updated latest built-ins

samples/001-builtins/AuthoringAndSubmittingBuiltIns.md

@@ -0,0 +1,123 @@
+# Overview
+
+Built-In blueprints are static blueprint definitions available to **all** customers (ie: global resources) that are intended to be used as "templates" when creating new blueprint definitions via the UI. They cannot be assigned directly, and are read-only due to their global nature.
+
+Built-In blueprints are checked into the Blueprint source repository and deployed with our resource provider, and can be accessed using the REST API via the endpoint "/providers/Microsoft.Blueprint/blueprints". Because they are static embedded resources, the process for introducing new built-in blueprints is highly specific, and is described within this document.
+
+## Prerequisites
+
+ - Read/write access to the Blueprint GIT repository
+ - A local enlistment to the Blueprint GIT repository
+ - Fundamental GIT knowledge
+ - Visual Studio installed locally
+
+# Authoring New Built-In Blueprints
+
+The process for the actual creation of blueprints intended for built-in use is the same as any other blueprint with the following exceptions:
+
+- They CANNOT refer to any scope specific resources (custom policies, etc.)
+- The display name for the blueprint should not exceed 25 characters (ensures optimal UI appearance)
+- The description for the blueprint should not exceed 80 characters (ensures optimal UI appearance)
+
+They can be created in the UI or via the REST API, and as long as the above exceptions hold true, any valid blueprint can be used as a built-in blueprint. They should however be blueprints that show common practices that would be useful as templates for users (highly specific blueprints are discouraged as built-ins).
+
+## Testing Blueprints as Built-Ins
+
+Prior to checking-in blueprint definitions as built-ins it is **required** that they be tested by using a UI feature allowing templates (built-ins) to be pulled from a Management Group instead of the backend. To use this feature it's recommended you create a new MG specifically used for testing potential built-ins (internally the team uses "AzBlueprintBuiltIns") and then store/edit your built-in definitions there. You can then test these templates by using the portal URL format:
+
+*https://<span></span>ms.portal.azure.<span></span>com/?Microsoft_Azure_Policy_privacy=true&Microsoft_Azure_Policy_Blueprints=true&feature.builtInBlueprints_DevMG=**{YOUR_MG_NAME_HERE}**&feature.builtInBlueprints=true#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/Blueprints*
+
+For example if you were using AzBlueprintBuiltIns for the test MG, you'd use the following link:
+
+https://ms.portal.azure.com/?Microsoft_Azure_Policy_privacy=true&Microsoft_Azure_Policy_Blueprints=true&feature.builtInBlueprints_DevMG=AzBlueprintBuiltIns&feature.builtInBlueprints=true#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/Blueprints
+
+After navigating to the link, performing a "Create Definition" action under blueprints will show the template selection UI using blueprints pulled from your MG. The following validations must be performed via this feature at a **minimum**:
+
+1. Validate the title/description shown in the sample/built-in selection UI are appropriate for customer use
+2. Validate you can create/edit a new definition using your sample blueprint.
+3. Validate you can successfully assign a blueprint created from your sample blueprint.
+4. Validate the deployment of your blueprint succeeds and all resulting resources are in their expected states.
+5. Validate that you can successfully upgrade/update your blueprint assignment.
+
+If all looks good, you're ready to begin the check-in process.
+
+## Checking-In the Blueprint/Artifact Definitions
+
+The definitions for built-in blueprints and their artifacts are stored under "src\BlueprintSamples\BlueprintSamples\BuiltInBlueprints" within the [Blueprint GIT repository](https://dev.azure.com/msazure/One/_git/Mgmt-Governance-Blueprint). The file/folder structure is:
+
+- BuiltInBlueprints\{blueprintName}
+    - Blueprint definition: BuiltInBlueprints\{blueprintName}\blueprint.json
+    - Artifact definitions:  BuiltInBlueprints\{blueprintName}\artifact.{artifactName}.json
+
+The JSON files are the equivalent to the GET responses returned for the blueprint and artifacts when using the latest API version.
+
+**Note:** Prior to performing the steps to add a new built-in blueprint to the repository, you should sync with the latest master Blueprint branch and create your own local branch specifically for the built-in blueprint addition, for example "youralias/newbuiltins".
+
+## Obtaining and prepping definition JSON for check-in
+
+1. Create a new folder: src\BlueprintSamples\BlueprintSamples\BuiltInBlueprints\{yourBlueprintName}
+
+   **Note:** The folder name must match the name of the blueprint within the definition
+2. Perform an HTTP GET request against your blueprint (you can use [armclient](https://github.com/projectkudu/ARMClient) for this) . For example: "armclient GET /providers/Microsoft.Management/managementGroups/**{YourMGName}**/providers/Microsoft.Blueprint/blueprints/**{YourBlueprintName}**?api-version=2018-11-01-preview"
+   - Modify the returned JSON to have the appropriate ID for the built-in. Basically any MG/subscription scope paths will need stripped out. For example:
+
+     *"id": "<span style='color:red'>/providers/Microsoft.Management/managementGroups/AzBlueprintBuiltIns/</span>providers/Microsoft.Blueprint/blueprints/networking-vnet"*
+
+     Would become:
+
+     *"id": "/providers/Microsoft.Blueprint/blueprints/networking-vnet"*
