-vmArc-ChangeTrack",
+ "Deploy-vmHybr-Monitoring",
 "Deploy-VMSS-ChangeTrack",
 "Deploy-VMSS-Monitoring",
 "Enable-AUM-CheckUpdates",
 "Enable-DDoS-VNET",
 "Enforce-AKS-HTTPS",
+ "Enforce-ASR",
 "Enforce-GR-KeyVault",
 "Enforce-TLS-SSL-H224"
 ],
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
index 8d99feab9..8d6f4e472 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
@@ -6,9 +6,11 @@
 "Deploy-VM-ChangeTrack",
 "Deploy-VM-Monitoring",
 "Deploy-vmArc-ChangeTrack",
+ "Deploy-vmHybr-Monitoring",
 "Deploy-VMSS-ChangeTrack",
 "Deploy-VMSS-Monitoring",
 "Enable-AUM-CheckUpdates",
+ "Enforce-ASR",
 "Enforce-GR-KeyVault"
 ],
 "policy_definitions": [],
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json
new file mode 100644
index 000000000..da73e9e78
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json
@@ -0,0 +1,31 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-vmHybr-Monitoring",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).",
+ "displayName": "Enable Azure Monitor for Hybrid Virtual Machines",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Azure Monitor {enforcementMode} be enabled for Hybrid Virtual Machines."
+ }
+ ],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "${azure_monitor_data_collection_rule_vm_insights_resource_id}"
+ },
+ "enableProcessesAndDependencies": {
+ "value": true
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_asr.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_asr.tmpl.json
new file mode 100644
index 000000000..8a4191b0c
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_asr.tmpl.json
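Review bot: Key order in this new template is inconsistent with the other assignment file added in the same commit: here `location` and `identity` follow `name` and `parameters` precedes `scope`, while policy_assignment_es_enforce_asr.tmpl.json puts `parameters` last inside `properties` and `location`/`identity` after `properties`; aligning the two with the existing templates in the directory keeps the library easy to diff. The `SystemAssigned` identity is what the built-in initiative's remediation policies will run as, yet nothing in this template grants it any role, so it presumably relies on the module resolving the required roleDefinitionIds for policy set `2b00397d-c309-49c4-aa5a-f0b2c5bc6321` — worth confirming, since a missing role assignment only shows up later as failed remediation tasks. `enableProcessesAndDependencies` is deliberately set to `true` but the `description` does not say so; consider appending "Process and dependency data collection is enabled." to the description so operators reading the assignment know what is being collected.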
@@ -0,0 +1,24 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Enforce-ASR",
+ "dependsOn": [],
+ "properties": {
+ "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services.",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Azure Recovery Services (Backup and Site Recovery)."
+ }
+ ],
+ "scope": "${current_scope_resource_id}",
+ "notScopes": [],
+ "parameters": {}
+ },
+ "location": "${default_location}",
+ "identity": {
+ "type": "None"
+ }
+}
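Review bot: `identity.type` is `None`, which is only correct if every member of the custom `Enforce-Backup` initiative uses audit/deny-style effects; the initiative itself is not in this diff, so confirm it contains no deployIfNotExists or modify policy, otherwise this assignment needs `SystemAssigned` like the vmHybr one and remediation will silently never run. The naming is also inconsistent: the referenced set is `Enforce-Backup`, yet the assignment name, `displayName` and non-compliance message describe Azure Recovery Services including Site Recovery — either narrow the message to Backup or make the description explicit, e.g. `"description": "This initiative assignment enables recommended ALZ guardrails for Azure Backup and Site Recovery (initiative Enforce-Backup)."`. Since `enforcementMode` is `Default` and both the landing-zones and platform archetypes now reference this assignment, any deny effects in the set take effect immediately across the hierarchy; for a new guardrail the usual approach is to document that in the description or start with `DoNotEnforce` and flip it once compliance results have been reviewed.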