diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 4d3438be8f..3b09ef4de8 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.35.1.17967", - "templateHash": "8629418093770012956" + "version": "0.36.1.42791", + "templateHash": "13190274546226031371" } }, "parameters": { @@ -181,7 +181,7 @@ "$fxv#36": "{\n \"name\": \"Deny-FileServices-InsecureSmbChannel\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB channel encryption should be denied\",\n \"description\": \"This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedChannelEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"AES-128-CCM\",\n \"allowedValues\": [\n \"AES-128-CCM\",\n \"AES-128-GCM\",\n \"AES-256-GCM\"\n ],\n \"metadata\": {\n \"displayName\": \"SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption\",\n \"contains\": \"[[parameters('notAllowedChannelEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", "$fxv#37": "{\n \"name\": \"Deny-FileServices-InsecureSmbVersions\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB versions should be denied\",\n \"description\": \"This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"allowedSmbVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"SMB3.1.1\",\n \"allowedValues\": [\n \"SMB2.1\",\n \"SMB3.0\",\n \"SMB3.1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Allowed SMB Version\",\n \"description\": \"The allowed SMB version for maximum security\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"not\":\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions\",\n \"contains\": \"[[parameters('allowedSmbVersion')]\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", "$fxv#38": "{\n \"name\": \"Deny-FileServices-InsecureAuth\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure authentication methods should be denied\",\n \"description\": \"This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedAuthMethods\": {\n \"type\": \"String\",\n \"defaultValue\": \"NTLMv2\",\n \"allowedValues\": [\n \"NTLMv2\",\n \"Kerberos\"\n ],\n \"metadata\": {\n \"displayName\": \"Authentication methods supported by server. Valid values are NTLMv2, Kerberos.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods\",\n \"contains\": \"[[parameters('notAllowedAuthMethods')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#39": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#39": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n },\n {\n \"equals\": \"On\",\n \"field\": \"Microsoft.Security/securityContacts/notificationsByRole.state\"\n },\n {\n \"contains\": \"Owner\",\n \"field\": \"Microsoft.Security/securityContacts/notificationsByRole.roles[*]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#4": "{\n \"name\": \"Append-Redis-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.\",\n \"description\": \"Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for Redis server\",\n \"description\": \"Select version minimum TLS version Azure Cache for Redis to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n }\n }\n}\n", "$fxv#40": "{\n \"name\": \"Deploy-Custom-Route-Table\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a route table with specific user defined routes\",\n \"description\": \"Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"requiredRoutes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"requiredRoutes\",\n \"description\": \"Routes that must exist in compliant route tables deployed by this policy\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vnetRegion\",\n \"description\": \"Only VNets in this region will be evaluated against this policy\"\n }\n },\n \"routeTableName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"routeTableName\",\n \"description\": \"Name of the route table automatically deployed by this policy\"\n }\n },\n \"disableBgpPropagation\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"DisableBgpPropagation\",\n \"description\": \"Disable BGP Propagation\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('routeTableName')]\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"value\": \"[[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\",\n \"in\": \"[[parameters('requiredRoutes')]\"\n }\n },\n \"equals\": \"[[length(parameters('requiredRoutes'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {\n \"copyLoop\": [\n {\n \"name\": \"routes\",\n \"count\": \"[[[length(parameters('requiredRoutes'))]\",\n \"input\": {\n \"name\": \"[[[concat('route-',copyIndex('routes'))]\",\n \"properties\": {\n \"addressPrefix\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\n \"nextHopType\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\",\n \"nextHopIpAddress\": \"[[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\"\n }\n }\n }\n ]\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"routeTableDepl\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[[parameters('routeTableName')]\",\n \"location\": \"[[[parameters('vnetRegion')]\",\n \"properties\": {\n \"disableBgpRoutePropagation\": \"[[[parameters('disableBgpPropagation')]\",\n \"copy\": \"[[variables('copyLoop')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#41": "{\n \"name\": \"Deploy-DDoSProtection\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy an Azure DDoS Network Protection\",\n \"description\": \"Deploys an Azure DDoS Network Protection\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ddosName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosName\",\n \"description\": \"DDoSVnet\"\n }\n },\n \"ddosRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosRegion\",\n \"description\": \"DDoSVnet location\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"name\": \"[[parameters('ddosName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"ddosname\": {\n \"value\": \"[[parameters('ddosname')]\"\n },\n \"ddosregion\": {\n \"value\": \"[[parameters('ddosRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"ddosname\": {\n \"type\": \"String\"\n },\n \"ddosRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"ddosprotection\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"apiVersion\": \"2019-12-01\",\n \"name\": \"[[parameters('ddosName')]\",\n \"location\": \"[[parameters('ddosRegion')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json index 0b86bfaa49..a5451b6159 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json @@ -9,7 +9,7 @@ "displayName": "Deploy Microsoft Defender for Cloud Security Contacts", "description": "Deploy Microsoft Defender for Cloud Security Contacts", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -83,6 +83,14 @@ { "field": "Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity", "contains": "[[parameters('minimalSeverity')]" + }, + { + "equals": "On", + "field": "Microsoft.Security/securityContacts/notificationsByRole.state" + }, + { + "contains": "Owner", + "field": "Microsoft.Security/securityContacts/notificationsByRole.roles[*]" } ] },