+
+   - Save the JSON as BuiltInBlueprints\{blueprintName}\\**blueprint.json**
+
+3.	For each artifact in the blueprint, perform a GET request and obtain the returned JSON
+    -  Modify the ids for each artifact like you did in the previous step for the blueprint definition (strip out any subscription/MG scope information).
+
+    - Save the JSON for each artifact as BuiltInBlueprints\{blueprintName}\**artifact**.{artifactName}.**json**
+    **Note:** The artifactName **must** match the artifact name within the json
+
+At this point you have all the definition files you'll need for the check-in, but you'll still need to trigger a local build to prep the definitions for localization.
+
+## Performing a local build to prep the built-in for localization
+
+When you perform a local build with a new built-in blueprint definition present, a tool will be executed to update the ".resx" file for the built-in blueprints to allow for future localization. This is a step that is **required** prior to submitting your changes to the master branch via a PR.
+
+To perform a local build, open a new Blueprints GIT/repo environment command prompt and from the root execute the following command line: *"msbuild dirs.proj"*
+
+After the build completes, execute a "git status" and you should see that the "src\BlueprintSamples\BlueprintSamples\BuiltInBlueprintResources.resx" file has been modified. It's recommended that you compare the new changes with the previous file state to ensure the expected localizable strings are present within the file.
+
+## Update BuiltInOwnerMappings.md
+
+Within the Blueprints repository is a file that contains a mapping of specific built-in blueprints to their relevant owning team. It is located at "src\BlueprintSamples\BlueprintSamples\BuiltInOwnerMappings.md" and you **must** update it to include your new built-in's team association as part of your PR.
+
+## Local testing
+
+It is **highly recommended** that you load the Blueprint solution within Visual Studio and execute all of the UnitTests prior to submitting a PR. There are numerous tests to validate built-in blueprints can be retrieved as expected. 
+
+If you choose not to run the unit tests locally they will still run as part of the build verification after you create your PR request.
+
+## Submitting the PR
+
+After all the previous steps have been completed you can to submit the PR with your new built-in blueprint! Within the PR text please provide us with the following information as well:
+
+* Whether the built-in is supported in Fairfax (if it is not, the Blueprints team will need to create an additional PR in our UX branch that disables the built-in in Fairfax). **Note**: If you claim support for the blueprint in Fairfax you MUST test it within that environment before submitting your blueprint PR.
+* The Azure resource IDs of one or more successful blueprint assignments created during your validation testing (as described in the "Testing Blueprints as Built-Ins" section of this document). **Alternatively** you can provide us with screenshot(s) of your successful assignment(s), but please note to do this you'll need to create the PR without the screenshots first via DevOps (visualstudio.com) and then immediately edit it afterwards to include the screenshots (pasting screenshots into PRs does not work during PR creation, but *does work* when editing PRs).
+* The names/aliases of the PM(s) on your team who have reviewed and signed off on your blueprint.
+
+### What the PR reviewer will look at
+The following items are a check list of what the reviewer of the Blueprint PR will look at. The code review will go more smoothly if you verify and fix these before submitting the PR.
+* Do the artifacts/blueprints have the "id" property? And are they tenant level IDs that start with `/providers/Microsoft.Blueprint/blueprints/...`? If these are missing it means you have not run the built-in export/preparation script against your blueprints and should do so before submitting the PR.
+* Does the blueprint have an appropriate display name/description present? Are they relatively short? If not, they should be as there is limited space to render them in the Portal.
+* Are the display names for artifacts user friendly? If not, they should be. 
+* Did you specify "Preview" in display names for policies? If yes, please remove it. The blueprint display names for policies will not automatically update when the policy goes out of preview.
+* Have you specified the information necessary for the corresponding UI update in your PR description? Which icons hould be used? Which environments (Public or Fairfax) is the blueprint supported in? What should the aka.ms link be? If not, please provide this information before submitting the PR.
+* Did you update BuiltInOwnerMappings.md to include your new built-in?
+
+## Built-In Availability
+
+New built-ins become available to customers when the Resource Provider binaries built with your changes are deployed to production. If you lack access to create deployments (currently limited to internal Blueprints team members only), you can start a mail thread with the Blueprint team ([email protected]) to track progress of deployments containing your changes. Deployments can also be tracked here:
+
+* **Prod**: https://msazure.visualstudio.com/One/_release?view=mine&definitionId=3583
+* **Dogfood**: https://msazure.visualstudio.com/One/_release?view=mine&definitionId=6851
+
+Prior to production deployments, it is required that new built-ins are verified to work as expected in the dogfood portal/azure environment.
+

samples/001-builtins/BuiltInOwnerMappings.md

@@ -0,0 +1,48 @@
+# Ownership of Built-In Blueprints
+
+Note: Submitters of new built-ins are **required** to update this document with the built-in name/team mapping for their new built-in.
+
+##Enterprise Control Plane (ECP) Team
+------------------------
+
+**ICM**: [Incidents](https://icm.ad.msft.net/imp/v3/incidents/search/advanced?serviceCategories=1&services=23444&teams=42819) | Team Name: Enterprise Control Plane (ECP) escalations  
+**Email**: [email protected]
+
+### Built-Ins:
+
+* Canada Federal PBMM (India Dev Team)
+* CIS Microsoft Azure Foundations Benchmark v1.1
+* FedRAMP (India Dev Team)
+* HIPAA
+* IRS 1075
+* ISO 27001
+* NIST
+* PCI-DSS
+* SWIFT CSP-CSCF v2020
+* UK OFFICIAL
+* UKNHS
+
+
+## Fast Track Infra Team
+------------------------
+
+**ICM**: Not yet live  
+**Email**: [email protected]
+
+### Built-Ins:
+
+* CAF Foundation
+* CAF Migration Landing Zone
+
+
+##Blueprint PM Team
+------------------------
+
+**ICM**: [Incidents](https://icm.ad.msft.net/imp/v3/incidents/search/advanced?serviceCategories=1&services=22937&teams=44739) | Team Name: Blueprint  
+**Email**: [email protected]
+
+### Built-Ins:
+
+* Basic Networking (VNET)
+* Common Policies
+* Resource Groups with RBAC

samples/001-builtins/Canada-Federal-PBMM/artifact.07420a8e-b772-4d6a-a1f5-27bbb6ba1077.json

@@ -0,0 +1,21 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+    "parameters": {
+      "listOfAllowedLocations": {
+        "value": [
+        "canadacentral",
+        "canadaeast"
+        ]
+      }
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Allowed locations for resource groups"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/07420a8e-b772-4d6a-a1f5-27bbb6ba1077",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "07420a8e-b772-4d6a-a1f5-27bbb6ba1077"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.07420a8e-b772-4d6a-a1f5-27bbb6ba1446.json

@@ -0,0 +1,27 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87",
+    "parameters": {
+      "logAnalyticsWorkspaceIdforVMReporting": {
+        "value": "[parameters('logAnalyticsWorkspaceIdforVMReporting')]"
+      },
+      "listOfResourceTypesWithDiagnosticLogsEnabled": {
+        "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
+      },
+      "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+        "value": "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
+      },
+      "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+        "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
+      }
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/07420a8e-b772-4d6a-a1f5-27bbb6ba1446",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "07420a8e-b772-4d6a-a1f5-27bbb6ba1446"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.1dfbc723-4fbb-4b7e-81e1-8284a8d2bef4.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9",
+    "parameters": {
+
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy network watcher when virtual networks are created"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/1dfbc723-4fbb-4b7e-81e1-8284a8d2bef4",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "1dfbc723-4fbb-4b7e-81e1-8284a8d2bef4"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.23d3a93b-96f4-44d6-a1e8-f4fc2a51a2c3.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+    "parameters": {
+
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy Threat Detection on SQL servers"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/23d3a93b-96f4-44d6-a1e8-f4fc2a51a2c3",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "23d3a93b-96f4-44d6-a1e8-f4fc2a51a2c3"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.23d3a93b-96f4-44d6-a1e8-f4fc2a51a692.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+    "parameters": {
+
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy SQL DB transparent data encryption"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/23d3a93b-96f4-44d6-a1e8-f4fc2a51a692",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "23d3a93b-96f4-44d6-a1e8-f4fc2a51a692"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.23d3a93b-96f4-44d6-a1e8-f4fc2a51aa61.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
+    "parameters": {
+
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/23d3a93b-96f4-44d6-a1e8-f4fc2a51aa61",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "23d3a93b-96f4-44d6-a1e8-f4fc2a51aa61"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.23d3a93b-96f4-44d6-a1e8-f4fc2a51ae30.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a",
+    "parameters": {
+
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Require automatic OS image patching on Virtual Machine Scale Sets"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/23d3a93b-96f4-44d6-a1e8-f4fc2a51ae30",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "23d3a93b-96f4-44d6-a1e8-f4fc2a51ae30"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.494eda7e-ca5c-40d1-b8f3-1ceaa975913b.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6",
+    "parameters": {
+
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy Advanced Data Security on SQL servers"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/494eda7e-ca5c-40d1-b8f3-1ceaa975913b",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "494eda7e-ca5c-40d1-b8f3-1ceaa975913b"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.494eda7e-ca5c-40d1-b8f3-1ceaa975950a.json

@@ -0,0 +1,18 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
+    "parameters": {
+      "effect": {
+        "value": "[parameters('deployAdvancedThreatProtectiononStorageAccounts_effect')]"
+      }
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy Advanced Threat Protection on Storage Accounts"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/494eda7e-ca5c-40d1-b8f3-1ceaa975950a",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "494eda7e-ca5c-40d1-b8f3-1ceaa975950a"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.494eda7e-ca5c-40d1-b8f3-1ceaa97598d9.json

@@ -0,0 +1,21 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036",
+    "parameters": {
+      "retentionDays": {
+        "value": "[parameters('retentionDaysforSQLServerauditing')]"
+      },
+      "storageAccountsResourceGroup": {
+        "value": "[parameters('storageAccountsResourceGroupforSQLServerauditing')]"
+      }
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Deploy Auditing on SQL servers"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/494eda7e-ca5c-40d1-b8f3-1ceaa97598d9",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "494eda7e-ca5c-40d1-b8f3-1ceaa97598d9"
+}

samples/001-builtins/Canada-Federal-PBMM/artifact.494eda7e-ca5c-40d1-b8f3-1ceaa9759ca8.json

@@ -0,0 +1,21 @@
+{
+  "properties": {
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+    "parameters": {
+      "listOfAllowedLocations": {
+        "value": [
+        "canadacentral",
+        "canadaeast"
+        ]
+      }
+    },
+    "dependsOn": [
+
+    ],
+    "displayName": "Allowed locations"
+  },
+  "kind": "policyAssignment",
+  "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/494eda7e-ca5c-40d1-b8f3-1ceaa9759ca8",
+  "type": "Microsoft.Blueprint/blueprints/artifacts",
+  "name": "494eda7e-ca5c-40d1-b8f3-1ceaa9759ca8"
+}