From 4bd235a623a3983f09407f5caa298cf0bcc6bf95 Mon Sep 17 00:00:00 2001 
From: Alex Frankel Date: Tue, 30 Mar 2021 15:13:03 -0700 Subject: [PATCH] samples drop for spring 21 --- ....9360c414-c73d-4565-901b-107606917588.json | 51 + samples/001-builtins/ASB/blueprint.json | 322 ++++ .../ASBF/artifact.hub-security-center.json | 216 +++ .../artifact.hub-shared-network-bastion.json | 203 +++ .../artifact.hub-shared-network-firewall.json | 405 +++++ .../artifact.hub-shared-network-gateway.json | 255 +++ .../ASBF/artifact.hub-shared-network-nsg.json | 573 +++++++ .../artifact.hub-shared-network-vnet.json | 395 +++++ .../artifact.hub-shared-network-watcher.json | 67 + .../artifact.hub-shared-security-log.json | 1439 +++++++++++++++++ .../artifact.spoke-workload-network-vnet.json | 352 ++++ samples/001-builtins/ASBF/blueprint.json | 280 ++++ .../artifact.hub-security-center.json | 216 +++ .../artifact.hub-shared-network-bastion.json | 203 +++ .../artifact.hub-shared-network-firewall.json | 405 +++++ .../artifact.hub-shared-network-gateway.json | 255 +++ .../artifact.hub-shared-network-nsg.json | 573 +++++++ .../artifact.hub-shared-network-vnet.json | 385 +++++ .../artifact.hub-shared-network-watcher.json | 67 + .../artifact.hub-shared-security-log.json | 1429 ++++++++++++++++ .../artifact.spoke-workload-network-vnet.json | 342 ++++ samples/001-builtins/ASBF_Gov/blueprint.json | 280 ++++ ....9360c414-c73d-4565-901b-107606917588.json | 51 + samples/001-builtins/ASB_Gov/blueprint.json | 322 ++++ ....95a77cc6-3c46-4602-93b5-608962ae18fb.json | 18 + ....980566d2-be54-4883-a1bf-c019ee0940c3.json | 18 + ....cc6a9858-19d4-4ec7-a02c-3595fe553133.json | 192 +++ .../Australia-IRAP/blueprint.json | 729 +++++++++ ....07420a8e-b772-4d6a-a1f5-27bbb6ba1446.json | 2 +- ....0bf6c09a-e68c-4874-bf64-a568d4f5bc21.json | 212 ++- .../001-builtins/DOD_IL4_Gov/blueprint.json | 1200 +++++++++++--- ....d580751b-2c43-40ce-8e51-34dccadabaef.json | 288 ++++ .../001-builtins/DOD_IL5_Gov/blueprint.json | 1160 +++++++++++++ ....2b55d1eb-b82c-4c1a-89f9-de20d90e9f51.json | 2 +- 
.../caf-foundation/blueprint.json | 448 +++-- ...policy-costcenter-tag-from-rg--append.json | 18 + ....artifact-policy-costcenter-tag-to-rg.json | 21 + ...licy-enable-monitoring-securitycenter.json | 306 ++++ ...ifact-policy-location-resource--allow.json | 18 + ...policy-locations-resourcegroup--allow.json | 18 + ...rtifact-policy-networkwatcher--deploy.json | 16 + ....artifact-policy-resource-types--deny.json | 18 + ....artifact-policy-storageaccount--xfer.json | 16 + ...act-policy-storageaccount-skus--allow.json | 18 + ...tifact.artifact-policy-vm-skus--allow.json | 18 + ...t.artifact-template-keyvaults--deploy.json | 129 ++ ...rtifact-template-loganalytics--deploy.json | 157 ++ ...act-template-securitycenter--standard.json | 39 + .../caf-foundation_gov/blueprint.json | 415 +++++ ....4d752df6-ddaf-46ae-96fd-7cca6016988e.json | 2 +- ....6bdd6a3d-9fb0-445b-8a7f-effb6646a06a.json | 21 + .../cis_v1_1_0_Gov/blueprint.json | 58 + ....1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json | 2 +- ....1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json | 2 +- ....63b8d309-77f5-4913-a245-6f726f0b8b40.json | 2 +- ....4734ea99-47fc-41c5-a45f-a97d57562d2b.json | 2 +- ....8d253677-61e1-45c5-8b38-61689917c571.json | 107 +- samples/001-builtins/hipaa/blueprint.json | 653 ++++++-- ....369bc69f-4002-4cf2-9a84-ae0ac409faf2.json | 2 +- ....66c1cf59-dc16-4acf-8bf4-6e6ea347853d.json | 2 +- ....d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json | 2 +- samples/001-builtins/iso_27001/blueprint.json | 2 - ....d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json | 2 +- .../iso_27001_shared_services/blueprint.json | 2 - ....7c7cea7a-becd-41b9-8f8a-4414927c73e9.json | 51 + .../nist-sp-800-171-r2/blueprint.json | 244 +++ ....7c7cea7a-becd-41b9-8f8a-4414927c73e9.json | 51 + .../nist-sp-800-171-r2_Gov/blueprint.json | 244 +++ ....18e5b847-d4b8-44f6-846a-6698f1af9631.json | 2 +- ....18e5b847-d4b8-44f6-846a-6698f1af9631.json | 2 +- ....a1d69d60-3bc3-46eb-a05e-1abc7f7ef4ba.json | 2 +- ....0d9c470c-a152-4bb6-bb87-45007f6e67a0.json | 2 +- 
....97bc436a-1135-41b4-86ff-33e4c0dbe12b.json | 2 +- ....97bc436a-1135-41b4-86ff-33e4c0dbe12b.json | 2 +- 74 files changed, 15539 insertions(+), 486 deletions(-) create mode 100644 samples/001-builtins/ASB/artifact.9360c414-c73d-4565-901b-107606917588.json create mode 100644 samples/001-builtins/ASB/blueprint.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-security-center.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-network-bastion.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-network-firewall.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-network-gateway.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-network-nsg.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-network-vnet.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-network-watcher.json create mode 100644 samples/001-builtins/ASBF/artifact.hub-shared-security-log.json create mode 100644 samples/001-builtins/ASBF/artifact.spoke-workload-network-vnet.json create mode 100644 samples/001-builtins/ASBF/blueprint.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-security-center.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-bastion.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-firewall.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-gateway.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-nsg.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-vnet.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-watcher.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.hub-shared-security-log.json create mode 100644 samples/001-builtins/ASBF_Gov/artifact.spoke-workload-network-vnet.json create mode 100644 samples/001-builtins/ASBF_Gov/blueprint.json 
create mode 100644 samples/001-builtins/ASB_Gov/artifact.9360c414-c73d-4565-901b-107606917588.json create mode 100644 samples/001-builtins/ASB_Gov/blueprint.json create mode 100644 samples/001-builtins/Australia-IRAP/artifact.95a77cc6-3c46-4602-93b5-608962ae18fb.json create mode 100644 samples/001-builtins/Australia-IRAP/artifact.980566d2-be54-4883-a1bf-c019ee0940c3.json create mode 100644 samples/001-builtins/Australia-IRAP/artifact.cc6a9858-19d4-4ec7-a02c-3595fe553133.json create mode 100644 samples/001-builtins/Australia-IRAP/blueprint.json create mode 100644 samples/001-builtins/DOD_IL5_Gov/artifact.d580751b-2c43-40ce-8e51-34dccadabaef.json create mode 100644 samples/001-builtins/DOD_IL5_Gov/blueprint.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-from-rg--append.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-to-rg.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-enable-monitoring-securitycenter.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-location-resource--allow.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-locations-resourcegroup--allow.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-networkwatcher--deploy.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-resource-types--deny.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount--xfer.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount-skus--allow.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-vm-skus--allow.json create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-template-keyvaults--deploy.json create mode 100644 
samples/001-builtins/caf-foundation_gov/artifact.artifact-template-loganalytics--deploy.json
create mode 100644 samples/001-builtins/caf-foundation_gov/artifact.artifact-template-securitycenter--standard.json
create mode 100644 samples/001-builtins/caf-foundation_gov/blueprint.json
create mode 100644 samples/001-builtins/cis_v1_1_0_Gov/artifact.6bdd6a3d-9fb0-445b-8a7f-effb6646a06a.json
create mode 100644 samples/001-builtins/cis_v1_1_0_Gov/blueprint.json
create mode 100644 samples/001-builtins/nist-sp-800-171-r2/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json
create mode 100644 samples/001-builtins/nist-sp-800-171-r2/blueprint.json
create mode 100644 samples/001-builtins/nist-sp-800-171-r2_Gov/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json
create mode 100644 samples/001-builtins/nist-sp-800-171-r2_Gov/blueprint.json
diff --git a/samples/001-builtins/ASB/artifact.9360c414-c73d-4565-901b-107606917588.json b/samples/001-builtins/ASB/artifact.9360c414-c73d-4565-901b-107606917588.json
new file mode 100644
index 0000000..cc9754f
--- /dev/null
+++ b/samples/001-builtins/ASB/artifact.9360c414-c73d-4565-901b-107606917588.json
@@ -0,0 +1,51 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92",
+ "parameters": {
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+ "value": "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
+ },
+ "listOfOnlyMembersInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('listOfOnlyMembersInWindowsVMAdministratorsGroup')]"
+ },
+ "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
+ "value": "[parameters('listOfRegionsWhereNetworkWatcherShouldBeEnabled')]"
+ },
+ "approvedVirtualNetworkForVMs": {
+ "value": "[parameters('approvedVirtualNetworkForVMs')]"
+ },
+ "approvedNetworkGatewayforVirtualNetworks": {
+ "value": "[parameters('approvedNetworkGatewayforVirtualNetworks')]"
+ },
+ "listOfWorkspaceIDsForLogAnalyticsAgent": {
+ "value": "[parameters('listOfWorkspaceIDsForLogAnalyticsAgent')]"
+ },
+ "listOfResourceTypesWithDiagnosticLogsEnabled": {
+ "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
+ },
+ "PHPLatestVersion": {
+ "value": "[parameters('PHPLatestVersion')]"
+ },
+ "JavaLatestVersion": {
+ "value": "[parameters('JavaLatestVersion')]"
+ },
+ "WindowsPythonLatestVersion": {
+ "value": "[parameters('WindowsPythonLatestVersion')]"
+ },
+ "LinuxPythonLatestVersion": {
+ "value": "[parameters('LinuxPythonLatestVersion')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Azure Security Benchmark"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASB/artifacts/9360c414-c73d-4565-901b-107606917588",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "9360c414-c73d-4565-901b-107606917588"
+}
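Review bot: The empty `dependsOn` array is written with a blank line inside (`"dependsOn": [`, an empty line, `],`), which differs from the `"dependsOn": []` and `"outputs": {}` form the ASBF artifacts later in this patch use; the ASB blueprint.json hunk repeats the pattern for every empty `allowedValues` and for `resourceGroups`. Normalising to `"dependsOn": []` keeps the sample files consistent and stops any tool that re-serialises them from producing spurious diffs. A strict parser accepts both forms, so this is style only.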
diff --git a/samples/001-builtins/ASB/blueprint.json b/samples/001-builtins/ASB/blueprint.json
new file mode 100644
index 0000000..625cda3
--- /dev/null
+++ b/samples/001-builtins/ASB/blueprint.json
@@ -0,0 +1,322 @@
+{
+ "properties": {
+ "parameters": {
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users excluded from Windows VM Administrators group",
+ "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users that must be included in Windows VM Administrators group",
+ "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfOnlyMembersInWindowsVMAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users that Windows VM Administrators group must *only* include",
+ "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of regions where Network Watcher should be enabled",
+ "description": "To see a complete list of regions use Get-AzLocation",
+ "strongType": "location"
+ },
+ "defaultValue": [
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "eastasia",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "francesouth",
+ "germanynorth",
+ "germanywestcentral",
+ "global",
+ "japaneast",
+ "japanwest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "norwaywest",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southeastasia",
+ "southindia",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2"
+ ],
+ "allowedValues": [
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "eastasia",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "francesouth",
+ "germanynorth",
+ "germanywestcentral",
+ "global",
+ "japaneast",
+ "japanwest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "norwaywest",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southeastasia",
+ "southindia",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2"
+ ]
+ },
+ "approvedVirtualNetworkForVMs": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Virtual network where VMs should be connected",
+ "description": "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name",
+ "strongType": "Microsoft.Network/virtualNetworks"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "approvedNetworkGatewayforVirtualNetworks": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Network gateway that virtual networks should use",
+ "description": "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name",
+ "strongType": "Microsoft.Network/virtualNetworkGateways"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfWorkspaceIDsForLogAnalyticsAgent": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of workspace IDs where Log Analytics agents should connect",
+ "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfResourceTypesWithDiagnosticLogsEnabled": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of resource types that should have diagnostic logs enabled",
+ "description": "Audit diagnostic setting for selected resource types"
+ },
+ "defaultValue": [
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
+ ],
+ "allowedValues": [
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
+ ]
+ },
+ "PHPLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest PHP version",
+ "description": "Latest supported PHP version for App Services"
+ },
+ "defaultValue": "7.3",
+ "allowedValues": [
+
+ ]
+ },
+ "JavaLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Java version",
+ "description": "Latest supported Java version for App Services"
+ },
+ "defaultValue": "11",
+ "allowedValues": [
+
+ ]
+ },
+ "WindowsPythonLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Windows Python version",
+ "description": "Latest supported Python version for App Services"
+ },
+ "defaultValue": "3.6",
+ "allowedValues": [
+
+ ]
+ },
+ "LinuxPythonLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Linux Python version",
+ "description": "Latest supported Python version for App Services"
+ },
+ "defaultValue": "3.8",
+ "allowedValues": [
+
+ ]
+ }
+ },
+ "resourceGroups": {
+
+ },
+ "targetScope": "subscription",
+ "status": {
+ "timeCreated": "2020-04-15T07:47:59+00:00",
+ "lastModified": "2020-04-15T07:47:59.3837912+00:00"
+ },
+ "displayName": "Azure Security Benchmark",
+ "description": "Assigns policies to address specific recommendations from the Azure Security Benchmark."
+ },
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASB",
+ "type": "Microsoft.Blueprint/blueprints",
+ "name": "ASB"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF/artifact.hub-security-center.json b/samples/001-builtins/ASBF/artifact.hub-security-center.json
new file mode 100644
index 0000000..a2e53c1
--- /dev/null
+++ b/samples/001-builtins/ASBF/artifact.hub-security-center.json
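Review bot: The four `*LatestVersion` parameters pin fixed runtime versions (`"defaultValue": "7.3"`, `"11"`, `"3.6"`, `"3.8"`) while their metadata describes each as the "Latest supported ... version for App Services"; a sample that ships these defaults will keep auditing App Services against whatever was current when the blueprint was exported, so once newer releases ship or the pinned ones leave support the assignment quietly stops enforcing what the description promises. The description should make the maintenance obligation explicit, e.g. `"description": "Latest supported PHP version for App Services; review this default at assignment time and raise it when a newer supported version is released"`, and the same wording applies to the Java and both Python parameters. Also, `status.timeCreated` is written without fractional seconds while `lastModified` carries them; these are presumably service-generated, but a sample that is hand-edited should keep one precision for both.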
@@ -0,0 +1,216 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.1",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]",
+ "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]",
+ "oms-workspace-subscription-id": "[subscription().subscriptionId]",
+ "pricing": "Standard"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "service",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "storageAccountId": "[concat('/subscriptions/', variables('oms-workspace-subscription-id'), '/resourceGroups/', variables('oms-workspace-resource-group'), '/providers/Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[concat('/subscriptions/', variables('oms-workspace-subscription-id'), '/resourceGroups/', variables('oms-workspace-resource-group'), '/providers/Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Alert",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Policy",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Security",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2017-08-01-preview",
+ "name": "default",
+ "condition": "[parameters('deployHub')]",
+ "tags": {
+ "tagName": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "StorageAccounts",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/default')]"
+ ],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "SqlServers",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/StorageAccounts')]"
+ ],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "VirtualMachines",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/SqlServers')]"
+ ],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log"
+ ],
+ "displayName": "Azure Security Center template",
+ "description": "Azure Security Center template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-security-center",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-security-center"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-network-bastion.json b/samples/001-builtins/ASBF/artifact.hub-shared-network-bastion.json
new file mode 100644
index 0000000..102ec28
--- /dev/null
+++ b/samples/001-builtins/ASBF/artifact.hub-shared-network-bastion.json
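Review bot: Only four `Microsoft.Security/pricings` resources are set to `Standard` here (`default`, `StorageAccounts`, `SqlServers`, `VirtualMachines`); the `2018-06-01` API also exposes per-resource-type plans such as `AppServices`, `KeyVaults` and `KubernetesService`, which this template leaves at whatever tier the subscription already has, so the artifact `description` of "Azure Security Center template." overstates what is enforced. If the narrower set is intentional, say so where an assigner will read it, e.g. `"description": "Enables the Security Center Standard tier for storage accounts, SQL servers and virtual machines and routes all Activity Log categories to the shared workspace and diagnostic storage account."`. Separately, the `default` pricing resource uses the older `2017-08-01-preview` apiVersion and tags itself with `"tagName": "hub-security-center"` while every other resource in the file uses `"component": "hub-security-center"`; aligning the tag key keeps tag-based inventory and cost filtering consistent across the hub.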
@@ -0,0 +1,203 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {
+ "location": "[resourceGroup().location]",
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]",
+ "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]",
+ "vnet-resource-group": "[concat(variables('deployment-prefix'), '-rg')]",
+ "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]",
+ "bastion-subnet-id": "[concat(resourceId(variables('vnet-resource-group'), 'Microsoft.Network/virtualNetworks', variables('vnet-name')) , '/subnets/AzureBastionSubnet')]",
+ "bastion-ip-name": "[concat(variables('deployment-prefix'), '-bastion-ip')]",
+ "bastion-ip-id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastion-ip-name'))]",
+ "bastion-name": "[concat(variables('deployment-prefix'), '-bastion')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2019-11-01",
+ "name": "[variables('bastion-ip-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv4"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('bastion-ip-name'), '/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('bastion-ip-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "DDoSProtectionNotifications",
+ "enabled": true
+ },
+ {
+ "category": "DDoSMitigationFlowLogs",
+ "enabled": true
+ },
+ {
+ "category": "DDoSMitigationReports",
+ "enabled": true
+ }
+ ],
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('bastion-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('bastion-ip-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "dnsName": "bst-10f100c2-b1c6-4110-93f8-41a2947e4c35.bastion.azure.com",
+ "ipConfigurations": [
+ {
+ "name": "IpConf",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "publicIPAddress": {
+ "id": "[variables('bastion-ip-id')]"
+ },
+ "subnet": {
+ "id": "[variables('bastion-subnet-id')]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('bastion-name'), '/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('bastion-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "BastionAuditLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log",
+ "hub-shared-network-nsg",
+ "hub-shared-network-vnet"
+ ],
+ "resourceGroup": "HubResourceGroup",
+ "displayName": "Azure Bastion Host template",
+ "description": "Azure Bastion Host template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-network-bastion",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-network-bastion"
+}
diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-network-firewall.json b/samples/001-builtins/ASBF/artifact.hub-shared-network-firewall.json
new file mode 100644
index 0000000..62d303e
--- /dev/null
+++ b/samples/001-builtins/ASBF/artifact.hub-shared-network-firewall.json
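Review bot: The `Microsoft.Network/bastionHosts` resource carries a hard-coded `"dnsName": "bst-10f100c2-b1c6-4110-93f8-41a2947e4c35.bastion.azure.com"`, which appears to be a service-assigned value captured from one specific export rather than something a reusable sample should set; every subscription deploying this blueprint would submit the same name, and it leaks an identifier from the source deployment into a public sample while every other name in the file is derived from `deployment-prefix`. Remove the `dnsName` line and let the service assign the endpoint. Separately, the public IP diagnostic setting enables the three DDoS log categories without a `retentionPolicy`, whereas the `AllMetrics` entry and the `BastionAuditLogs` entry in the same file carry `"retentionPolicy": { "enabled": true, "days": "[parameters('logsRetentionInDays')]" }`; if the omission is deliberate it belongs in the artifact description, otherwise the DDoS logs should get the same policy so retention honours the `logsRetentionInDays` parameter uniformly.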
@@ -0,0 +1,405 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "azureFirewallPrivateIP": { + "type": "string", + "defaultValue": "10.0.0.4", + "metadata": { + "displayName": "Azure Firewall private IP address", + "description": "Azure Firewall private IP address." + } + }, + "destinationAddresses": { + "type": "string", + "metadata": { + "displayName": "Destination IP addresses", + "description": "Destination IP addresses for outbound connectivity; comma-separated list of IP addresses or IP range prefixes." + }, + "defaultValue": "0.0.0.0" + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "vnet-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]", + "azure-fw-subnet-id": "[concat(resourceId(variables('vnet-resource-group'), 'Microsoft.Network/virtualNetworks', variables('vnet-name')) , '/subnets/AzureFirewallSubnet')]", + "azure-fw-ip-name": "[concat(variables('deployment-prefix'), '-az-fw-ip')]", + "azure-fw-ip-id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('azure-fw-ip-name'))]", + "azure-fw-name": "[concat(variables('deployment-prefix'), '-az-fw')]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "shared-user-defined-routes": { + "name": "default", + "routes": [ + { + "name": "default", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopIpAddress": "[parameters('azureFirewallPrivateIP')]", + "nextHopType": "VirtualAppliance" + } + } + ] + }, + "default-ip": "0.0.0.0" + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2019-11-01", + "name": "[variables('azure-fw-ip-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "sku": { + "name": "Standard" + }, + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "publicIPAllocationMethod": "Static", + 
"publicIPAddressVersion": "IPv4" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('azure-fw-ip-name'), '/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('azure-fw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationReports", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Network/azureFirewalls", + "apiVersion": "2019-11-01", + "name": "[variables('azure-fw-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('azure-fw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "ipConfigurations": [ + { + "name": "IpConf", + "properties": { + "subnet": { + "id": "[variables('azure-fw-subnet-id')]" + }, + "publicIPAddress": { + "id": 
"[variables('azure-fw-ip-id')]" + } + } + } + ], + "applicationRuleCollections": [], + "natRuleCollections": [ + { + "name": "RdpDnat", + "properties": { + "priority": 3000, + "action": { + "type": "Dnat" + }, + "rules": [ + { + "name": "rdp", + "protocols": [ + "TCP" + ], + "translatedAddress": "[variables('default-ip')]", + "translatedPort": "3389", + "sourceAddresses": [ + "[variables('default-ip')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('azure-fw-ip-name'))).ipAddress]" + ], + "destinationPorts": [ + "3389" + ] + } + ] + } + } + ], + "networkRuleCollections": [ + { + "name": "AllowAzureCloud", + "properties": { + "priority": 3000, + "action": { + "type": "Allow" + }, + "rules": [ + { + "name": "azure-cloud", + "protocols": [ + "TCP" + ], + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [ + "AzureCloud" + ], + "sourceIpGroups": [], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "443" + ] + } + ] + } + }, + { + "name": "AllowIPAddresses", + "properties": { + "priority": 3050, + "action": { + "type": "Allow" + }, + "rules": [ + { + "name": "ip-addresses", + "protocols": [ + "TCP" + ], + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [ + "[parameters('destinationAddresses')]" + ], + "sourceIpGroups": [], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "443" + ] + } + ] + } + } + ] + } + }, + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticsettings", + "name": "[concat(variables('azure-fw-name'), '/Microsoft.Insights/service')]", + "apiVersion": "2017-05-01-preview", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('azure-fw-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 
'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "nested.configure.default-udr", + "condition": "[parameters('deployHub')]", + "resourceGroup": "[variables('vnet-resource-group')]", + "dependsOn": [ + "[variables('azure-fw-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2019-09-01", + "location": "[resourceGroup().location]", + "name": "[concat(variables('deployment-prefix'), '-', variables('shared-user-defined-routes').name, '-udr')]", + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "routes": "[variables('shared-user-defined-routes').routes]", + "disableBgpRoutePropagation": true + } + } + ] + }, + "parameters": {} + } + } + ], + "outputs": {} + }, + 
"parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "azureFirewallPrivateIP": { + "value": "[parameters('hub-shared-network-firewall_azureFirewallPrivateIP')]" + }, + "destinationAddresses": { + "value": "[parameters('destinationAddresses')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-nsg", + "hub-shared-network-vnet" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure Firewall template", + "description": "Azure Firewall template." + }, + "kind": "template", + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-network-firewall", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "hub-shared-network-firewall" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-network-gateway.json b/samples/001-builtins/ASBF/artifact.hub-shared-network-gateway.json new file mode 100644 index 0000000..5121acf --- /dev/null +++ b/samples/001-builtins/ASBF/artifact.hub-shared-network-gateway.json 
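Review bot: The `destinationAddresses` parameter is declared as a `string` whose description promises a comma-separated list, but the `AllowIPAddresses` network rule places it as a single element of `destinationAddresses`, so a multi-entry value reaches the firewall as one literal (illustrative: `"10.1.0.0/16,10.2.0.0/16"`) rather than two prefixes; use `"destinationAddresses": "[split(parameters('destinationAddresses'), ',')]"` and keep the blueprint-level parameter as is. The NSG artifact in this commit has the same mismatch, where the value feeds the scalar `destinationAddressPrefix`; there the split result belongs in `destinationAddressPrefixes` instead. Separately, the `RdpDnat` collection publishes TCP 3389 on the firewall's public IP with `translatedAddress` and `sourceAddresses` both set to the `default-ip` placeholder `0.0.0.0`; as written it matches nothing, but it is a live DNAT entry in a security-baseline sample and the obvious "fix" of widening the source would expose RDP, so either drop the collection or say in the artifact description that the rule is a placeholder to be scoped per deployment. The firewall diagnostic resource type is also spelled `diagnosticsettings` while every other resource uses `diagnosticSettings`; ARM appears to accept both, but aligning it avoids a false diff later.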
@@ -0,0 +1,255 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "vnet-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]", + "vpn-gw-subnet-id": "[concat(resourceId(variables('vnet-resource-group'), 'Microsoft.Network/virtualNetworks', variables('vnet-name')) , '/subnets/GatewaySubnet')]", + "vpn-gw-ip-name": "[concat(variables('deployment-prefix'), '-vpn-gw-ip')]", + "vpn-gw-ip-id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('vpn-gw-ip-name'))]", + "vpn-gw-name": "[concat(variables('deployment-prefix'), '-vpn-gw')]" + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2019-11-01", + "name": "[variables('vpn-gw-ip-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "sku": { + "name": "Basic" + }, + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "publicIPAllocationMethod": "Dynamic", + "publicIPAddressVersion": "IPv4" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('vpn-gw-ip-name'), '/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[variables('vpn-gw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true + }, + { + "category": "DDoSMitigationReports", + "enabled": true + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworkGateways", + "apiVersion": "2020-05-01", + "name": "[variables('vpn-gw-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('vpn-gw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "enablePrivateIpAddress": false, + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[variables('vpn-gw-ip-id')]" + }, + "subnet": { + "id": "[variables('vpn-gw-subnet-id')]" + } + } + } + ], + "sku": { + "name": "VpnGw2", + "tier": "VpnGw2" + }, + "gatewayType": "Vpn", + "vpnType": "RouteBased", + "enableBgp": false, + "activeActive": false, + "vpnGatewayGeneration": "Generation2" + } + }, + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('vpn-gw-name'), '/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[variables('vpn-gw-name')]" + ], + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "TunnelDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "RouteDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "IKEDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "P2SDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-nsg", + "hub-shared-network-vnet" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure VPN Gateway template", + "description": 
"Azure VPN Gateway template." + }, + "kind": "template", + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-network-gateway", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "hub-shared-network-gateway" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-network-nsg.json b/samples/001-builtins/ASBF/artifact.hub-shared-network-nsg.json new file mode 100644 index 0000000..31afe22 --- /dev/null +++ b/samples/001-builtins/ASBF/artifact.hub-shared-network-nsg.json 
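Review bot: The three DDoS log categories in the public-IP `diagnosticSettings` resource carry no `retentionPolicy`, so `logsRetentionInDays` is never applied to them once they land in the diagnostic storage account, whereas the same categories in the firewall artifact of this commit carry `"retentionPolicy": { "enabled": true, "days": "[parameters('logsRetentionInDays')]" }`; add that block to each of the three entries (the `metrics` entry already has it). The gateway's own `diagnosticSettings` resource is consistent, and the bastion artifact's public-IP setting, which begins before this excerpt, looks like it shares the gap. Beyond that, `enableBgp`, `activeActive` and `enablePrivateIpAddress` are all explicitly false, which is fine for a sample, but the artifact `description` is only `"Azure VPN Gateway template."`; one sentence stating that it deploys a single-instance, route-based VpnGw2 gateway with a Basic-SKU public IP would spare readers the SKU block.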
@@ -0,0 +1,573 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "enableNsgFlowLogs": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Enable NSG flow logs", + "description": "Enter 'true' or 'false' to enable or disable NSG flow logs." + } + }, + "networkWatcherName": { + "defaultValue": "[concat('NetworkWatcher_', resourceGroup().location)]", + "type": "string", + "metadata": { + "displayName": "Network Watcher name", + "description": "Name for the Network Watcher resource." + } + }, + "networkWatcherResourceGroup": { + "defaultValue": "NetworkWatcherRG", + "type": "string", + "metadata": { + "displayName": "Network Watcher resource group name", + "description": "Name for the Network Watcher resource group." + } + }, + "destinationAddresses": { + "type": "string", + "metadata": { + "displayName": "Destination IP addresses", + "description": "Destination IP addresses for outbound connectivity; comma-separated list of IP addresses or IP range prefixes." + }, + "defaultValue": "0.0.0.0" + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." 
+ } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." + } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "oms-workspace-resourceGroup": "[concat(variables('deployment-prefix'), '-rg')]", + "application-security-groups": [ + { + "name": "management" + }, + { + "name": "jump-box" + }, + { + "name": "workload" + } + ], + "network-security-groups": [ + { + "name": "default-deny", + "rules": [ + { + "name": "DenyVnetInBound", + "properties": { + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Deny", + "priority": 4000, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "DenyAllOutBound", + "properties": { + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 4000, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + }, + { + 
"name": "management-subnet", + "rules": [ + { + "name": "AllowJumpBoxInBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "access": "Allow", + "priority": 3050, + "direction": "Inbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "sourceApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-jump-box-asg'))]" + } + ], + "destinationApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-management-asg'))]" + } + ] + } + }, + { + "name": "AllowAzureCloudOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-management-asg'))]" + } + ], + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 3600, + "direction": "Outbound" + } + }, + { + "name": "AllowIPAddressesOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "[parameters('destinationAddresses')]", + "access": "Allow", + "priority": 3650, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + }, + { + "name": "jump-box-subnet", + "rules": [ + { + "name": "AllowVnetInbound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "sourceAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 3050, + "direction": "Inbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "destinationApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), 
'-jump-box-asg'))]" + } + ] + } + }, + { + "name": "AllowVnetOutboundRestricted", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "access": "Allow", + "priority": 3551, + "direction": "Outbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "sourceApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-jump-box-asg'))]" + } + ], + "destinationAddressPrefix": "VirtualNetwork" + } + }, + { + "name": "AllowAzureCloudOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 3600, + "direction": "Outbound" + } + }, + { + "name": "AllowIPAddressesOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "[parameters('destinationAddresses')]", + "access": "Allow", + "priority": 3650, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + }, + { + "name": "workload-subnet", + "rules": [ + { + "name": "AllowJumpBoxInBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "access": "Allow", + "priority": 3050, + "direction": "Inbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "sourceAddressPrefix": "VirtualNetwork", + "destinationApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-workload-asg'))]" + } + ] + } + }, + { + "name": "AllowAzureCloudOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceApplicationSecurityGroups": [ + { + "id": 
"[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-workload-asg'))]" + } + ], + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 3600, + "direction": "Outbound" + } + }, + { + "name": "AllowIPAddressesOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "[parameters('destinationAddresses')]", + "access": "Allow", + "priority": 3650, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/applicationSecurityGroups", + "apiVersion": "2019-09-01", + "name": "[concat(variables('deployment-prefix'), '-', variables('application-security-groups')[copyIndex('asgLoop')].name, '-asg')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "copy": { + "count": "[length(variables('application-security-groups'))]", + "name": "asgLoop" + }, + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": {} + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-09-01", + "name": "[concat(variables('deployment-prefix'), '-', variables('network-security-groups')[copyIndex()].name, '-nsg')]", + "location": "[resourceGroup().location]", + "condition": "[parameters('deployHub')]", + "copy": { + "count": "[length(variables('network-security-groups'))]", + "name": "nsgLoop" + }, + "dependsOn": [ + "asgLoop" + ], + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "securityRules": "[concat(if(equals(copyIndex('nsgLoop'), 0), json('[]'), variables('network-security-groups')[0].rules), variables('network-security-groups')[copyIndex('nsgLoop')].rules)]" + }, + "resources": [] + }, + { + "type": 
"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('deployment-prefix'), '-', variables('network-security-groups')[copyIndex()].name, '-nsg','/Microsoft.Insights/setbypolicy')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "copy": { + "count": "[length(variables('network-security-groups'))]", + "name": "nsgDiagnosticLoop" + }, + "dependsOn": [ + "nsgLoop" + ], + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('nested.configure.nsg-flow-logs-', variables('network-security-groups')[copyIndex('nsgFlowLogsLoop')].name, '-nsg')]", + "condition": "[and(parameters('deployHub'), parameters('enableNsgFlowLogs'))]", + "copy": { + "count": "[length(variables('network-security-groups'))]", + "name": "nsgFlowLogsLoop" + }, + "dependsOn": [ + "nsgDiagnosticLoop" + ], + "resourceGroup": "[parameters('networkWatcherResourceGroup')]", + "subscriptionId": "[subscription().subscriptionId]", + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "string" + }, + "deploymentPrefix": { + "type": "string" + }, + "nsgResourceGroup": { + "type": "string" + }, + "nsgResourceGroupLocation": { + "type": "string" + }, + "omsWorkspaceResourceGroup": { + "type": "string" + }, + "omsWorkspaceName": { + "type": "string" + }, + "diagnosticStorageAccountName": { + "type": "string" + }, + "networkWatcherName": { + "type": "string" + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention in days", + "description": "Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2019-11-01", + "name": "[concat(parameters('networkWatcherName'),'/', parameters('networkSecurityGroupName'), '-flow')]", + "location": "[parameters('nsgResourceGroupLocation')]", + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "targetResourceId": "[resourceId(parameters('nsgResourceGroup'),'Microsoft.Network/networkSecurityGroups', concat(parameters('deploymentPrefix'), '-', parameters('networkSecurityGroupName'), '-nsg'))]", + "storageId": "[resourceId(parameters('omsWorkspaceResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('logsRetentionInDays')]", + "enabled": true + }, + "format": { + "type": "JSON", + "version": 2 + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": true, + "workspaceResourceId": "[resourceId(parameters('omsWorkspaceResourceGroup'), 'Microsoft.OperationalInsights/workspaces', 
parameters('omsWorkspaceName'))]", + "trafficAnalyticsInterval": 60 + } + } + } + } + ] + }, + "parameters": { + "networkSecurityGroupName": { + "value": "[variables('network-security-groups')[copyIndex('nsgFlowLogsLoop')].name]" + }, + "deploymentPrefix": { + "value": "[variables('deployment-prefix')]" + }, + "nsgResourceGroup": { + "value": "[resourceGroup().name]" + }, + "nsgResourceGroupLocation": { + "value": "[variables('location')]" + }, + "omsWorkspaceResourceGroup": { + "value": "[variables('oms-workspace-resourceGroup')]" + }, + "omsWorkspaceName": { + "value": "[variables('oms-workspace-name')]" + }, + "diagnosticStorageAccountName": { + "value": "[variables('diagnostic-storage-account-name')]" + }, + "networkWatcherName": { + "value": "[parameters('networkWatcherName')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + } + } + } + } + ], + "outputs": {} + }, + "parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "enableNsgFlowLogs": { + "value": "[parameters('hub-shared-network-nsg_enableNsgFlowLogs')]" + }, + "networkWatcherName" : { + "value": "[parameters('networkWatcherName')]" + }, + "networkWatcherResourceGroup" : { + "value": "[parameters('networkWatcherResourceGroup')]" + }, + "destinationAddresses": { + "value": "[parameters('destinationAddresses')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-watcher" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure Network Security Group template", + "description": "Azure Network Security Group template." 
+ }, + "kind": "template", + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-network-nsg", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "hub-shared-network-nsg" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-network-vnet.json b/samples/001-builtins/ASBF/artifact.hub-shared-network-vnet.json new file mode 100644 index 0000000..5359c2b --- /dev/null +++ b/samples/001-builtins/ASBF/artifact.hub-shared-network-vnet.json 
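Review bot: In the `workload-subnet` rule set, `AllowJumpBoxInBound` opens TCP 3389/22 to the workload ASG from `"sourceAddressPrefix": "VirtualNetwork"`, which admits every address in the VNet (including peered networks the tag covers), not only jump boxes; the `management-subnet` rule of the same name scopes the source with `"sourceApplicationSecurityGroups": [{"id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-jump-box-asg'))]"}]`, and the workload rule should use that source in place of the prefix so the name and the effect agree. The `management-subnet` `AllowIPAddressesOutBound` rule likewise uses `VirtualNetwork` as source while its sibling `AllowAzureCloudOutBound` is scoped to the management ASG. On style, the variable is `oms-workspace-resourceGroup` here but `oms-workspace-resource-group` in the firewall and gateway artifacts, and the `"networkWatcherName" :` and `"networkWatcherResourceGroup" :` entries carry a space before the colon. The NSG diagnostic setting is named `Microsoft.Insights/setbypolicy`; if an Azure Policy deployIfNotExists in the target environment also writes a setting under that name the two will overwrite each other, so a distinct name, or a line in the artifact description explaining the choice, is worth considering.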
@@ -0,0 +1,395 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "displayName": "Virtual network address prefix", + "description": "Virtual network address prefix for hub virtual network." + } + }, + "azureFirewallSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/26", + "metadata": { + "displayName": "Firewall subnet address prefix", + "description": "Firewall subnet address prefix for hub virtual network." + } + }, + "bastionSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.1.0/27", + "metadata": { + "displayName": "Bastion subnet address prefix", + "description": "Bastion subnet address prefix for hub virtual network." + } + }, + "gatewaySubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.2.0/24", + "metadata": { + "displayName": "Gateway subnet address prefix", + "description": "Gateway subnet address prefix for hub virtual network." + } + }, + "managementSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.3.0/24", + "metadata": { + "displayName": "Management subnet address prefix", + "description": "Management subnet address prefix for hub virtual network." + } + }, + "jumpBoxSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.4.0/24", + "metadata": { + "displayName": "Jump box subnet address prefix", + "description": "Jump box subnet address prefix for hub virtual network." 
+ } + }, + "optionalSubnetNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address names (optional)", + "description": "Array of subnet names to deploy to the hub virtual network; for example, \"subnet1\",\"subnet2\"." + } + }, + "optionalSubnetPrefixes": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address prefixes (optional)", + "description": "Array of IP address prefixes for optional subnets for hub virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"." + } + }, + "enableDdosProtection": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Enable DDoS protection", + "description": "Enter 'true' or 'false' to specify whether or not DDoS Protection is enabled in the virtual network." + } + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]", + "private-endpoint-name": "[concat(variables('deployment-prefix'), '-pe')]", + "ddos-protection-plan-name": "[concat(variables('deployment-prefix'), '-ddos-plan')]", + "ddos-protection-plan-id": { + "id": "[resourceId('Microsoft.Network/ddosProtectionPlans', variables('ddos-protection-plan-name'))]" + }, + "user-defined-routes": [ + { + "name": "default", + "routes": [] + } + ], + "static-subnets": [ + { + "name": "AzureFirewallSubnet", + "address-prefix": "[parameters('azureFirewallSubnetAddressPrefix')]", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "AzureBastionSubnet", + "address-prefix": "[parameters('bastionSubnetAddressPrefix')]", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "GatewaySubnet", + "address-prefix": "[parameters('gatewaySubnetAddressPrefix')]", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [ + { + "service": "Microsoft.AzureCosmosDB" + }, + { + "service": "Microsoft.CognitiveServices" + }, + { + "service": "Microsoft.ContainerRegistry" + }, + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.KeyVault" + }, + { + "service": "Microsoft.ServiceBus" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + } + ] + }, + { + "name": "management-subnet", + "address-prefix": "[parameters('managementSubnetAddressPrefix')]", + "network-security-group": "management-subnet", + "user-defined-route": "default", + "service-endpoints": [] + }, + { + "name": "jump-box-subnet", + "address-prefix": "[parameters('jumpBoxSubnetAddressPrefix')]", + "network-security-group": "jump-box-subnet", + "user-defined-route": "default", + "service-endpoints": [] + } + ], + "copy": [ + { + 
"name": "optional-subnets", + "count": "[length(parameters('optionalSubnetNames'))]", + "input": { + "name": "[parameters('optionalSubnetNames')[copyIndex('optional-subnets')]]", + "address-prefix": "[parameters('optionalSubnetPrefixes')[copyIndex('optional-subnets')]]", + "user-defined-route": "default", + "network-security-group": "default-deny", + "service-endpoints": [] + } + } + ], + "location": "[resourceGroup().location]", + "subnets": "[union(variables('static-subnets'), variables('optional-subnets'))]", + "oms-workspace-resourceGroup": "[concat(variables('deployment-prefix'), '-rg')]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]" + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2019-09-01", + "name": "[concat(variables('deployment-prefix'), '-', variables('user-defined-routes')[copyIndex()].name, '-udr')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "tags": { + "component": "hub-shared-network-vnet" + }, + "copy": { + "count": "[length(variables('user-defined-routes'))]", + "name": "udrLoop" + }, + "properties": {} + }, + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-09-01", + "name": "[variables('ddos-protection-plan-name')]", + "location": "[variables('location')]", + "condition": "[and(parameters('deployHub'), parameters('enableDdosProtection'))]", + "tags": { + "component": "hub-shared-network-vnet" + }, + "properties": {} + }, + { + "apiVersion": "2019-09-01", + "type": "Microsoft.Network/virtualNetworks", + "name": 
"[variables('vnet-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "tags": { + "component": "hub-shared-network-vnet" + }, + "dependsOn": [ + "udrLoop", + "[variables('ddos-protection-plan-name')]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vnetAddressPrefix')]" + ] + }, + "enableDdosProtection": "[parameters('enableDdosProtection')]", + "ddosProtectionPlan": "[if(parameters('enableDdosProtection'), variables('ddos-protection-plan-id'), json('null'))]", + "copy": [ + { + "name": "subnets", + "count": "[length(variables('subnets'))]", + "input": { + "name": "[variables('subnets')[copyIndex('subnets')].name]", + "properties": { + "addressPrefix": "[variables('subnets')[copyIndex('subnets')]['address-prefix']]", + "networkSecurityGroup": "[if(equals(variables('subnets')[copyIndex('subnets')]['network-security-group'], ''), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['network-security-group'], '-nsg')), '\"}')))]", + "routeTable": "[if(equals(variables('subnets')[copyIndex('subnets')]['user-defined-route'], ''), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/routeTables', concat(variables('deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['user-defined-route'], '-udr')), '\"}')))]", + "serviceEndpoints": "[if(equals(length(variables('subnets')[copyIndex('subnets')]['service-endpoints']), 0), json('null'), variables('subnets')[copyIndex('subnets')]['service-endpoints'])]", + "privateEndpointNetworkPolicies": "[if(equals(variables('subnets')[copyIndex('subnets')].name, 'management-subnet'), 'Disabled', json('null'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-06-01", + "name": "[variables('private-endpoint-name')]", + "location": 
"[variables('location')]", + "dependsOn": [ + "[variables('vnet-name')]" + ], + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnet-name'), 'management-subnet')]" + }, + "privateLinkServiceConnections": [ + { + "name": "[variables('private-endpoint-name')]", + "properties": { + "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "groupIds": [ + "blob" + ] + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('vnet-name'),'/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('vnet-name')]" + ], + "tags": { + "component": "hub-shared-network-vnet" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "vnetAddressPrefix": { + "value": "[parameters('hub-shared-network-vnet_vnetAddressPrefix')]" + }, + "azureFirewallSubnetAddressPrefix": { + "value": "[parameters('hub-shared-network-vnet_azureFirewallSubnetAddressPrefix')]" + 
}, + "bastionSubnetAddressPrefix": { + "value": "[parameters('hub-shared-network-vnet_bastionSubnetAddressPrefix')]" + }, + "gatewaySubnetAddressPrefix": { + "value": "[parameters('hub-shared-network-vnet_gatewaySubnetAddressPrefix')]" + }, + "managementSubnetAddressPrefix": { + "value": "[parameters('hub-shared-network-vnet_managementSubnetAddressPrefix')]" + }, + "jumpBoxSubnetAddressPrefix": { + "value": "[parameters('hub-shared-network-vnet_jumpBoxSubnetAddressPrefix')]" + }, + "optionalSubnetNames": { + "value": "[parameters('hub-shared-network-vnet_optionalSubnetNames')]" + }, + "optionalSubnetPrefixes": { + "value": "[parameters('hub-shared-network-vnet_optionalSubnetPrefixes')]" + }, + "enableDdosProtection": { + "value": "[parameters('enableDdosProtection')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-nsg" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure Virtual Network hub template", + "description": "Azure Virtual Network hub template." + }, + "kind": "template", + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-network-vnet", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "hub-shared-network-vnet" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-network-watcher.json b/samples/001-builtins/ASBF/artifact.hub-shared-network-watcher.json new file mode 100644 index 0000000..90f08bd --- /dev/null +++ b/samples/001-builtins/ASBF/artifact.hub-shared-network-watcher.json 
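Review bot: The `Microsoft.Network/privateEndpoints` resource is the only resource in this template without `"condition": "[parameters('deployHub')]"` and without the `component` tag, yet its `subnet.id` points at `management-subnet` of the vnet that is created only when `deployHub` is true, so an assignment with `deployHub` set to false would still try to place the endpoint into a subnet that does not exist. Add `"condition": "[parameters('deployHub')]",` and the same `"tags": { "component": "hub-shared-network-vnet" }` block the sibling resources carry. Separately, `privateLinkServiceId` resolves the diagnostic storage account with a resource-group-less `resourceId(...)` (i.e. the artifact's own `HubResourceGroup`), while the diagnosticSettings resource below resolves the same account through `variables('oms-workspace-resourceGroup')`; unless those two groups coincide, one of the references is wrong — the `hub-shared-security-log` artifact that creates the account is in `dependsOn` but outside this hunk, so please confirm which group it deploys to and make both references agree.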
@@ -0,0 +1,67 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "networkWatcherName": {
+ "defaultValue": "[concat('NetworkWatcher_', parameters('networkWatcherLocation'))]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher name",
+ "description": "Name for the Network Watcher resource."
+ }
+ },
+ "networkWatcherLocation": {
+ "defaultValue": "[resourceGroup().location]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher location",
+ "description": "Location for the Network Watcher resource."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkWatchers",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('networkWatcherName')]",
+ "location": "[parameters('networkWatcherLocation')]",
+ "condition": "[parameters('deployHub')]",
+ "tags": {
+ "component": "hub-shared-network-vnet"
+ },
+ "properties": {}
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "networkWatcherName": {
+ "value": "[parameters('networkWatcherName')]"
+ },
+ "networkWatcherLocation": {
+ "value": "[parameters('networkWatcherLocation')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "resourceGroup": "NetworkWatcherResourceGroup",
+ "displayName": "Azure Network Watcher template",
+ "description": "Azure Network Watcher template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-network-watcher",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-network-watcher"
+}
\ No newline at end of file
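Review bot: The `tags.component` value on the `Microsoft.Network/networkWatchers` resource is `"hub-shared-network-vnet"`, although this artifact is `hub-shared-network-watcher`; every other artifact in this set tags its resources with its own name, so this reads as a copy-paste leftover that would mis-attribute the watcher in any tag-based inventory, ownership or cost query. Change it to `"component": "hub-shared-network-watcher"`. Note also that `networkWatcherName` defaults to `NetworkWatcher_<location>`, the name Azure gives the watcher it auto-creates per region; if one already exists in `NetworkWatcherResourceGroup` this deployment presumably updates it in place rather than creating a second one, which is worth a sentence in that parameter's `description` so assignees know the template may adopt an existing resource.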
diff --git a/samples/001-builtins/ASBF/artifact.hub-shared-security-log.json b/samples/001-builtins/ASBF/artifact.hub-shared-security-log.json
new file mode 100644
index 0000000..a2f6e58
--- /dev/null
+++ b/samples/001-builtins/ASBF/artifact.hub-shared-security-log.json
@@ -0,0 +1,1439 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "workspaceLocation": { + "type": "string", + "metadata": { + "displayName": "Log Analytics workspace location", + "description": "Location where Log Analytics workspace will be created; run `Get-AzLocation | Where-Object Providers -like 'Microsoft.OperationalInsights' | Select DisplayName` in Azure PowersShell to see available regions." + } + }, + "automationAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "Azure Automation account ID (optional)", + "description": "Automation account resource ID; used to create a linked service between Log Analytics and an Automation account." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "log-analytics-search-version": 1, + "solutions": [ + { + "name": "[concat('Updates', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "Updates" + }, + { + "name": "[concat('AzureAutomation', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "AzureAutomation" + }, + { + "name": "[concat('AntiMalware', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "AntiMalware" + }, + { + "name": "[concat('SQLAssessment', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "SQLAssessment" + }, + { + "name": "[concat('Security', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "Security" + }, + { + "name": "[concat('ChangeTracking', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "ChangeTracking" + }, + { + "name": "[concat('KeyVaultAnalytics', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "KeyVaultAnalytics" + }, + { + "name": "[concat('AzureSQLAnalytics', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "AzureSQLAnalytics" + }, + { + "name": "[concat('ServiceMap', '(', variables('oms-workspace-name'), ')')]", + "galleryName": "ServiceMap" + } + ] + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-03-01-preview", + "location": "[parameters('workspaceLocation')]", + "name": 
"[variables('oms-workspace-name')]", + "condition": "[parameters('deployHub')]", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "features": { + "searchVersion": "[variables('log-analytics-search-version')]" + }, + "sku": { + "name": "PerGB2018" + }, + "retentionInDays": "[parameters('logsRetentionInDays')]" + }, + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-03-01-preview", + "name": "VMSSQueries", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "etag": "*", + "DisplayName": "VMSS Instance Count", + "Category": "Security", + "Query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer" + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-03-01-preview", + "name": "AzureFirewallThreatDeny", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "etag": "*", + "DisplayName": "Azure Threat Deny", + "Category": "Security", + "Query": "AzureDiagnostics | where ResourceType == 'AZUREFIREWALLS' and msg_s contains 'Deny'" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "[subscription().subscriptionId]", + "location": "[parameters('workspaceLocation')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "AzureActivityLog", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]" + } + }, + { + "type": "datasources", + 
"apiVersion": "2020-03-01-preview", + "name": "applicationEvent", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsEvent", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "eventLogName": "Application", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "systemEvent", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsEvent", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "eventLogName": "System", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter1", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Processor Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter2", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Privileged Time" + } + }, + { + 
"type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter3", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% User Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter4", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processor Frequency" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter5", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Thread Count" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter6", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Handle Count" + } + }, + { + "type": "datasources", + 
"apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter7", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "System Up Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter8", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Context Switches/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter9", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processor Queue Length" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter10", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processes" + } + }, + { + "type": "datasources", + "apiVersion": 
"2020-03-01-preview", + "name": "windowsPerfCounter11", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Committed Bytes In Use" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter12", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available MBytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter13", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter14", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Committed Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + 
"name": "windowsPerfCounter15", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Cache Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter16", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Paged Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter17", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Nonpaged Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter18", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pages/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter19", + 
"condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Page Faults/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter20", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter21", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set - Private" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter22", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter23", + "condition": 
"[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "% Disk Read Time"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter24",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "% Disk Write Time"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter25",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "% Idle Time"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter26",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Disk Bytes/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter27",
+ "condition": 
"[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Disk Read Bytes/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter28",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Disk Write Bytes/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter29",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Disk Transfers/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter30",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Disk Reads/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter31",
+ "condition": 
"[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Disk Writes/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter32",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Avg. Disk sec/Transfer"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter33",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Avg. Disk sec/Read"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter34",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Avg. 
Disk sec/Write"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter35",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Avg. Disk Queue Length"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter36",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Avg. 
Disk Write Queue Length"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter37",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "% Free Space"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter38",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Free Megabytes"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter39",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Bytes Total/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter40",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": 
"Bytes Sent/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter41",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Bytes Received/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter42",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter43",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Sent/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter44",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ 
"counterName": "Packets Received/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter45",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Outbound Errors"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter46",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Received Errors"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleIISLog1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "IISLogs",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "state": "OnPremiseEnabled"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleSyslog1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxSyslog",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "syslogName": "kern",
+ "syslogSeverities": [
+ {
+ "severity": "emerg"
+ },
+ {
+ "severity": "alert"
+ },
+ {
+ "severity": "crit"
+ },
+ {
+ "severity": "err"
+ },
+ {
+ "severity": 
"warning"
+ }
+ ]
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleSyslogCollection1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxSyslogCollection",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "state": "Enabled"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleLinuxPerf1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxPerformanceObject",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "performanceCounters": [
+ {
+ "counterName": "% Used Inodes"
+ },
+ {
+ "counterName": "Free Megabytes"
+ },
+ {
+ "counterName": "% Used Space"
+ },
+ {
+ "counterName": "Disk Transfers/sec"
+ },
+ {
+ "counterName": "Disk Reads/sec"
+ },
+ {
+ "counterName": "Disk Writes/sec"
+ }
+ ],
+ "objectName": "Logical Disk",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleLinuxPerfCollection1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxPerformanceCollection",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "state": "Enabled"
+ }
+ }
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "nestedTemplate",
+ "condition": "[parameters('deployHub')]",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": []
+ },
+ "parameters": {}
+ }
+ },
+ {
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "name": "[concat(variables('solutions')[copyIndex()].name)]",
+ "location": "[parameters('workspaceLocation')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "copy": {
+ "name": "solutionCopy",
+ "count": "[length(variables('solutions'))]",
+ "mode": "Serial"
+ },
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]"
+ },
+ "plan": {
+ "name": "[variables('solutions')[copyIndex()].name]",
+ "product": "[concat('OMSGallery/', variables('solutions')[copyIndex()].galleryName)]",
+ "promotionCode": "",
+ "publisher": "Microsoft"
+ }
+ },
+ {
+ "comments": "*Log Analytics Workspace resource lock*",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/locks",
+ "apiVersion": "2017-04-01",
+ "name": "[concat(variables('oms-workspace-name'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('oms-workspace-name')]"
+ ],
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "comments": "*Diagnostic storage account*",
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('diagnostic-storage-account-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS"
+ },
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "encryption": {
+ "keySource": "Microsoft.Storage",
+ "services": {
+ "blob": {
+ "enabled": true
+ },
+ "file": {
+ "enabled": true
+ }
+ }
+ },
+ "allowBlobPublicAccess": false,
+ "supportsHttpsTrafficOnly": true,
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "defaultAction": "Deny"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/providers/locks",
+ "apiVersion": "2016-09-01",
+ "name": "[concat(variables('diagnostic-storage-account-name'), '/Microsoft.Authorization/storageDoNotDelete')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]"
+ ],
+ "comments": "Resource lock on diagnostic storage account",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/storageinsightconfigs",
+ "apiVersion": "2020-03-01-preview",
+ "name": "[concat(variables('oms-workspace-name'), '/', variables('diagnostic-storage-account-name'))]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]"
+ ],
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "containers": [],
+ "tables": [
+ "WADWindowsEventLogsTable",
+ "WADETWEventTable",
+ "WADServiceFabric*EventTable",
+ "LinuxsyslogVer2v0"
+ ],
+ "storageAccount": {
+ "id": "[resourceId('Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]",
+ "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
+ "apiVersion": "2020-03-01-preview",
+ "name": "[concat(variables('oms-workspace-name'), '/' , 'Automation')]",
+ "location": "[parameters('workspaceLocation')]",
+ "condition": "[and(parameters('deployHub'), not(empty(parameters('automationAccountId'))))]",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "resourceId": 
"[parameters('automationAccountId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('oms-workspace-name'),'/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('oms-workspace-name')]",
+ "[variables('diagnostic-storage-account-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "Audit",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ],
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "workspaceLocation": {
+ "value": "[parameters('hub-shared-security-log_workspaceLocation')]"
+ },
+ "automationAccountId": {
+ "value": "[parameters('hub-shared-security-log_automationAccountId')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "resourceGroup": "HubResourceGroup",
+ "displayName": "Azure Log Analytics and Diagnostics template",
+ "description": "Azure Log Analytics and Diagnostics template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/hub-shared-security-log",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-security-log"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF/artifact.spoke-workload-network-vnet.json b/samples/001-builtins/ASBF/artifact.spoke-workload-network-vnet.json
new file mode 100644
index 0000000..357d8f5
--- /dev/null
+++ b/samples/001-builtins/ASBF/artifact.spoke-workload-network-vnet.json
@@ -0,0 +1,352 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "displayName": "Hub subscription ID",
+ "description": "Subscription ID where hub is deployed; default value is the subscription where the blueprint definition is located."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "spokeName": {
+ "type": "string",
+ "defaultValue": "spoke-workload",
+ "metadata": {
+ "displayName": "Spoke name",
+ "description": "Name of the spoke."
+ }
+ },
+ "deploySpoke": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy spoke",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the spoke components of the architecture."
+ }
+ },
+ "spokeVnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.1.0.0/16",
+ "metadata": {
+ "displayName": "Virtual Network address prefix",
+ "description": "Virtual Network address prefix for spoke virtual network."
+ }
+ },
+ "spokeSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.1.0.0/24",
+ "metadata": {
+ "displayName": "Subnet address prefix",
+ "description": "Subnet address prefix for spoke virtual network."
+ }
+ },
+ "spokeOptionalSubnetNames": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address names (optional)",
+ "description": "Array of subnet names to deploy to the spoke virtual network; for example, \"subnet1\",\"subnet2\"."
+ }
+ },
+ "spokeOptionalSubnetPrefixes": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address prefixes (optional)",
+ "description": "Array of IP address prefixes for optional subnets for the spoke virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"."
+ }
+ },
+ "enableDdosProtection": {
+ "type": "bool",
+ "defaultValue": "true",
+ "metadata": {
+ "displayName": "Enable DDoS protection",
+ "description": "Enter 'true' or 'false' to specify whether or not DDoS Protection is enabled in the virtual network."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ }
+ },
+ "variables": {
+ "location": "[resourceGroup().location]",
+ "hub-deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "hub-resource-group-name": "[concat(variables('hub-deployment-prefix'), '-rg')]",
+ "hub-vnet-name": "[concat(variables('hub-deployment-prefix'), '-vnet')]",
+ "hub-vnet-resource-id": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/virtualNetworks', variables('hub-vnet-name'))]",
+ "oms-workspace-name": "[concat(variables('hub-deployment-prefix'), '-log')]",
+ "unique-string": "[uniqueString(concat('/subscriptions/', parameters('hubSubscriptionId')), concat(variables('hub-deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('hub-deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "ddos-protection-plan-name": "[concat(variables('hub-deployment-prefix'), '-ddos-plan')]",
+ "ddos-protection-plan-id": {
+ "id": "[resourceId(variables('hub-resource-group-name'), 'Microsoft.Network/ddosProtectionPlans', variables('ddos-protection-plan-name'))]"
+ },
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('spokeName')))]",
+ "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]",
+ "spoke-vnet-resource-id": "[resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.Network/virtualNetworks', variables('vnet-name'))]",
+ "static-subnets": [
+ {
+ "name": "workload-subnet",
+ "address-prefix": "[parameters('spokeSubnetAddressPrefix')]",
+ "network-security-group": "workload-subnet",
+ "user-defined-route": "default",
+ "service-endpoints": []
+ }
+ ],
+ "copy": [
+ {
+ "name": "optional-subnets",
+ "count": "[length(parameters('spokeOptionalSubnetNames'))]",
+ "input": 
{
+ "name": "[parameters('SpokeOptionalSubnetNames')[copyIndex('optional-subnets')]]",
+ "address-prefix": "[parameters('spokeOptionalSubnetPrefixes')[copyIndex('optional-subnets')]]",
+ "user-defined-route": "default",
+ "network-security-group": "default-deny",
+ "service-endpoints": []
+ }
+ }
+ ],
+ "subnets": "[union(variables('static-subnets'), variables('optional-subnets'))]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('vnet-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deploySpoke')]",
+ "tags": {
+ "component": "spoke-workload-network-vnet"
+ },
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('spokeVnetAddressPrefix')]"
+ ]
+ },
+ "enableDdosProtection": "[parameters('enableDdosProtection')]",
+ "ddosProtectionPlan": "[if(parameters('enableDdosProtection'), variables('ddos-protection-plan-id'), json('null'))]",
+ "copy": [
+ {
+ "name": "subnets",
+ "count": "[length(variables('subnets'))]",
+ "input": {
+ "name": "[variables('subnets')[copyIndex('subnets')].name]",
+ "properties": {
+ "addressPrefix": "[variables('subnets')[copyIndex('subnets')]['address-prefix']]",
+ "networkSecurityGroup": "[if(equals(variables('subnets')[copyIndex('subnets')]['network-security-group'], ''), json('null'), json(concat('{\"id\": \"', resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/networkSecurityGroups', concat(variables('hub-deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['network-security-group'], '-nsg')), '\"}')))]",
+ "routeTable": "[if(equals(variables('subnets')[copyIndex('subnets')]['user-defined-route'], ''), json('null'), json(concat('{\"id\": \"', resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/routeTables', concat(variables('hub-deployment-prefix'), '-', 
variables('subnets')[copyIndex('subnets')]['user-defined-route'], '-udr')), '\"}')))]",
+ "serviceEndpoints": "[if(equals(length(variables('subnets')[copyIndex('subnets')]['service-endpoints']), 0), json('null'), variables('subnets')[copyIndex('subnets')]['service-endpoints'])]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(variables('vnet-name'), '/', parameters('hubName'), '-peering')]",
+ "condition": "[parameters('deploySpoke')]",
+ "dependsOn": [
+ "[variables('vnet-name')]"
+ ],
+ "properties": {
+ "peeringState": "Connected",
+ "remoteVirtualNetwork": {
+ "id": "[variables('hub-vnet-resource-id')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": false,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false,
+ "remoteAddressSpace": {
+ "addressPrefixes": "[reference(variables('hub-vnet-resource-id'), '2020-05-01').addressSpace.addressPrefixes]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('vnet-name'),'/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deploySpoke')]",
+ "dependsOn": [
+ "[variables('vnet-name')]"
+ ],
+ "tags": {
+ "component": "spoke-workload-network-vnet"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "VMProtectionAlerts",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ],
+ "metrics": [
+ {
+ "category": 
"AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-09-01",
+ "name": "[concat('nested.configure.vnet-peering-', variables('vnet-name'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "resourceGroup": "[variables('hub-resource-group-name')]",
+ "condition": "[parameters('deploySpoke')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', variables('vnet-name'))]"
+ ],
+ "tags": {
+ "component": "spoke-workload-network-vnet"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "hub-vnet-name": {
+ "type": "String"
+ },
+ "deployment-prefix": {
+ "type": "string"
+ },
+ "spoke-vnet-resource-id": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(parameters('hub-vnet-name'), '/', parameters('deployment-prefix'), '-peering')]",
+ "properties": {
+ "peeringState": "Connected",
+ "remoteVirtualNetwork": {
+ "id": "[parameters('spoke-vnet-resource-id')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": false,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false,
+ "remoteAddressSpace": {
+ "addressPrefixes": "[reference(parameters('spoke-vnet-resource-id'), '2020-05-01').addressSpace.addressPrefixes]"
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "hub-vnet-name": {
+ "value": "[variables('hub-vnet-name')]"
+ },
+ "deployment-prefix": {
+ "value": "[variables('deployment-prefix')]"
+ },
+ "spoke-vnet-resource-id": {
+ "value": "[variables('spoke-vnet-resource-id')]"
+ }
+ }
+ }
+ }
+ ],
+ 
"outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubSubscriptionId": {
+ "value": "[parameters('hubSubscriptionId')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "spokeName": {
+ "value": "[parameters('spokeName')]"
+ },
+ "spokeVnetAddressPrefix": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeVnetAddressPrefix')]"
+ },
+ "spokeSubnetAddressPrefix": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeSubnetAddressPrefix')]"
+ },
+ "spokeOptionalSubnetNames": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeOptionalSubnetNames')]"
+ },
+ "spokeOptionalSubnetPrefixes": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeOptionalSubnetPrefixes')]"
+ },
+ "enableDdosProtection": {
+ "value": "[parameters('enableDdosProtection')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deploySpoke": {
+ "value": "[parameters('deploySpoke')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log",
+ "hub-shared-network-nsg",
+ "hub-shared-network-vnet",
+ "hub-shared-network-firewall"
+ ],
+ "resourceGroup": "SpokeResourceGroup",
+ "displayName": "Azure Virtual Network spoke template",
+ "description": "Azure Virtual Network spoke template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF/artifacts/spoke-workload-network-vnet",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "spoke-workload-network-vnet"
+ }
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF/blueprint.json b/samples/001-builtins/ASBF/blueprint.json
new file mode 100644
index 0000000..07c682a
--- /dev/null
+++ b/samples/001-builtins/ASBF/blueprint.json
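Review bot: `enableDdosProtection` is declared `"type": "bool"` but its default is the string `"true"`, so the parameter definition is type-mismatched and is likely to be rejected at template validation whenever the assignment relies on the default; it should read `"defaultValue": true`, as `deploySpoke` in the same parameters block already does, and the same bool is what the `enableDdosProtection`/`ddosProtectionPlan` properties of the virtual network evaluate. The optional-subnets copy references `parameters('SpokeOptionalSubnetNames')` with a capital S while the parameter is declared `spokeOptionalSubnetNames`; ARM resolves parameter names case-insensitively, but the mismatch reads as a typo and should be `parameters('spokeOptionalSubnetNames')`. `spokeOptionalSubnetNames` and `spokeOptionalSubnetPrefixes` are parallel arrays indexed by the same `copyIndex('optional-subnets')`, so a caller passing arrays of different lengths fails at deployment with an index error rather than a clear message; a one-line note in both parameter descriptions that the two arrays must have the same length would help. In the virtual network diagnostic settings the `AllMetrics` retention policy has `"enabled": false` while the `VMProtectionAlerts` log above it and the hub workspace's own `AllMetrics` block use `"enabled": true`; if that is not deliberate, metrics sent to the diagnostic storage account are not retained for `logsRetentionInDays`.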
@@ -0,0 +1,280 @@ +{ + "properties": { + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "hubLocation": { + "type": "string", + "metadata": { + "strongType": "location", + "displayName": "Hub location", + "description": "Location for the hub resource group." + } + }, + "hubSubscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "displayName": "Hub subscription ID", + "description": "Subscription ID where hub is deployed; default value is the subscription where the blueprint is assigned (scope)." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." + } + }, + "spokeName": { + "type": "string", + "defaultValue": "spoke-workload", + "metadata": { + "displayName": "Spoke name", + "description": "Name of the spoke." + } + }, + "deploySpoke": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy spoke", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the spoke components of the architecture." + } + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." 
+ } + }, + "hub-shared-security-log_workspaceLocation": { + "type": "string", + "defaultValue": "[parameters('hubLocation')]", + "metadata": { + "displayName": "Log Analytics workspace location", + "description": "Location where Log Analytics workspace will be created; run `Get-AzLocation | Where-Object Providers -like 'Microsoft.OperationalInsights' | Select DisplayName` in Azure PowersShell to see available regions." + } + }, + "hub-shared-security-log_automationAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "Azure Automation account ID (optional)", + "description": "Automation account resource ID; used to create a linked service between Log Analytics and an Automation account." + } + }, + "networkWatcherName": { + "defaultValue": "[concat('NetworkWatcher_', parameters('networkWatcherLocation'))]", + "type": "string", + "metadata": { + "displayName": "Network Watcher name", + "description": "Name for the Network Watcher resource." + } + }, + "networkWatcherLocation": { + "defaultValue": "[parameters('hubLocation')]", + "type": "string", + "metadata": { + "displayName": "Network Watcher location", + "description": "Location for the Network Watcher resource." + } + }, + "networkWatcherResourceGroup": { + "defaultValue": "NetworkWatcherRG", + "type": "string", + "metadata": { + "displayName": "Network Watcher resource group name", + "description": "Name for the Network Watcher resource group." + } + }, + "networkWatcherResourceGroupLocation": { + "defaultValue": "[parameters('hubLocation')]", + "type": "string", + "metadata": { + "displayName": "Network Watcher resource group location", + "description": "Location of the Network Watcher resource group." + } + }, + "hub-shared-network-nsg_enableNsgFlowLogs": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Enable NSG flow logs", + "description": "Enter 'true' or 'false' to enable or disable NSG flow logs." 
+ } + }, + "destinationAddresses": { + "type": "string", + "metadata": { + "displayName": "Destination IP addresses", + "description": "Destination IP addresses for outbound connectivity; comma-separated list of IP addresses or IP range prefixes." + }, + "defaultValue": "0.0.0.0" + }, + "hub-shared-network-vnet_vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "displayName": "Virtual network address prefix", + "description": "Virtual network address prefix for hub virtual network." + } + }, + "hub-shared-network-vnet_azureFirewallSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/26", + "metadata": { + "displayName": "Firewall subnet address prefix", + "description": "Firewall subnet address prefix for hub virtual network." + } + }, + "hub-shared-network-vnet_bastionSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.1.0/27", + "metadata": { + "displayName": "Bastion subnet address prefix", + "description": "Bastion subnet address prefix for hub virtual network." + } + }, + "hub-shared-network-vnet_gatewaySubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.2.0/24", + "metadata": { + "displayName": "Gateway subnet address prefix", + "description": "Gateway subnet address prefix for hub virtual network." + } + }, + "hub-shared-network-vnet_managementSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.3.0/24", + "metadata": { + "displayName": "Management subnet address prefix", + "description": "Management subnet address prefix for hub virtual network." + } + }, + "hub-shared-network-vnet_jumpBoxSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.4.0/24", + "metadata": { + "displayName": "Jump box subnet address prefix", + "description": "Jump box subnet address prefix for hub virtual network." 
+ } + }, + "hub-shared-network-vnet_optionalSubnetNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address names (optional)", + "description": "Array of subnet names to deploy to the hub virtual network; for example, \"subnet1\",\"subnet2\"." + } + }, + "hub-shared-network-vnet_optionalSubnetPrefixes": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address prefixes (optional)", + "description": "Array of IP address prefixes for optional subnets for hub virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"." + } + }, + "enableDdosProtection": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Enable DDoS protection", + "description": "Enter 'true' or 'false' to specify whether or not DDoS Protection is enabled in the virtual network." + } + }, + "hub-shared-network-firewall_azureFirewallPrivateIP": { + "type": "string", + "defaultValue": "10.0.0.4", + "metadata": { + "displayName": "Azure Firewall private IP address", + "description": "Azure Firewall private IP address." + } + }, + "spoke-workload-network-vnet_spokeVnetAddressPrefix": { + "type": "string", + "defaultValue": "10.1.0.0/16", + "metadata": { + "displayName": "Virtual Network address prefix", + "description": "Virtual Network address prefix for spoke virtual network." + } + }, + "spoke-workload-network-vnet_spokeSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.1.0.0/24", + "metadata": { + "displayName": "Subnet address prefix", + "description": "Subnet address prefix for spoke virtual network." + } + }, + "spoke-workload-network-vnet_spokeOptionalSubnetNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address names (optional)", + "description": "Array of subnet names to deploy to the spoke virtual network; for example, \"subnet1\",\"subnet2\"." 
+ } + }, + "spoke-workload-network-vnet_spokeOptionalSubnetPrefixes": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address prefixes (optional)", + "description": "Array of IP address prefixes for optional subnets for the spoke virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"." + } + } + }, + "resourceGroups": { + "HubResourceGroup": { + "name": "[concat(parameters('namePrefix'), '-', parameters('hubName'), '-rg')]", + "location": "[parameters('hubLocation')]", + "metadata": { + "displayName": "Hub resource group" + } + }, + "SpokeResourceGroup": { + "name": "[concat(parameters('namePrefix'), '-', parameters('spokeName'), '-rg')]", + "location": "[parameters('hubLocation')]", + "metadata": { + "displayName": "Spoke resource group" + } + }, + "NetworkWatcherResourceGroup": { + "name": "[parameters('networkWatcherResourceGroup')]", + "location": "[parameters('networkWatcherResourceGroupLocation')]", + "metadata": { + "displayName": "Network Watcher resource group" + } + } + }, + "targetScope": "subscription", + "status": { + "timeCreated": "2020-12-04T23:25:37+00:00", + "lastModified": "2021-02-12T23:31:27.4720923+00:00" + }, + "displayName": "Azure Security Benchmark Foundation (Preview)", + "description": "Deploys and configures Azure Security Benchmark Foundation (Preview)." + }, + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF", + "type": "Microsoft.Blueprint/blueprints", + "name": "ASBF" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-security-center.json b/samples/001-builtins/ASBF_Gov/artifact.hub-security-center.json new file mode 100644 index 0000000..c40325b --- /dev/null +++ b/samples/001-builtins/ASBF_Gov/artifact.hub-security-center.json 
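Review bot: The `destinationAddresses` parameter is declared `"type": "string"` but its description promises a comma-separated list, and the ASBF_Gov firewall artifact later in this commit (its `AllowIPAddresses` rule) places `[parameters('destinationAddresses')]` as a single element of the rule's `destinationAddresses` array, so a value holding several prefixes would presumably reach Azure Firewall as one literal string rather than several prefixes. Either make the blueprint parameter `"type": "array"` with `"defaultValue": []` and have the firewall rule use `"destinationAddresses": "[parameters('destinationAddresses')]"` unwrapped, or reword the description to say a single IP address or prefix. The `"defaultValue": "0.0.0.0"` also reads like a placeholder for the destination of an Allow rule, and a reader of a security-baseline sample may not realise it is meant to be replaced; stating that in the description would help. Minor: the `hub-shared-security-log_workspaceLocation` description spells `PowersShell`.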
@@ -0,0 +1,216 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.1",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]",
+ "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]",
+ "oms-workspace-subscription-id": "[subscription().subscriptionId]",
+ "pricing": "Standard"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "service",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "storageAccountId": "[concat('/subscriptions/', variables('oms-workspace-subscription-id'), '/resourceGroups/', variables('oms-workspace-resource-group'), '/providers/Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[concat('/subscriptions/', variables('oms-workspace-subscription-id'), '/resourceGroups/', variables('oms-workspace-resource-group'), '/providers/Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Alert",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Policy",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "Security",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2017-08-01-preview",
+ "name": "default",
+ "condition": "[parameters('deployHub')]",
+ "tags": {
+ "tagName": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "StorageAccounts",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/default')]"
+ ],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "SqlServers",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/StorageAccounts')]"
+ ],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "VirtualMachines",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/SqlServers')]"
+ ],
+ "tags": {
+ "component": "hub-security-center"
+ },
+ "properties": {
+ "pricingTier": "[variables('pricing')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log"
+ ],
+ "displayName": "Azure Security Center template",
+ "description": "Azure Security Center template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-security-center",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-security-center"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-bastion.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-bastion.json
new file mode 100644
index 0000000..efa6150
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-bastion.json
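Review bot: The `Microsoft.Security/pricings` resource named `default` tags itself with `"tagName": "hub-security-center"` while every other resource in this artifact, and the bastion and firewall artifacts in this commit, use the key `component`; the line should read `"component": "hub-security-center"`, otherwise an inventory that filters deployed resources by the `component` tag will miss this one. The same resource is on apiVersion `2017-08-01-preview` while the three pricings that chain off it via `dependsOn` use `2018-06-01`; if the split is deliberate it deserves a sentence in the sample's documentation, because it reads as a leftover. The diagnostic setting's `storageAccountId` and `workspaceId` are assembled with `concat('/subscriptions/', …)` whereas the sibling artifacts use `resourceId(variables('oms-workspace-resource-group'), …)`; since `oms-workspace-subscription-id` is just `subscription().subscriptionId`, the `resourceId()` form would presumably work here too and is harder to get wrong.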
@@ -0,0 +1,203 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {
+ "location": "[resourceGroup().location]",
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]",
+ "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]",
+ "vnet-resource-group": "[concat(variables('deployment-prefix'), '-rg')]",
+ "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]",
+ "bastion-subnet-id": "[concat(resourceId(variables('vnet-resource-group'), 'Microsoft.Network/virtualNetworks', variables('vnet-name')) , '/subnets/AzureBastionSubnet')]",
+ "bastion-ip-name": "[concat(variables('deployment-prefix'), '-bastion-ip')]",
+ "bastion-ip-id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastion-ip-name'))]",
+ "bastion-name": "[concat(variables('deployment-prefix'), '-bastion')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2019-11-01",
+ "name": "[variables('bastion-ip-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv4"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('bastion-ip-name'), '/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('bastion-ip-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "DDoSProtectionNotifications",
+ "enabled": true
+ },
+ {
+ "category": "DDoSMitigationFlowLogs",
+ "enabled": true
+ },
+ {
+ "category": "DDoSMitigationReports",
+ "enabled": true
+ }
+ ],
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('bastion-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('bastion-ip-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "dnsName": "bst-10f100c2-b1c6-4110-93f8-41a2947e4c35.bastion.azure.com",
+ "ipConfigurations": [
+ {
+ "name": "IpConf",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "publicIPAddress": {
+ "id": "[variables('bastion-ip-id')]"
+ },
+ "subnet": {
+ "id": "[variables('bastion-subnet-id')]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('bastion-name'), '/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('bastion-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-bastion"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "logs": [
+ {
+ "category": "BastionAuditLogs",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log",
+ "hub-shared-network-nsg",
+ "hub-shared-network-vnet"
+ ],
+ "resourceGroup": "HubResourceGroup",
+ "displayName": "Azure Bastion Host template",
+ "description": "Azure Bastion Host template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-network-bastion",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-network-bastion"
+}
diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-firewall.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-firewall.json
new file mode 100644
index 0000000..3f15df4
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-firewall.json
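Review bot: `"dnsName": "bst-10f100c2-b1c6-4110-93f8-41a2947e4c35.bastion.azure.com"` on the `Microsoft.Network/bastionHosts` resource looks like a value captured from an exported deployment; as far as I know that name is service-assigned and unique to the original host, so on a fresh deployment it is either ignored or rejected, and it should be dropped from the sample rather than shipped as something to copy. The public-IP diagnostic settings in this artifact enable the three DDoS log categories without a `retentionPolicy`, whereas the firewall artifact in this same commit sets `"retentionPolicy": { "enabled": true, "days": "[parameters('logsRetentionInDays')]" }` on the identical categories; aligning the two keeps the blueprint's `logsRetentionInDays` parameter effective for the bastion IP as well. I cannot tell from the hunk whether the omission is deliberate.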
@@ -0,0 +1,405 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "azureFirewallPrivateIP": { + "type": "string", + "defaultValue": "10.0.0.4", + "metadata": { + "displayName": "Azure Firewall private IP address", + "description": "Azure Firewall private IP address." + } + }, + "destinationAddresses": { + "type": "string", + "metadata": { + "displayName": "Destination IP addresses", + "description": "Destination IP addresses for outbound connectivity; comma-separated list of IP addresses or IP range prefixes." + }, + "defaultValue": "0.0.0.0" + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "vnet-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]", + "azure-fw-subnet-id": "[concat(resourceId(variables('vnet-resource-group'), 'Microsoft.Network/virtualNetworks', variables('vnet-name')) , '/subnets/AzureFirewallSubnet')]", + "azure-fw-ip-name": "[concat(variables('deployment-prefix'), '-az-fw-ip')]", + "azure-fw-ip-id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('azure-fw-ip-name'))]", + "azure-fw-name": "[concat(variables('deployment-prefix'), '-az-fw')]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "shared-user-defined-routes": { + "name": "default", + "routes": [ + { + "name": "default", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopIpAddress": "[parameters('azureFirewallPrivateIP')]", + "nextHopType": "VirtualAppliance" + } + } + ] + }, + "default-ip": "0.0.0.0" + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2019-11-01", + "name": "[variables('azure-fw-ip-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "sku": { + "name": "Standard" + }, + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "publicIPAllocationMethod": "Static", + 
"publicIPAddressVersion": "IPv4" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('azure-fw-ip-name'), '/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('azure-fw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "DDoSMitigationReports", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Network/azureFirewalls", + "apiVersion": "2019-11-01", + "name": "[variables('azure-fw-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('azure-fw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "ipConfigurations": [ + { + "name": "IpConf", + "properties": { + "subnet": { + "id": "[variables('azure-fw-subnet-id')]" + }, + "publicIPAddress": { + "id": 
"[variables('azure-fw-ip-id')]" + } + } + } + ], + "applicationRuleCollections": [], + "natRuleCollections": [ + { + "name": "RdpDnat", + "properties": { + "priority": 3000, + "action": { + "type": "Dnat" + }, + "rules": [ + { + "name": "rdp", + "protocols": [ + "TCP" + ], + "translatedAddress": "[variables('default-ip')]", + "translatedPort": "3389", + "sourceAddresses": [ + "[variables('default-ip')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('azure-fw-ip-name'))).ipAddress]" + ], + "destinationPorts": [ + "3389" + ] + } + ] + } + } + ], + "networkRuleCollections": [ + { + "name": "AllowAzureCloud", + "properties": { + "priority": 3000, + "action": { + "type": "Allow" + }, + "rules": [ + { + "name": "azure-cloud", + "protocols": [ + "TCP" + ], + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [ + "AzureCloud" + ], + "sourceIpGroups": [], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "443" + ] + } + ] + } + }, + { + "name": "AllowIPAddresses", + "properties": { + "priority": 3050, + "action": { + "type": "Allow" + }, + "rules": [ + { + "name": "ip-addresses", + "protocols": [ + "TCP" + ], + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [ + "[parameters('destinationAddresses')]" + ], + "sourceIpGroups": [], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "443" + ] + } + ] + } + } + ] + } + }, + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticsettings", + "name": "[concat(variables('azure-fw-name'), '/Microsoft.Insights/service')]", + "apiVersion": "2017-05-01-preview", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('azure-fw-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 
'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "nested.configure.default-udr", + "condition": "[parameters('deployHub')]", + "resourceGroup": "[variables('vnet-resource-group')]", + "dependsOn": [ + "[variables('azure-fw-name')]" + ], + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2019-09-01", + "location": "[resourceGroup().location]", + "name": "[concat(variables('deployment-prefix'), '-', variables('shared-user-defined-routes').name, '-udr')]", + "tags": { + "component": "hub-shared-network-firewall" + }, + "properties": { + "routes": "[variables('shared-user-defined-routes').routes]", + "disableBgpRoutePropagation": true + } + } + ] + }, + "parameters": {} + } + } + ], + "outputs": {} + }, + 
"parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "azureFirewallPrivateIP": { + "value": "[parameters('hub-shared-network-firewall_azureFirewallPrivateIP')]" + }, + "destinationAddresses": { + "value": "[parameters('destinationAddresses')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-nsg", + "hub-shared-network-vnet" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure Firewall template", + "description": "Azure Firewall template." + }, + "kind": "template", + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-network-firewall", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "hub-shared-network-firewall" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-gateway.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-gateway.json new file mode 100644 index 0000000..7d9deed --- /dev/null +++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-gateway.json 
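Review bot: The `RdpDnat` NAT rule collection publishes TCP/3389 on the firewall's public IP (`destinationAddresses` is the firewall IP's `ipAddress`) and forwards it to `variables('default-ip')`, i.e. `0.0.0.0`, from a `0.0.0.0` source; as written it is a placeholder, but the only thing separating it from an internet-facing RDP path through the hub firewall is filling in a real `translatedAddress` and a broader source, which is a risky thing to leave pre-wired in a security-baseline sample. The blueprint already deploys Azure Bastion for interactive access, so the safer default here is `"natRuleCollections": [],` with the DNAT example moved to documentation; if it must stay, gate it with its own `condition` parameter defaulting to false and say in the parameter description that it exposes RDP. The `0.0.0.0` placeholder is also reused as the `destinationAddresses` default and the single-string wrapping of that parameter in `AllowIPAddresses` is raised in the note on the ASBF blueprint hunk.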
@@ -0,0 +1,255 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "oms-workspace-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "vnet-resource-group": "[concat(variables('deployment-prefix'), '-rg')]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]", + "vpn-gw-subnet-id": "[concat(resourceId(variables('vnet-resource-group'), 'Microsoft.Network/virtualNetworks', variables('vnet-name')) , '/subnets/GatewaySubnet')]", + "vpn-gw-ip-name": "[concat(variables('deployment-prefix'), '-vpn-gw-ip')]", + "vpn-gw-ip-id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('vpn-gw-ip-name'))]", + "vpn-gw-name": "[concat(variables('deployment-prefix'), '-vpn-gw')]" + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2019-11-01", + "name": "[variables('vpn-gw-ip-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "sku": { + "name": "Basic" + }, + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "publicIPAllocationMethod": "Dynamic", + "publicIPAddressVersion": "IPv4" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('vpn-gw-ip-name'), '/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[variables('vpn-gw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true + }, + { + "category": "DDoSMitigationReports", + "enabled": true + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworkGateways", + "apiVersion": "2020-05-01", + "name": "[variables('vpn-gw-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[variables('vpn-gw-ip-name')]" + ], + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "enablePrivateIpAddress": false, + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[variables('vpn-gw-ip-id')]" + }, + "subnet": { + "id": "[variables('vpn-gw-subnet-id')]" + } + } + } + ], + "sku": { + "name": "VpnGw2", + "tier": "VpnGw2" + }, + "gatewayType": "Vpn", + "vpnType": "RouteBased", + "enableBgp": false, + "activeActive": false, + "vpnGatewayGeneration": "Generation2" + } + }, + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('vpn-gw-name'), '/Microsoft.Insights/service')]", + "location": "[variables('location')]", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[variables('vpn-gw-name')]" + ], + "tags": { + "component": "hub-shared-network-gateway" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resource-group'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "TunnelDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "RouteDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "IKEDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "P2SDiagnosticLog", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ], + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-nsg", + "hub-shared-network-vnet" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure VPN Gateway template", + "description": 
"Azure VPN Gateway template." + }, + "kind": "template", + "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-network-gateway", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "hub-shared-network-gateway" +} \ No newline at end of file diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-nsg.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-nsg.json new file mode 100644 index 0000000..b538a53 --- /dev/null +++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-nsg.json 
@@ -0,0 +1,573 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "enableNsgFlowLogs": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Enable NSG flow logs", + "description": "Enter 'true' or 'false' to enable or disable NSG flow logs." + } + }, + "networkWatcherName": { + "defaultValue": "[concat('NetworkWatcher_', resourceGroup().location)]", + "type": "string", + "metadata": { + "displayName": "Network Watcher name", + "description": "Name for the Network Watcher resource." + } + }, + "networkWatcherResourceGroup": { + "defaultValue": "NetworkWatcherRG", + "type": "string", + "metadata": { + "displayName": "Network Watcher resource group name", + "description": "Name for the Network Watcher resource group." + } + }, + "destinationAddresses": { + "type": "string", + "metadata": { + "displayName": "Destination IP addresses", + "description": "Destination IP addresses for outbound connectivity; comma-separated list of IP addresses or IP range prefixes." + }, + "defaultValue": "0.0.0.0" + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." 
+ } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." + } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "oms-workspace-resourceGroup": "[concat(variables('deployment-prefix'), '-rg')]", + "application-security-groups": [ + { + "name": "management" + }, + { + "name": "jump-box" + }, + { + "name": "workload" + } + ], + "network-security-groups": [ + { + "name": "default-deny", + "rules": [ + { + "name": "DenyVnetInBound", + "properties": { + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Deny", + "priority": 4000, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + }, + { + "name": "DenyAllOutBound", + "properties": { + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 4000, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + }, + { + 
"name": "management-subnet", + "rules": [ + { + "name": "AllowJumpBoxInBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "access": "Allow", + "priority": 3050, + "direction": "Inbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "sourceApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-jump-box-asg'))]" + } + ], + "destinationApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-management-asg'))]" + } + ] + } + }, + { + "name": "AllowAzureCloudOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-management-asg'))]" + } + ], + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 3600, + "direction": "Outbound" + } + }, + { + "name": "AllowIPAddressesOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "[parameters('destinationAddresses')]", + "access": "Allow", + "priority": 3650, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + }, + { + "name": "jump-box-subnet", + "rules": [ + { + "name": "AllowVnetInbound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "sourceAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 3050, + "direction": "Inbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "destinationApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), 
'-jump-box-asg'))]" + } + ] + } + }, + { + "name": "AllowVnetOutboundRestricted", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "access": "Allow", + "priority": 3551, + "direction": "Outbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "sourceApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-jump-box-asg'))]" + } + ], + "destinationAddressPrefix": "VirtualNetwork" + } + }, + { + "name": "AllowAzureCloudOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 3600, + "direction": "Outbound" + } + }, + { + "name": "AllowIPAddressesOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "[parameters('destinationAddresses')]", + "access": "Allow", + "priority": 3650, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + }, + { + "name": "workload-subnet", + "rules": [ + { + "name": "AllowJumpBoxInBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "access": "Allow", + "priority": 3050, + "direction": "Inbound", + "destinationPortRanges": [ + "3389", + "22" + ], + "sourceAddressPrefix": "VirtualNetwork", + "destinationApplicationSecurityGroups": [ + { + "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-workload-asg'))]" + } + ] + } + }, + { + "name": "AllowAzureCloudOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceApplicationSecurityGroups": [ + { + "id": 
"[resourceId('Microsoft.Network/applicationSecurityGroups', concat(variables('deployment-prefix'), '-workload-asg'))]" + } + ], + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 3600, + "direction": "Outbound" + } + }, + { + "name": "AllowIPAddressesOutBound", + "properties": { + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "[parameters('destinationAddresses')]", + "access": "Allow", + "priority": 3650, + "direction": "Outbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/applicationSecurityGroups", + "apiVersion": "2019-09-01", + "name": "[concat(variables('deployment-prefix'), '-', variables('application-security-groups')[copyIndex('asgLoop')].name, '-asg')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "copy": { + "count": "[length(variables('application-security-groups'))]", + "name": "asgLoop" + }, + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": {} + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-09-01", + "name": "[concat(variables('deployment-prefix'), '-', variables('network-security-groups')[copyIndex()].name, '-nsg')]", + "location": "[resourceGroup().location]", + "condition": "[parameters('deployHub')]", + "copy": { + "count": "[length(variables('network-security-groups'))]", + "name": "nsgLoop" + }, + "dependsOn": [ + "asgLoop" + ], + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "securityRules": "[concat(if(equals(copyIndex('nsgLoop'), 0), json('[]'), variables('network-security-groups')[0].rules), variables('network-security-groups')[copyIndex('nsgLoop')].rules)]" + }, + "resources": [] + }, + { + "type": 
"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(variables('deployment-prefix'), '-', variables('network-security-groups')[copyIndex()].name, '-nsg','/Microsoft.Insights/setbypolicy')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "copy": { + "count": "[length(variables('network-security-groups'))]", + "name": "nsgDiagnosticLoop" + }, + "dependsOn": [ + "nsgLoop" + ], + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "storageAccountId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]", + "workspaceId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]", + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('logsRetentionInDays')]" + } + } + ] + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('nested.configure.nsg-flow-logs-', variables('network-security-groups')[copyIndex('nsgFlowLogsLoop')].name, '-nsg')]", + "condition": "[and(parameters('deployHub'), parameters('enableNsgFlowLogs'))]", + "copy": { + "count": "[length(variables('network-security-groups'))]", + "name": "nsgFlowLogsLoop" + }, + "dependsOn": [ + "nsgDiagnosticLoop" + ], + "resourceGroup": "[parameters('networkWatcherResourceGroup')]", + "subscriptionId": "[subscription().subscriptionId]", + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "string" + }, + "deploymentPrefix": { + "type": "string" + }, + "nsgResourceGroup": { + "type": "string" + }, + "nsgResourceGroupLocation": { + "type": "string" + }, + "omsWorkspaceResourceGroup": { + "type": "string" + }, + "omsWorkspaceName": { + "type": "string" + }, + "diagnosticStorageAccountName": { + "type": "string" + }, + "networkWatcherName": { + "type": "string" + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention in days", + "description": "Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2019-11-01", + "name": "[concat(parameters('networkWatcherName'),'/', parameters('networkSecurityGroupName'), '-flow')]", + "location": "[parameters('nsgResourceGroupLocation')]", + "tags": { + "component": "hub-shared-network-nsg" + }, + "properties": { + "targetResourceId": "[resourceId(parameters('nsgResourceGroup'),'Microsoft.Network/networkSecurityGroups', concat(parameters('deploymentPrefix'), '-', parameters('networkSecurityGroupName'), '-nsg'))]", + "storageId": "[resourceId(parameters('omsWorkspaceResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", + "enabled": true, + "retentionPolicy": { + "days": "[parameters('logsRetentionInDays')]", + "enabled": true + }, + "format": { + "type": "JSON", + "version": 2 + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": true, + "workspaceResourceId": "[resourceId(parameters('omsWorkspaceResourceGroup'), 'Microsoft.OperationalInsights/workspaces', 
parameters('omsWorkspaceName'))]", + "trafficAnalyticsInterval": 60 + } + } + } + } + ] + }, + "parameters": { + "networkSecurityGroupName": { + "value": "[variables('network-security-groups')[copyIndex('nsgFlowLogsLoop')].name]" + }, + "deploymentPrefix": { + "value": "[variables('deployment-prefix')]" + }, + "nsgResourceGroup": { + "value": "[resourceGroup().name]" + }, + "nsgResourceGroupLocation": { + "value": "[variables('location')]" + }, + "omsWorkspaceResourceGroup": { + "value": "[variables('oms-workspace-resourceGroup')]" + }, + "omsWorkspaceName": { + "value": "[variables('oms-workspace-name')]" + }, + "diagnosticStorageAccountName": { + "value": "[variables('diagnostic-storage-account-name')]" + }, + "networkWatcherName": { + "value": "[parameters('networkWatcherName')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + } + } + } + } + ], + "outputs": {} + }, + "parameters": { + "namePrefix": { + "value": "[parameters('namePrefix')]" + }, + "hubName": { + "value": "[parameters('hubName')]" + }, + "enableNsgFlowLogs": { + "value": "[parameters('hub-shared-network-nsg_enableNsgFlowLogs')]" + }, + "networkWatcherName" : { + "value": "[parameters('networkWatcherName')]" + }, + "networkWatcherResourceGroup" : { + "value": "[parameters('networkWatcherResourceGroup')]" + }, + "destinationAddresses": { + "value": "[parameters('destinationAddresses')]" + }, + "logsRetentionInDays": { + "value": "[parameters('logsRetentionInDays')]" + }, + "deployHub": { + "value": "[parameters('deployHub')]" + } + }, + "dependsOn": [ + "hub-shared-security-log", + "hub-shared-network-watcher" + ], + "resourceGroup": "HubResourceGroup", + "displayName": "Azure Network Security Group template", + "description": "Azure Network Security Group template." 
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-network-nsg",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-network-nsg"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-vnet.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-vnet.json
new file mode 100644
index 0000000..c1d1d71
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-vnet.json
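Review bot: The `destinationAddresses` parameter is documented as a comma-separated list of IP addresses or prefixes, but each `AllowIPAddressesOutBound` rule writes the whole string into the singular `destinationAddressPrefix`, which takes one IP, CIDR, service tag or `*`, while the array field `destinationAddressPrefixes` in the same rules is left `[]`; a list value would be rejected at deployment rather than produce the intended egress allow list. Either declare the parameter as `"type": "array"` and wire it as `"destinationAddressPrefixes": "[parameters('destinationAddresses')]"` (dropping the singular key), or correct the description to say a single prefix. The default `0.0.0.0` is presumably read as a single host rather than "any", which is the safe direction, but that should be stated in the metadata description so assignment authors do not assume it opens 443 to the internet. The same rule appears in the management, jump-box and workload NSGs, so one fix covers all three; the artifact's outer `parameters` block maps the value from the blueprint-level `destinationAddresses`, which would need the matching type change outside this hunk.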
@@ -0,0 +1,385 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "namePrefix": { + "type": "string", + "metadata": { + "displayName": "Prefix for resources and resource groups", + "description": "This string will be used as a prefix for all resource and resource group names." + } + }, + "hubName": { + "type": "string", + "defaultValue": "hub-shared", + "metadata": { + "displayName": "Hub name", + "description": "Name for the hub." + } + }, + "vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "displayName": "Virtual network address prefix", + "description": "Virtual network address prefix for hub virtual network." + } + }, + "azureFirewallSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/26", + "metadata": { + "displayName": "Firewall subnet address prefix", + "description": "Firewall subnet address prefix for hub virtual network." + } + }, + "bastionSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.1.0/27", + "metadata": { + "displayName": "Bastion subnet address prefix", + "description": "Bastion subnet address prefix for hub virtual network." + } + }, + "gatewaySubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.2.0/24", + "metadata": { + "displayName": "Gateway subnet address prefix", + "description": "Gateway subnet address prefix for hub virtual network." + } + }, + "managementSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.3.0/24", + "metadata": { + "displayName": "Management subnet address prefix", + "description": "Management subnet address prefix for hub virtual network." + } + }, + "jumpBoxSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.4.0/24", + "metadata": { + "displayName": "Jump box subnet address prefix", + "description": "Jump box subnet address prefix for hub virtual network." 
+ } + }, + "optionalSubnetNames": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address names (optional)", + "description": "Array of subnet names to deploy to the hub virtual network; for example, \"subnet1\",\"subnet2\"." + } + }, + "optionalSubnetPrefixes": { + "type": "array", + "defaultValue": [], + "metadata": { + "displayName": "Subnet address prefixes (optional)", + "description": "Array of IP address prefixes for optional subnets for hub virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"." + } + }, + "enableDdosProtection": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Enable DDoS protection", + "description": "Enter 'true' or 'false' to specify whether or not DDoS Protection is enabled in the virtual network." + } + }, + "logsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention (days)", + "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely." + } + }, + "deployHub": { + "type": "bool", + "defaultValue": true, + "metadata": { + "displayName": "Deploy hub", + "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture." 
+ } + } + }, + "variables": { + "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]", + "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]", + "private-endpoint-name": "[concat(variables('deployment-prefix'), '-pe')]", + "ddos-protection-plan-name": "[concat(variables('deployment-prefix'), '-ddos-plan')]", + "ddos-protection-plan-id": { + "id": "[resourceId('Microsoft.Network/ddosProtectionPlans', variables('ddos-protection-plan-name'))]" + }, + "user-defined-routes": [ + { + "name": "default", + "routes": [] + } + ], + "static-subnets": [ + { + "name": "AzureFirewallSubnet", + "address-prefix": "[parameters('azureFirewallSubnetAddressPrefix')]", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "AzureBastionSubnet", + "address-prefix": "[parameters('bastionSubnetAddressPrefix')]", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [] + }, + { + "name": "GatewaySubnet", + "address-prefix": "[parameters('gatewaySubnetAddressPrefix')]", + "network-security-group": "", + "user-defined-route": "", + "service-endpoints": [ + { + "service": "Microsoft.AzureCosmosDB" + }, + { + "service": "Microsoft.CognitiveServices" + }, + { + "service": "Microsoft.ContainerRegistry" + }, + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.KeyVault" + }, + { + "service": "Microsoft.ServiceBus" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + } + ] + }, + { + "name": "management-subnet", + "address-prefix": "[parameters('managementSubnetAddressPrefix')]", + "network-security-group": "management-subnet", + "user-defined-route": "default", + "service-endpoints": [] + }, + { + "name": "jump-box-subnet", + "address-prefix": "[parameters('jumpBoxSubnetAddressPrefix')]", + "network-security-group": "jump-box-subnet", + "user-defined-route": "default", + "service-endpoints": [] + } + ], + "copy": [ + { + 
"name": "optional-subnets", + "count": "[length(parameters('optionalSubnetNames'))]", + "input": { + "name": "[parameters('optionalSubnetNames')[copyIndex('optional-subnets')]]", + "address-prefix": "[parameters('optionalSubnetPrefixes')[copyIndex('optional-subnets')]]", + "user-defined-route": "default", + "network-security-group": "default-deny", + "service-endpoints": [] + } + } + ], + "location": "[resourceGroup().location]", + "subnets": "[union(variables('static-subnets'), variables('optional-subnets'))]", + "oms-workspace-resourceGroup": "[concat(variables('deployment-prefix'), '-rg')]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]", + "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]", + "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]" + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2019-09-01", + "name": "[concat(variables('deployment-prefix'), '-', variables('user-defined-routes')[copyIndex()].name, '-udr')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "tags": { + "component": "hub-shared-network-vnet" + }, + "copy": { + "count": "[length(variables('user-defined-routes'))]", + "name": "udrLoop" + }, + "properties": {} + }, + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-09-01", + "name": "[variables('ddos-protection-plan-name')]", + "location": "[variables('location')]", + "condition": "[and(parameters('deployHub'), parameters('enableDdosProtection'))]", + "tags": { + "component": "hub-shared-network-vnet" + }, + "properties": {} + }, + { + "apiVersion": "2019-09-01", + "type": "Microsoft.Network/virtualNetworks", + "name": 
"[variables('vnet-name')]", + "location": "[variables('location')]", + "condition": "[parameters('deployHub')]", + "tags": { + "component": "hub-shared-network-vnet" + }, + "dependsOn": [ + "udrLoop", + "[variables('ddos-protection-plan-name')]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vnetAddressPrefix')]" + ] + }, + "enableDdosProtection": "[parameters('enableDdosProtection')]", + "ddosProtectionPlan": "[if(parameters('enableDdosProtection'), variables('ddos-protection-plan-id'), json('null'))]", + "copy": [ + { + "name": "subnets", + "count": "[length(variables('subnets'))]", + "input": { + "name": "[variables('subnets')[copyIndex('subnets')].name]", + "properties": { + "addressPrefix": "[variables('subnets')[copyIndex('subnets')]['address-prefix']]", + "networkSecurityGroup": "[if(equals(variables('subnets')[copyIndex('subnets')]['network-security-group'], ''), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['network-security-group'], '-nsg')), '\"}')))]", + "routeTable": "[if(equals(variables('subnets')[copyIndex('subnets')]['user-defined-route'], ''), json('null'), json(concat('{\"id\": \"', resourceId('Microsoft.Network/routeTables', concat(variables('deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['user-defined-route'], '-udr')), '\"}')))]", + "serviceEndpoints": "[if(equals(length(variables('subnets')[copyIndex('subnets')]['service-endpoints']), 0), json('null'), variables('subnets')[copyIndex('subnets')]['service-endpoints'])]", + "privateEndpointNetworkPolicies": "[if(equals(variables('subnets')[copyIndex('subnets')].name, 'management-subnet'), 'Disabled', json('null'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2020-06-01", + "name": "[variables('private-endpoint-name')]", + "location": 
"[variables('location')]",
+ "dependsOn": [
+ "[variables('vnet-name')]"
+ ],
+ "properties": {
+ "subnet": {
+ "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnet-name'), 'management-subnet')]"
+ },
+ "privateLinkServiceConnections": [
+ {
+ "name": "[variables('private-endpoint-name')]",
+ "properties": {
+ "privateLinkServiceId": "[resourceId('Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "groupIds": [
+ "blob"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('vnet-name'),'/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('vnet-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-network-vnet"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(variables('oms-workspace-resourceGroup'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "vnetAddressPrefix": {
+ "value": "[parameters('hub-shared-network-vnet_vnetAddressPrefix')]"
+ },
+ "azureFirewallSubnetAddressPrefix": {
+ "value": "[parameters('hub-shared-network-vnet_azureFirewallSubnetAddressPrefix')]"
+ },
+ "bastionSubnetAddressPrefix": {
+ "value": "[parameters('hub-shared-network-vnet_bastionSubnetAddressPrefix')]"
+ },
+ "gatewaySubnetAddressPrefix": {
+ "value": 
"[parameters('hub-shared-network-vnet_gatewaySubnetAddressPrefix')]"
+ },
+ "managementSubnetAddressPrefix": {
+ "value": "[parameters('hub-shared-network-vnet_managementSubnetAddressPrefix')]"
+ },
+ "jumpBoxSubnetAddressPrefix": {
+ "value": "[parameters('hub-shared-network-vnet_jumpBoxSubnetAddressPrefix')]"
+ },
+ "optionalSubnetNames": {
+ "value": "[parameters('hub-shared-network-vnet_optionalSubnetNames')]"
+ },
+ "optionalSubnetPrefixes": {
+ "value": "[parameters('hub-shared-network-vnet_optionalSubnetPrefixes')]"
+ },
+ "enableDdosProtection": {
+ "value": "[parameters('enableDdosProtection')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log",
+ "hub-shared-network-nsg"
+ ],
+ "resourceGroup": "HubResourceGroup",
+ "displayName": "Azure Virtual Network hub template",
+ "description": "Azure Virtual Network hub template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-network-vnet",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-network-vnet"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-watcher.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-watcher.json
new file mode 100644
index 0000000..8a980ea
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-network-watcher.json
@@ -0,0 +1,67 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "networkWatcherName": {
+ "defaultValue": "[concat('NetworkWatcher_', parameters('networkWatcherLocation'))]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher name",
+ "description": "Name for the Network Watcher resource."
+ }
+ },
+ "networkWatcherLocation": {
+ "defaultValue": "[resourceGroup().location]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher location",
+ "description": "Location for the Network Watcher resource."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkWatchers",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('networkWatcherName')]",
+ "location": "[parameters('networkWatcherLocation')]",
+ "condition": "[parameters('deployHub')]",
+ "tags": {
+ "component": "hub-shared-network-vnet"
+ },
+ "properties": {}
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "networkWatcherName": {
+ "value": "[parameters('networkWatcherName')]"
+ },
+ "networkWatcherLocation": {
+ "value": "[parameters('networkWatcherLocation')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "resourceGroup": "NetworkWatcherResourceGroup",
+ "displayName": "Azure Network Watcher template",
+ "description": "Azure Network Watcher template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-network-watcher",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-network-watcher"
+}
\ No newline at end of file
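Review bot: The `component` tag on the `Microsoft.Network/networkWatchers` resource is `hub-shared-network-vnet`, which does not match this artifact (`hub-shared-network-watcher`); component tags are what inventory, cost and compliance queries key on, so the watcher would be attributed to the VNet component. The line should read `"component": "hub-shared-network-watcher"`, following the pattern the security-log artifact in the next file uses (its resources are tagged `hub-shared-security-log`). Separately, the default name `NetworkWatcher_<location>` appears to mirror the name Azure gives the watcher it creates automatically per region, and a subscription can hold only one watcher per region; if one already exists outside `NetworkWatcherResourceGroup` this deployment may conflict, which is worth confirming and noting in the `networkWatcherName` parameter description.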
diff --git a/samples/001-builtins/ASBF_Gov/artifact.hub-shared-security-log.json b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-security-log.json
new file mode 100644
index 0000000..d30f513
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/artifact.hub-shared-security-log.json
@@ -0,0 +1,1429 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ },
+ "workspaceLocation": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Log Analytics workspace location",
+ "description": "Location where Log Analytics workspace will be created; run `Get-AzLocation | Where-Object Providers -like 'Microsoft.OperationalInsights' | Select DisplayName` in Azure PowersShell to see available regions."
+ }
+ },
+ "automationAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "Azure Automation account ID (optional)",
+ "description": "Automation account resource ID; used to create a linked service between Log Analytics and an Automation account."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ }
+ },
+ "variables": {
+ "location": "[resourceGroup().location]",
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "unique-string": "[uniqueString(subscription().id, concat(variables('deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]",
+ "log-analytics-search-version": 1,
+ "solutions": [
+ {
+ "name": "[concat('Updates', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "Updates"
+ },
+ {
+ "name": "[concat('AzureAutomation', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "AzureAutomation"
+ },
+ {
+ "name": "[concat('AntiMalware', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "AntiMalware"
+ },
+ {
+ "name": "[concat('SQLAssessment', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "SQLAssessment"
+ },
+ {
+ "name": "[concat('Security', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "Security"
+ },
+ {
+ "name": "[concat('ChangeTracking', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "ChangeTracking"
+ },
+ {
+ "name": "[concat('KeyVaultAnalytics', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "KeyVaultAnalytics"
+ },
+ {
+ "name": "[concat('AzureSQLAnalytics', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "AzureSQLAnalytics"
+ },
+ {
+ "name": "[concat('ServiceMap', '(', variables('oms-workspace-name'), ')')]",
+ "galleryName": "ServiceMap"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2020-03-01-preview",
+ "location": "[parameters('workspaceLocation')]",
+ "name": 
"[variables('oms-workspace-name')]", + "condition": "[parameters('deployHub')]", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "features": { + "searchVersion": "[variables('log-analytics-search-version')]" + }, + "sku": { + "name": "PerGB2018" + }, + "retentionInDays": "[parameters('logsRetentionInDays')]" + }, + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-03-01-preview", + "name": "VMSSQueries", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "etag": "*", + "DisplayName": "VMSS Instance Count", + "Category": "Security", + "Query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer" + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-03-01-preview", + "name": "AzureFirewallThreatDeny", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "etag": "*", + "DisplayName": "Azure Threat Deny", + "Category": "Security", + "Query": "AzureDiagnostics | where ResourceType == 'AZUREFIREWALLS' and msg_s contains 'Deny'" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "[subscription().subscriptionId]", + "location": "[parameters('workspaceLocation')]", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "AzureActivityLog", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]" + } + }, + { + "type": "datasources", + 
"apiVersion": "2020-03-01-preview", + "name": "applicationEvent", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsEvent", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "eventLogName": "Application", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "systemEvent", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsEvent", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "eventLogName": "System", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ] + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter1", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Processor Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter2", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Privileged Time" + } + }, + { + 
"type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter3", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% User Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter4", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Processor", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processor Frequency" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter5", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Thread Count" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter6", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Handle Count" + } + }, + { + "type": "datasources", + 
"apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter7", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "System Up Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter8", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Context Switches/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter9", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processor Queue Length" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter10", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "System", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Processes" + } + }, + { + "type": "datasources", + "apiVersion": 
"2020-03-01-preview", + "name": "windowsPerfCounter11", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Committed Bytes In Use" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter12", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available MBytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter13", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Available Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter14", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Committed Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + 
"name": "windowsPerfCounter15", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Cache Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter16", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Paged Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter17", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pool Nonpaged Bytes" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter18", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Pages/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter19", + 
"condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Memory", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Page Faults/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter20", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter21", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "Process", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Working Set - Private" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter22", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter23", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Read Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter24", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Disk Write Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter25", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "% Idle Time" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter26", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Bytes/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter27", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Read Bytes/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter28", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Write Bytes/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter29", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Transfers/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter30", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Reads/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter31", + "condition": 
"[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Disk Writes/sec" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter32", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk sec/Transfer" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter33", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk sec/Read" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter34", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. 
Disk sec/Write" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter35", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. Disk Queue Length" + } + }, + { + "type": "datasources", + "apiVersion": "2020-03-01-preview", + "name": "windowsPerfCounter36", + "condition": "[parameters('deployHub')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]" + ], + "kind": "WindowsPerformanceCounter", + "tags": { + "component": "hub-shared-security-log" + }, + "properties": { + "objectName": "LogicalDisk", + "instanceName": "*", + "intervalSeconds": 60, + "counterName": "Avg. 
Disk Write Queue Length"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter37",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "% Free Space"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter38",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "LogicalDisk",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Free Megabytes"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter39",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Bytes Total/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter40",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Bytes Sent/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter41",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Bytes Received/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter42",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter43",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Sent/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter44",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Received/sec"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter45",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Outbound Errors"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "windowsPerfCounter46",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "WindowsPerformanceCounter",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "objectName": "Network Interface",
+ "instanceName": "*",
+ "intervalSeconds": 60,
+ "counterName": "Packets Received Errors"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleIISLog1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "IISLogs",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "state": "OnPremiseEnabled"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleSyslog1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxSyslog",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "syslogName": "kern",
+ "syslogSeverities": [
+ {
+ "severity": "emerg"
+ },
+ {
+ "severity": "alert"
+ },
+ {
+ "severity": "crit"
+ },
+ {
+ "severity": "err"
+ },
+ {
+ "severity": "warning"
+ }
+ ]
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleSyslogCollection1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxSyslogCollection",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "state": "Enabled"
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleLinuxPerf1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxPerformanceObject",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "performanceCounters": [
+ {
+ "counterName": "% Used Inodes"
+ },
+ {
+ "counterName": "Free Megabytes"
+ },
+ {
+ "counterName": "% Used Space"
+ },
+ {
+ "counterName": "Disk Transfers/sec"
+ },
+ {
+ "counterName": "Disk Reads/sec"
+ },
+ {
+ "counterName": "Disk Writes/sec"
+ }
+ ],
+ "objectName": "Logical Disk",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ }
+ },
+ {
+ "type": "datasources",
+ "apiVersion": "2020-03-01-preview",
+ "name": "sampleLinuxPerfCollection1",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "kind": "LinuxPerformanceCollection",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "state": "Enabled"
+ }
+ }
+ ]
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "nestedTemplate",
+ "condition": "[parameters('deployHub')]",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": []
+ },
+ "parameters": {}
+ }
+ },
+ {
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "name": "[concat(variables('solutions')[copyIndex()].name)]",
+ "location": "[parameters('workspaceLocation')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"
+ ],
+ "copy": {
+ "name": "solutionCopy",
+ "count": "[length(variables('solutions'))]",
+ "mode": "Serial"
+ },
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]"
+ },
+ "plan": {
+ "name": "[variables('solutions')[copyIndex()].name]",
+ "product": "[concat('OMSGallery/', variables('solutions')[copyIndex()].galleryName)]",
+ "promotionCode": "",
+ "publisher": "Microsoft"
+ }
+ },
+ {
+ "comments": "*Log Analytics Workspace resource lock*",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/locks",
+ "apiVersion": "2017-04-01",
+ "name": "[concat(variables('oms-workspace-name'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('oms-workspace-name')]"
+ ],
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "comments": "*Diagnostic storage account*",
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('diagnostic-storage-account-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS"
+ },
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "encryption": {
+ "keySource": "Microsoft.Storage",
+ "services": {
+ "blob": {
+ "enabled": true
+ },
+ "file": {
+ "enabled": true
+ }
+ }
+ },
+ "allowBlobPublicAccess": false,
+ "supportsHttpsTrafficOnly": true,
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "defaultAction": "Deny"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/providers/locks",
+ "apiVersion": "2016-09-01",
+ "name": "[concat(variables('diagnostic-storage-account-name'), '/Microsoft.Authorization/storageDoNotDelete')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]"
+ ],
+ "comments": "Resource lock on diagnostic storage account",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/storageinsightconfigs",
+ "apiVersion": "2020-03-01-preview",
+ "name": "[concat(variables('oms-workspace-name'), '/', variables('diagnostic-storage-account-name'))]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[concat('Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]"
+ ],
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "containers": [],
+ "tables": [
+ "WADWindowsEventLogsTable",
+ "WADETWEventTable",
+ "WADServiceFabric*EventTable",
+ "LinuxsyslogVer2v0"
+ ],
+ "storageAccount": {
+ "id": "[resourceId('Microsoft.Storage/storageAccounts/', variables('diagnostic-storage-account-name'))]",
+ "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
+ "apiVersion": "2020-03-01-preview",
+ "name": "[concat(variables('oms-workspace-name'), '/' , 'Automation')]",
+ "location": "[parameters('workspaceLocation')]",
+ "condition": "[and(parameters('deployHub'), not(empty(parameters('automationAccountId'))))]",
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "resourceId": "[parameters('automationAccountId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('oms-workspace-name'),'/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deployHub')]",
+ "dependsOn": [
+ "[variables('oms-workspace-name')]",
+ "[variables('diagnostic-storage-account-name')]"
+ ],
+ "tags": {
+ "component": "hub-shared-security-log"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "workspaceLocation": {
+ "value": "[parameters('hub-shared-security-log_workspaceLocation')]"
+ },
+ "automationAccountId": {
+ "value": "[parameters('hub-shared-security-log_automationAccountId')]"
+ },
+ "deployHub": {
+ "value": "[parameters('deployHub')]"
+ }
+ },
+ "resourceGroup": "HubResourceGroup",
+ "displayName": "Azure Log Analytics and Diagnostics template",
+ "description": "Azure Log Analytics and Diagnostics template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/hub-shared-security-log",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "hub-shared-security-log"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF_Gov/artifact.spoke-workload-network-vnet.json b/samples/001-builtins/ASBF_Gov/artifact.spoke-workload-network-vnet.json
new file mode 100644
index 0000000..c306cb0
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/artifact.spoke-workload-network-vnet.json
@@ -0,0 +1,342 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "displayName": "Hub subscription ID",
+ "description": "Subscription ID where hub is deployed; default value is the subscription where the blueprint definition is located."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "spokeName": {
+ "type": "string",
+ "defaultValue": "spoke-workload",
+ "metadata": {
+ "displayName": "Spoke name",
+ "description": "Name of the spoke."
+ }
+ },
+ "deploySpoke": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy spoke",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the spoke components of the architecture."
+ }
+ },
+ "spokeVnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.1.0.0/16",
+ "metadata": {
+ "displayName": "Virtual network address prefix",
+ "description": "Virtual Network address prefix for spoke virtual network."
+ }
+ },
+ "spokeSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.1.0.0/24",
+ "metadata": {
+ "displayName": "Subnet address prefix",
+ "description": "Subnet address prefix for spoke virtual network."
+ }
+ },
+ "spokeOptionalSubnetNames": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address names (optional)",
+ "description": "Array of subnet names to deploy to the spoke virtual network; for example, \"subnet1\",\"subnet2\"."
+ }
+ },
+ "spokeOptionalSubnetPrefixes": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address prefixes (optional)",
+ "description": "Array of IP address prefixes for optional subnets for the spoke virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"."
+ }
+ },
+ "enableDdosProtection": {
+ "type": "bool",
+ "defaultValue": "true",
+ "metadata": {
+ "displayName": "Enable DDoS protection",
+ "description": "Enter 'true' or 'false' to specify whether or not DDoS Protection is enabled in the virtual network."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ }
+ },
+ "variables": {
+ "location": "[resourceGroup().location]",
+ "hub-deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('hubName')))]",
+ "hub-resource-group-name": "[concat(variables('hub-deployment-prefix'), '-rg')]",
+ "hub-vnet-name": "[concat(variables('hub-deployment-prefix'), '-vnet')]",
+ "hub-vnet-resource-id": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/virtualNetworks', variables('hub-vnet-name'))]",
+ "oms-workspace-name": "[concat(variables('hub-deployment-prefix'), '-log')]",
+ "unique-string": "[uniqueString(concat('/subscriptions/', parameters('hubSubscriptionId')), concat(variables('hub-deployment-prefix')))]",
+ "diagnostic-storage-account-prefix": "[concat(replace(variables('hub-deployment-prefix'), '-', ''), 'diag')]",
+ "diagnostic-storage-account-name": "[toLower(substring(replace(concat(variables('diagnostic-storage-account-prefix'), variables('unique-string'), variables('unique-string')), '-', ''), 0, 23) )]",
+ "ddos-protection-plan-name": "[concat(variables('hub-deployment-prefix'), '-ddos-plan')]",
+ "ddos-protection-plan-id": {
+ "id": "[resourceId(variables('hub-resource-group-name'), 'Microsoft.Network/ddosProtectionPlans', variables('ddos-protection-plan-name'))]"
+ },
+ "deployment-prefix": "[toLower(concat(parameters('namePrefix'), '-', parameters('spokeName')))]",
+ "vnet-name": "[concat(variables('deployment-prefix'), '-vnet')]",
+ "spoke-vnet-resource-id": "[resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.Network/virtualNetworks', variables('vnet-name'))]",
+ "static-subnets": [
+ {
+ "name": "workload-subnet",
+ "address-prefix": "[parameters('spokeSubnetAddressPrefix')]",
+ "network-security-group": "workload-subnet",
+ "user-defined-route": "default",
+ "service-endpoints": []
+ }
+ ],
+ "copy": [
+ {
+ "name": "optional-subnets",
+ "count": "[length(parameters('spokeOptionalSubnetNames'))]",
+ "input": {
+ "name": "[parameters('SpokeOptionalSubnetNames')[copyIndex('optional-subnets')]]",
+ "address-prefix": "[parameters('spokeOptionalSubnetPrefixes')[copyIndex('optional-subnets')]]",
+ "user-defined-route": "default",
+ "network-security-group": "default-deny",
+ "service-endpoints": []
+ }
+ }
+ ],
+ "subnets": "[union(variables('static-subnets'), variables('optional-subnets'))]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('vnet-name')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deploySpoke')]",
+ "tags": {
+ "component": "spoke-workload-network-vnet"
+ },
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('spokeVnetAddressPrefix')]"
+ ]
+ },
+ "enableDdosProtection": "[parameters('enableDdosProtection')]",
+ "ddosProtectionPlan": "[if(parameters('enableDdosProtection'), variables('ddos-protection-plan-id'), json('null'))]",
+ "copy": [
+ {
+ "name": "subnets",
+ "count": "[length(variables('subnets'))]",
+ "input": {
+ "name": "[variables('subnets')[copyIndex('subnets')].name]",
+ "properties": {
+ "addressPrefix": "[variables('subnets')[copyIndex('subnets')]['address-prefix']]",
+ "networkSecurityGroup": "[if(equals(variables('subnets')[copyIndex('subnets')]['network-security-group'], ''), json('null'), json(concat('{\"id\": \"', resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/networkSecurityGroups', concat(variables('hub-deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['network-security-group'], '-nsg')), '\"}')))]",
+ "routeTable": "[if(equals(variables('subnets')[copyIndex('subnets')]['user-defined-route'], ''), json('null'), json(concat('{\"id\": \"', resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/routeTables', concat(variables('hub-deployment-prefix'), '-', variables('subnets')[copyIndex('subnets')]['user-defined-route'], '-udr')), '\"}')))]",
+ "serviceEndpoints": "[if(equals(length(variables('subnets')[copyIndex('subnets')]['service-endpoints']), 0), json('null'), variables('subnets')[copyIndex('subnets')]['service-endpoints'])]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(variables('vnet-name'), '/', parameters('hubName'), '-peering')]",
+ "condition": "[parameters('deploySpoke')]",
+ "dependsOn": [
+ "[variables('vnet-name')]"
+ ],
+ "properties": {
+ "peeringState": "Connected",
+ "remoteVirtualNetwork": {
+ "id": "[variables('hub-vnet-resource-id')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": false,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false,
+ "remoteAddressSpace": {
+ "addressPrefixes": "[reference(variables('hub-vnet-resource-id'), '2020-05-01').addressSpace.addressPrefixes]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(variables('vnet-name'),'/Microsoft.Insights/service')]",
+ "location": "[variables('location')]",
+ "condition": "[parameters('deploySpoke')]",
+ "dependsOn": [
+ "[variables('vnet-name')]"
+ ],
+ "tags": {
+ "component": "spoke-workload-network-vnet"
+ },
+ "properties": {
+ "storageAccountId": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Storage/storageAccounts', variables('diagnostic-storage-account-name'))]",
+ "workspaceId": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.OperationalInsights/workspaces', variables('oms-workspace-name'))]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": "[parameters('logsRetentionInDays')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-09-01",
+ "name": "[concat('nested.configure.vnet-peering-', variables('vnet-name'))]",
+ "subscriptionId": "[parameters('hubSubscriptionId')]",
+ "resourceGroup": "[variables('hub-resource-group-name')]",
+ "condition": "[parameters('deploySpoke')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/virtualNetworks', variables('vnet-name'))]"
+ ],
+ "tags": {
+ "component": "spoke-workload-network-vnet"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "hub-vnet-name": {
+ "type": "String"
+ },
+ "deployment-prefix": {
+ "type": "string"
+ },
+ "spoke-vnet-resource-id": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(parameters('hub-vnet-name'), '/', parameters('deployment-prefix'), '-peering')]",
+ "properties": {
+ "peeringState": "Connected",
+ "remoteVirtualNetwork": {
+ "id": "[parameters('spoke-vnet-resource-id')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": false,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": false,
+ "remoteAddressSpace": {
+ "addressPrefixes": "[reference(parameters('spoke-vnet-resource-id'), '2020-05-01').addressSpace.addressPrefixes]"
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "hub-vnet-name": {
+ "value": "[variables('hub-vnet-name')]"
+ },
+ "deployment-prefix": {
+ "value": "[variables('deployment-prefix')]"
+ },
+ "spoke-vnet-resource-id": {
+ "value": "[variables('spoke-vnet-resource-id')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "namePrefix": {
+ "value": "[parameters('namePrefix')]"
+ },
+ "hubSubscriptionId": {
+ "value": "[parameters('hubSubscriptionId')]"
+ },
+ "hubName": {
+ "value": "[parameters('hubName')]"
+ },
+ "spokeName": {
+ "value": "[parameters('spokeName')]"
+ },
+ "spokeVnetAddressPrefix": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeVnetAddressPrefix')]"
+ },
+ "spokeSubnetAddressPrefix": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeSubnetAddressPrefix')]"
+ },
+ "spokeOptionalSubnetNames": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeOptionalSubnetNames')]"
+ },
+ "spokeOptionalSubnetPrefixes": {
+ "value": "[parameters('spoke-workload-network-vnet_spokeOptionalSubnetPrefixes')]"
+ },
+ "enableDdosProtection": {
+ "value": "[parameters('enableDdosProtection')]"
+ },
+ "logsRetentionInDays": {
+ "value": "[parameters('logsRetentionInDays')]"
+ },
+ "deploySpoke": {
+ "value": "[parameters('deploySpoke')]"
+ }
+ },
+ "dependsOn": [
+ "hub-shared-security-log",
+ "hub-shared-network-nsg",
+ "hub-shared-network-vnet",
+ "hub-shared-network-firewall"
+ ],
+ "resourceGroup": "SpokeResourceGroup",
+ "displayName": "Azure Virtual Network spoke template",
+ "description": "Azure Virtual Network spoke template."
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov/artifacts/spoke-workload-network-vnet",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "spoke-workload-network-vnet"
+ }
\ No newline at end of file
diff --git a/samples/001-builtins/ASBF_Gov/blueprint.json b/samples/001-builtins/ASBF_Gov/blueprint.json
new file mode 100644
index 0000000..40d188f
--- /dev/null
+++ b/samples/001-builtins/ASBF_Gov/blueprint.json
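Review bot: The `ddos-protection-plan-id` variable builds the plan's ID as `resourceId(variables('hub-resource-group-name'), 'Microsoft.Network/ddosProtectionPlans', ...)` without the `parameters('hubSubscriptionId')` argument that `hub-vnet-resource-id`, `storageAccountId` and `workspaceId` in the same template all pass, so when the hub is in a different subscription the ID resolves against the spoke's own subscription and presumably points at a plan that does not exist there. The consistent form is `"id": "[resourceId(parameters('hubSubscriptionId'), variables('hub-resource-group-name'), 'Microsoft.Network/ddosProtectionPlans', variables('ddos-protection-plan-name'))]"`. Separately, `enableDdosProtection` is declared `"type": "bool"` but its default is the string `"true"`, unlike the unquoted `true` used for `deploySpoke` here and for the same parameter in blueprint.json; and the spoke virtual network's diagnostic setting has `"retentionPolicy": { "enabled": false, ... }`, so the `logsRetentionInDays` value bound to `days` has no effect on the storage-account copy of these metrics, whereas the hub-shared-security-log artifact enables retention for its workspace metrics.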
@@ -0,0 +1,280 @@
+{
+ "properties": {
+ "parameters": {
+ "namePrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Prefix for resources and resource groups",
+ "description": "This string will be used as a prefix for all resource and resource group names."
+ }
+ },
+ "hubName": {
+ "type": "string",
+ "defaultValue": "hub-shared",
+ "metadata": {
+ "displayName": "Hub name",
+ "description": "Name for the hub."
+ }
+ },
+ "hubLocation": {
+ "type": "string",
+ "metadata": {
+ "strongType": "location",
+ "displayName": "Hub location",
+ "description": "Location for the hub resource group."
+ }
+ },
+ "hubSubscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "displayName": "Hub subscription ID",
+ "description": "Subscription ID where hub is deployed; default value is the subscription where the blueprint is assigned (scope)."
+ }
+ },
+ "deployHub": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy hub",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the hub components of the architecture."
+ }
+ },
+ "spokeName": {
+ "type": "string",
+ "defaultValue": "spoke-workload",
+ "metadata": {
+ "displayName": "Spoke name",
+ "description": "Name of the spoke."
+ }
+ },
+ "deploySpoke": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Deploy spoke",
+ "description": "Enter 'true' or 'false' to specify whether the assignment will deploy the spoke components of the architecture."
+ }
+ },
+ "logsRetentionInDays": {
+ "type": "int",
+ "defaultValue": 365,
+ "minValue": 0,
+ "maxValue": 365,
+ "metadata": {
+ "displayName": "Log retention (days)",
+ "description": "Number of days that logs will be retained; entering '0' will retain logs indefinitely."
+ }
+ },
+ "hub-shared-security-log_workspaceLocation": {
+ "type": "string",
+ "defaultValue": "[parameters('hubLocation')]",
+ "metadata": {
+ "displayName": "Log Analytics workspace location",
+ "description": "Location where Log Analytics workspace will be created; run `Get-AzLocation | Where-Object Providers -like 'Microsoft.OperationalInsights' | Select DisplayName` in Azure PowersShell to see available regions."
+ }
+ },
+ "hub-shared-security-log_automationAccountId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "Azure Automation account ID (optional)",
+ "description": "Automation account resource ID; used to create a linked service between Log Analytics and an Automation account."
+ }
+ },
+ "networkWatcherName": {
+ "defaultValue": "[concat('NetworkWatcher_', parameters('networkWatcherLocation'))]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher name",
+ "description": "Name for the Network Watcher resource."
+ }
+ },
+ "networkWatcherLocation": {
+ "defaultValue": "[parameters('hubLocation')]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher location",
+ "description": "Location for the Network Watcher resource."
+ }
+ },
+ "networkWatcherResourceGroup": {
+ "defaultValue": "NetworkWatcherRG",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher resource group name",
+ "description": "Name for the Network Watcher resource group."
+ }
+ },
+ "networkWatcherResourceGroupLocation": {
+ "defaultValue": "[parameters('hubLocation')]",
+ "type": "string",
+ "metadata": {
+ "displayName": "Network Watcher resource group location",
+ "description": "Location of the Network Watcher resource group."
+ }
+ },
+ "hub-shared-network-nsg_enableNsgFlowLogs": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Enable NSG flow logs",
+ "description": "Enter 'true' or 'false' to enable or disable NSG flow logs."
+ }
+ },
+ "destinationAddresses": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Destination IP addresses",
+ "description": "Destination IP addresses for outbound connectivity; comma-separated list of IP addresses or IP range prefixes."
+ },
+ "defaultValue": "0.0.0.0"
+ },
+ "hub-shared-network-vnet_vnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.0.0/16",
+ "metadata": {
+ "displayName": "Virtual network address prefix",
+ "description": "Virtual network address prefix for hub virtual network."
+ }
+ },
+ "hub-shared-network-vnet_azureFirewallSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.0.0/26",
+ "metadata": {
+ "displayName": "Firewall subnet address prefix",
+ "description": "Firewall subnet address prefix for hub virtual network."
+ }
+ },
+ "hub-shared-network-vnet_bastionSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.1.0/27",
+ "metadata": {
+ "displayName": "Bastion subnet address prefix",
+ "description": "Bastion subnet address prefix for hub virtual network."
+ }
+ },
+ "hub-shared-network-vnet_gatewaySubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.2.0/24",
+ "metadata": {
+ "displayName": "Gateway subnet address prefix",
+ "description": "Gateway subnet address prefix for hub virtual network."
+ }
+ },
+ "hub-shared-network-vnet_managementSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.3.0/24",
+ "metadata": {
+ "displayName": "Management subnet address prefix",
+ "description": "Management subnet address prefix for hub virtual network."
+ }
+ },
+ "hub-shared-network-vnet_jumpBoxSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.0.4.0/24",
+ "metadata": {
+ "displayName": "Jump box subnet address prefix",
+ "description": "Jump box subnet address prefix for hub virtual network."
+ }
+ },
+ "hub-shared-network-vnet_optionalSubnetNames": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address names (optional)",
+ "description": "Array of subnet names to deploy to the hub virtual network; for example, \"subnet1\",\"subnet2\"."
+ }
+ },
+ "hub-shared-network-vnet_optionalSubnetPrefixes": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address prefixes (optional)",
+ "description": "Array of IP address prefixes for optional subnets for hub virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"."
+ }
+ },
+ "enableDdosProtection": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "displayName": "Enable DDoS protection",
+ "description": "Enter 'true' or 'false' to specify whether or not DDoS Protection is enabled in the virtual network."
+ }
+ },
+ "hub-shared-network-firewall_azureFirewallPrivateIP": {
+ "type": "string",
+ "defaultValue": "10.0.0.4",
+ "metadata": {
+ "displayName": "Azure Firewall private IP address",
+ "description": "Azure Firewall private IP address."
+ }
+ },
+ "spoke-workload-network-vnet_spokeVnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.1.0.0/16",
+ "metadata": {
+ "displayName": "Virtual Network address prefix",
+ "description": "Virtual Network address prefix for spoke virtual network."
+ }
+ },
+ "spoke-workload-network-vnet_spokeSubnetAddressPrefix": {
+ "type": "string",
+ "defaultValue": "10.1.0.0/24",
+ "metadata": {
+ "displayName": "Subnet address prefix",
+ "description": "Subnet address prefix for spoke virtual network."
+ }
+ },
+ "spoke-workload-network-vnet_spokeOptionalSubnetNames": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address names (optional)",
+ "description": "Array of subnet names to deploy to the spoke virtual network; for example, \"subnet1\",\"subnet2\"."
+ }
+ },
+ "spoke-workload-network-vnet_spokeOptionalSubnetPrefixes": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Subnet address prefixes (optional)",
+ "description": "Array of IP address prefixes for optional subnets for the spoke virtual network; for example, \"10.0.7.0/24\",\"10.0.8.0/24\"."
+ }
+ }
+ },
+ "resourceGroups": {
+ "HubResourceGroup": {
+ "name": "[concat(parameters('namePrefix'), '-', parameters('hubName'), '-rg')]",
+ "location": "[parameters('hubLocation')]",
+ "metadata": {
+ "displayName": "Hub resource group"
+ }
+ },
+ "SpokeResourceGroup": {
+ "name": "[concat(parameters('namePrefix'), '-', parameters('spokeName'), '-rg')]",
+ "location": "[parameters('hubLocation')]",
+ "metadata": {
+ "displayName": "Spoke resource group"
+ }
+ },
+ "NetworkWatcherResourceGroup": {
+ "name": "[parameters('networkWatcherResourceGroup')]",
+ "location": "[parameters('networkWatcherResourceGroupLocation')]",
+ "metadata": {
+ "displayName": "Network Watcher resource group"
+ }
+ }
+ },
+ "targetScope": "subscription",
+ "status": {
+ "timeCreated": "2020-12-04T23:25:37+00:00",
+ "lastModified": "2021-02-12T23:31:27.4720923+00:00"
+ },
+ "displayName": "Azure Security Benchmark Foundation (Preview)",
+ "description": "Deploys and configures Azure Security Benchmark Foundation (Preview)."
+ },
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASBF_Gov",
+ "type": "Microsoft.Blueprint/blueprints",
+ "name": "ASBF_Gov"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/ASB_Gov/artifact.9360c414-c73d-4565-901b-107606917588.json b/samples/001-builtins/ASB_Gov/artifact.9360c414-c73d-4565-901b-107606917588.json
new file mode 100644
index 0000000..75ca241
--- /dev/null
+++ b/samples/001-builtins/ASB_Gov/artifact.9360c414-c73d-4565-901b-107606917588.json
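Review bot: The `hubSubscriptionId` description here says the default is "the subscription where the blueprint is assigned (scope)", while the same parameter in artifact.spoke-workload-network-vnet.json (same default, `[subscription().subscriptionId]`) says "where the blueprint definition is located"; the two should agree, and since the artifact receives `[parameters('hubSubscriptionId')]` from this file, the assignment-scope wording appears to be the accurate one. `PowersShell` in the `hub-shared-security-log_workspaceLocation` description is a typo for `PowerShell`. The `destinationAddresses` default `"0.0.0.0"` is a single address while the description promises addresses or range prefixes; if the consuming artifact (outside this hunk) treats it as a placeholder for "any destination", the description should say so, because that choice widens the outbound allow-list and a reader of this file cannot tell.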
@@ -0,0 +1,51 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92",
+ "parameters": {
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+ "value": "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
+ },
+ "listOfOnlyMembersInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('listOfOnlyMembersInWindowsVMAdministratorsGroup')]"
+ },
+ "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
+ "value": "[parameters('listOfRegionsWhereNetworkWatcherShouldBeEnabled')]"
+ },
+ "approvedVirtualNetworkForVMs": {
+ "value": "[parameters('approvedVirtualNetworkForVMs')]"
+ },
+ "approvedNetworkGatewayforVirtualNetworks": {
+ "value": "[parameters('approvedNetworkGatewayforVirtualNetworks')]"
+ },
+ "listOfWorkspaceIDsForLogAnalyticsAgent": {
+ "value": "[parameters('listOfWorkspaceIDsForLogAnalyticsAgent')]"
+ },
+ "listOfResourceTypesWithDiagnosticLogsEnabled": {
+ "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
+ },
+ "PHPLatestVersion": {
+ "value": "[parameters('PHPLatestVersion')]"
+ },
+ "JavaLatestVersion": {
+ "value": "[parameters('JavaLatestVersion')]"
+ },
+ "WindowsPythonLatestVersion": {
+ "value": "[parameters('WindowsPythonLatestVersion')]"
+ },
+ "LinuxPythonLatestVersion": {
+ "value": "[parameters('LinuxPythonLatestVersion')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Azure Security Benchmark"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASB_Gov/artifacts/9360c414-c73d-4565-901b-107606917588",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "9360c414-c73d-4565-901b-107606917588"
+}
diff --git a/samples/001-builtins/ASB_Gov/blueprint.json b/samples/001-builtins/ASB_Gov/blueprint.json
new file mode 100644
index 0000000..2240302
--- /dev/null
+++ b/samples/001-builtins/ASB_Gov/blueprint.json
@@ -0,0 +1,322 @@
+{
+ "properties": {
+ "parameters": {
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users excluded from Windows VM Administrators group",
+ "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users that must be included in Windows VM Administrators group",
+ "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfOnlyMembersInWindowsVMAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users that Windows VM Administrators group must *only* include",
+ "description": "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of regions where Network Watcher should be enabled",
+ "description": "To see a complete list of regions use Get-AzLocation",
+ "strongType": "location"
+ },
+ "defaultValue": [
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "eastasia",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "francesouth",
+ "germanynorth",
+ "germanywestcentral",
+ "global",
+ "japaneast",
+ "japanwest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "norwaywest",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southeastasia",
+ "southindia",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2"
+ ],
+ "allowedValues": [
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "eastasia",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "francesouth",
+ "germanynorth",
+ "germanywestcentral",
+ "global",
+ "japaneast",
+ "japanwest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "norwaywest",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southeastasia",
+ "southindia",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2"
+ ]
+ },
+ "approvedVirtualNetworkForVMs": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Virtual network where VMs should be connected",
+ "description": "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name",
+ "strongType": "Microsoft.Network/virtualNetworks"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "approvedNetworkGatewayforVirtualNetworks": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Network gateway that virtual networks should use",
+ "description": "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name",
+ "strongType": "Microsoft.Network/virtualNetworkGateways"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfWorkspaceIDsForLogAnalyticsAgent": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of workspace IDs where Log Analytics agents should connect",
+ "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfResourceTypesWithDiagnosticLogsEnabled": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of resource types that should have diagnostic logs enabled",
+ "description": "Audit diagnostic setting for selected resource types"
+ },
+ "defaultValue": [
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
+ ],
+ "allowedValues": [
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
+ ]
+ },
+ "PHPLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest PHP version",
+ "description": "Latest supported PHP version for App Services"
+ },
+ "defaultValue": "7.3",
+ "allowedValues": [
+
+ ]
+ },
+ "JavaLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Java version",
+ "description": "Latest supported Java version for App Services"
+ },
+ "defaultValue": "11",
+ "allowedValues": [
+
+ ]
+ },
+ "WindowsPythonLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Windows Python version",
+ "description": "Latest supported Python version for App Services"
+ },
+ "defaultValue": "3.6",
+ "allowedValues": [
+
+ ]
+ },
+ "LinuxPythonLatestVersion": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Linux Python version",
+ "description": "Latest supported Python version for App Services"
+ },
+ "defaultValue": "3.8",
+ "allowedValues": [
+
+ ]
+ }
+ },
+ "resourceGroups": {
+
+ },
+ "targetScope": "subscription",
+ "status": {
+ "timeCreated": "2020-04-15T07:47:59+00:00",
+ "lastModified": "2020-04-15T07:47:59.3837912+00:00"
+ },
+ "displayName": "Azure Security Benchmark",
+ "description": "Assigns policies to address specific recommendations from the Azure Security Benchmark."
+ },
+ "id": "/providers/Microsoft.Blueprint/blueprints/ASB_Gov",
+ "type": "Microsoft.Blueprint/blueprints",
+ "name": "ASB_Gov"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/Australia-IRAP/artifact.95a77cc6-3c46-4602-93b5-608962ae18fb.json b/samples/001-builtins/Australia-IRAP/artifact.95a77cc6-3c46-4602-93b5-608962ae18fb.json
new file mode 100644
index 0000000..b3cf35a
--- /dev/null
+++ b/samples/001-builtins/Australia-IRAP/artifact.95a77cc6-3c46-4602-93b5-608962ae18fb.json
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('allowedlocationsforresourcegroups_listOfAllowedLocations')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Allowed locations for resource groups"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/Australia-IRAP/artifacts/95a77cc6-3c46-4602-93b5-608962ae18fb",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "95a77cc6-3c46-4602-93b5-608962ae18fb"
+}
diff --git a/samples/001-builtins/Australia-IRAP/artifact.980566d2-be54-4883-a1bf-c019ee0940c3.json b/samples/001-builtins/Australia-IRAP/artifact.980566d2-be54-4883-a1bf-c019ee0940c3.json
new file mode 100644
index 0000000..e9ca38c
--- /dev/null
+++ b/samples/001-builtins/Australia-IRAP/artifact.980566d2-be54-4883-a1bf-c019ee0940c3.json
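Review bot: The `defaultValue` and `allowedValues` of `listOfRegionsWhereNetworkWatcherShouldBeEnabled` in this ASB_Gov blueprint list only Azure public-cloud regions (australiacentral through westus2, plus global), so if the `_Gov` suffix means this sample targets Azure Government, the Network Watcher check cannot be scoped to a Government region and `allowedValues` would reject one if supplied. Either replace both lists with the Government regions or drop `allowedValues` and let the `"strongType": "location"` drive validation. Separately, `PHPLatestVersion` (`"7.3"`), `WindowsPythonLatestVersion` (`"3.6"`) and `LinuxPythonLatestVersion` (`"3.8"`) are point-in-time snapshots while their descriptions claim "Latest supported", so the descriptions should say so, e.g. `"description": "Latest supported PHP version for App Services; the default is a snapshot and is updated with each sample drop"`. The empty `allowedValues` arrays on every string parameter constrain nothing and could be omitted.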
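Review bot: This assignment references `[parameters('allowedlocationsforresourcegroups_listOfAllowedLocations')]`, and the sibling artifact 980566d2 references `[parameters('allowedlocations_listOfAllowedLocations')]`; both names must exist under `properties.parameters` in Australia-IRAP/blueprint.json, and the visible start of that file's hunk does not declare either, though the hunk runs past this page so they may appear further down. Worth a cross-check before the drop is published, since an unresolved `parameters()` reference presumably fails when the blueprint is imported rather than when it is assigned.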
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('allowedlocations_listOfAllowedLocations')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Allowed locations"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/Australia-IRAP/artifacts/980566d2-be54-4883-a1bf-c019ee0940c3",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "980566d2-be54-4883-a1bf-c019ee0940c3"
+}
diff --git a/samples/001-builtins/Australia-IRAP/artifact.cc6a9858-19d4-4ec7-a02c-3595fe553133.json b/samples/001-builtins/Australia-IRAP/artifact.cc6a9858-19d4-4ec7-a02c-3595fe553133.json
new file mode 100644
index 0000000..9bd2db7
--- /dev/null
+++ b/samples/001-builtins/Australia-IRAP/artifact.cc6a9858-19d4-4ec7-a02c-3595fe553133.json
@@ -0,0 +1,192 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077",
+ "parameters": {
+ "membersToExclude": {
+ "value": "[parameters('membersToExclude')]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect": {
+ "value": "[parameters('vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect')]"
+ },
+ "adaptiveNetworkHardeningsMonitoringEffect": {
+ "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
+ },
+ "identityDesignateMoreThanOneOwnerMonitoringEffect": {
+ "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
+ },
+ "diskEncryptionMonitoringEffect": {
+ "value": "[parameters('diskEncryptionMonitoringEffect')]"
+ },
+ "functionAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "sqlDbEncryptionMonitoringEffect": {
+ "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
+ },
+ "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
+ },
+ "aadAuthenticationInSqlServerMonitoringEffect": {
+ "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
+ },
+ "diagnosticsLogsInRedisCacheMonitoringEffect": {
+ "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
+ },
+ "vmssEndpointProtectionMonitoringEffect": {
+ "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
+ },
+ "listOfImageIdToIncludeWindows": {
+ "value": "[parameters('listOfImageIdToIncludeWindows')]"
+ },
+ "listOfImageIdToIncludeLinux": {
+ "value": "[parameters('listOfImageIdToIncludeLinux')]"
+ },
+ "auditUnrestrictedNetworkToStorageAccountMonitoringEffect": {
+ "value": "[parameters('auditUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
+ },
+ "vmssOsVulnerabilitiesMonitoringEffect": {
+ "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
+ },
+ "secureTransferToStorageAccountMonitoringEffect": {
+ "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
+ },
+ "adaptiveApplicationControlsMonitoringEffect": {
+ "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
+ },
+ "identityDesignateLessThanOwnersMonitoringEffect": {
+ "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
+ },
+ "serverVulnerabilityAssessmentEffect": {
+ "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
+ },
+ "webAppRestrictCORSAccessMonitoringEffect": {
+ "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
+ },
+ "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
+ },
+ "identityRemoveDeprecatedAccountMonitoringEffect": {
+ "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
+ },
+ "functionAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
+ },
+ "vulnerabilityAssessmentMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentMonitoringEffect')]"
+ },
+ "logProfilesForActivityLogEffect": {
+ "value": "[parameters('logProfilesForActivityLogEffect')]"
+ },
+ "listOfResourceTypes": {
+ "value": "[parameters('listOfResourceTypes')]"
+ },
+ "systemUpdatesMonitoringEffect": {
+ "value": "[parameters('systemUpdatesMonitoringEffect')]"
+ },
+ "apiAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "identityEnableMFAForWritePermissionsMonitoringEffect": {
+ "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
+ },
+ "anitmalwareRequiredForWindowsServersEffect": {
+ "value": "[parameters('anitmalwareRequiredForWindowsServersEffect')]"
+ },
+ "webAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
+ },
+ "vnetEnableDDoSProtectionMonitoringEffect": {
+ "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
+ },
+ "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
+ "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
+ },
+ "endpointProtectionMonitoringEffect": {
+ "value": "[parameters('endpointProtectionMonitoringEffect')]"
+ },
+ "jitNetworkAccessMonitoringEffect": {
+ "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
+ },
+ "minimumTLSVersion": {
+ "value": "[parameters('minimumTLSVersion')]"
+ },
+ "aadAuthenticationInServiceFabricMonitoringEffect": {
+ "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
+ },
+ "apiAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
+ },
+ "vmssSystemUpdatesMonitoringEffect": {
+ "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
+ },
+ "webAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "systemConfigurationsMonitoringEffect": {
+ "value": "[parameters('systemConfigurationsMonitoringEffect')]"
+ },
+ "identityEnableMFAForReadPermissionsMonitoringEffect": {
+ "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
+ },
+ "enforcePasswordHistory": {
+ "value": "[parameters('enforcePasswordHistory')]"
+ },
+ "maximumPasswordAge": {
+ "value": "[parameters('maximumPasswordAge')]"
+ },
+ "minimumPasswordAge": {
+ "value": "[parameters('minimumPasswordAge')]"
+ },
+ "minimumPasswordLength": {
+ "value": "[parameters('minimumPasswordLength')]"
+ },
+ "passwordMustMeetComplexityRequirements": {
+ "value": "[parameters('passwordMustMeetComplexityRequirements')]"
+ },
+ "containerBenchmarkMonitoringEffect": {
+ "value": "[parameters('containerBenchmarkMonitoringEffect')]"
+ },
+ "apiAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
+ },
+ "vulnerabilityAssessmentOnServerMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
+ },
+ "webAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
+ "value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
+ },
+ "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
+ },
+ "functionAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "sqlDbVulnerabilityAssesmentMonitoringEffect": {
+ "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Australian Government ISM PROTECTED"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/Australia-IRAP/artifacts/cc6a9858-19d4-4ec7-a02c-3595fe553133",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "cc6a9858-19d4-4ec7-a02c-3595fe553133"
+}
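Review bot: The parameter keys `anitmalwareRequiredForWindowsServersEffect` and `sqlDbVulnerabilityAssesmentMonitoringEffect` carry spelling errors ("anitmalware", "Assesment") that the hunk then mirrors into the blueprint-side names inside `parameters('…')`. The keys on the left must match the parameter names of policy set definition 27272c0b-c225-4cc3-b8b0-f2534b093077 exactly, so they should stay as the definition spells them, but the names inside `parameters('…')` are local to this blueprint and could be spelled correctly provided Australia-IRAP/blueprint.json is changed in step; that file's visible hunk declares `anitmalwareRequiredForWindowsServersEffect` with the same misspelling. If the typos are kept on purpose, a one-line note in the sample README saying so would stop the next maintainer from "fixing" only one side.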
diff --git a/samples/001-builtins/Australia-IRAP/blueprint.json b/samples/001-builtins/Australia-IRAP/blueprint.json
new file mode 100644
index 0000000..7992358
--- /dev/null
+++ b/samples/001-builtins/Australia-IRAP/blueprint.json
@@ -0,0 +1,729 @@ +{ + "properties": { + "parameters": { + "membersToExclude": { + "type": "string", + "metadata": { + "displayName": "List of users excluded from Windows VM Administrators group", + "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2" + } + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "displayName": "Log Analytics Workspace Id that VMs should be configured for", + "description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for." + } + }, + "vulnerabilityAssessmentEmailSettingForReceivingScanReportsEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports", + "description": "Enable or disable the monitoring of Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "adaptiveNetworkHardeningsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Adaptive Network Hardening recommendations should be applied on internet facing virtual machines", + "description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityDesignateMoreThanOneOwnerMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "There should be more than one owner assigned to your subscription", + "description": "Enable or disable the monitoring of minimum owners in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "diskEncryptionMonitoringEffect": { + 
"type": "string", + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Enable or disable the monitoring for VM disk encryption" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "functionAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Remote debugging should be turned off for Function App", + "description": "Enable or disable the monitoring of remote debugging for Function App" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "sqlDbEncryptionMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Transparent Data Encryption on SQL databases should be enabled", + "description": "Enable or disable the monitoring of unencrypted SQL databases" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerability assessment should be enabled on your SQL managed instances", + "description": "Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities." 
+ }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "aadAuthenticationInSqlServerMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "An Azure Active Directory administrator should be provisioned for SQL servers", + "description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "diagnosticsLogsInRedisCacheMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Only secure connections to your Redis Cache should be enabled", + "description": "Enable or disable the monitoring of diagnostic logs in Azure Redis Cache" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "vmssEndpointProtectionMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Endpoint protection solution should be installed on virtual machine scale sets", + "description": "Enable or disable the monitoring of virtual machine scale sets endpoint protection monitoring" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "listOfImageIdToIncludeWindows": { + "type": "array", + "metadata": { + "displayName": "Optional: List of VM images that have supported Windows OS to add to scope", + "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [ + + ] + }, + "listOfImageIdToIncludeLinux": { + "type": "array", + "metadata": { + "displayName": "Optional: List of VM images that have supported Linux OS to add to scope", + "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [ + + ] + }, + "auditUnrestrictedNetworkToStorageAccountMonitoringEffect": { + 
"type": "string", + "metadata": { + "displayName": "Audit unrestricted network access to storage accounts", + "description": "Enable or disable the monitoring of network access to storage account" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "vmssOsVulnerabilitiesMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "description": "Enable or disable the monitoring of virtual machine scale sets OS vulnerabilities monitoring" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "secureTransferToStorageAccountMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Secure transfer to storage accounts should be enabled", + "description": "Enable or disable the monitoring of secure transfer to storage account" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adaptiveApplicationControlsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Adaptive Application Controls should be enabled on virtual machines", + "description": "Enable or disable the monitoring of allowed application list in Azure Security Center" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityDesignateLessThanOwnersMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "A maximum of 3 owners should be designated for your subscription", + "description": "Enable or disable the monitoring of maximum owners in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "serverVulnerabilityAssessmentEffect": { + "type": "string", + "metadata": { + "displayName": "[Preview] Vulnerability Assessment should be enabled on Virtual Machines", + "description": 
"Enable or disable the detection of VM vulnerabilities by Azure Security Center Vulnerability Assessment" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "webAppRestrictCORSAccessMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "CORS should not allow every resource to access your Web Application", + "description": "Enable or disable the monitoring of CORS restrictions for Web Application" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "External accounts with write permissions should be removed from your subscription", + "description": "Enable or disable the monitoring of external acounts with write permissions in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityRemoveDeprecatedAccountMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Deprecated accounts should be removed from your subscription", + "description": "Enable or disable the monitoring of deprecated acounts in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "functionAppEnforceHttpsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Function App should only be accessible over HTTPS v2", + "description": "Enable or disable the monitoring of the use of HTTPS in Function App v2" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "vulnerabilityAssessmentMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerabilities should be remediated by a Vulnerability Assessment solution", + "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability 
assessment solution" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "logProfilesForActivityLogEffect": { + "type": "string", + "metadata": { + "displayName": "Azure subscriptions should have a log profile for Activity Log", + "description": "Enable or disable the monitoring of a log profile for Activity Log in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "listOfResourceTypes": { + "type": "array", + "metadata": { + "displayName": "List of resource types that should have diagnostic logs enabled", + "strongType": "resourceTypes" + } + }, + "systemUpdatesMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "System updates should be installed on your machines", + "description": "Enable or disable the monitoring of system updates reporting" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "apiAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Latest TLS version should be used for App Service", + "description": "Enable or disable the monitoring of the latest TLS version in App Service" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityEnableMFAForWritePermissionsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "MFA should be enabled accounts with write permissions on your subscription", + "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "anitmalwareRequiredForWindowsServersEffect": { + "type": "string", + "metadata": { + "displayName": "Microsoft IaaSAntimalware extension should be deployed on Windows servers", + "description": "Enable or disable the 
monitoring of Windows server VMs without Microsoft IaaSAntimalware extension deployed" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "webAppEnforceHttpsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Web Application should only be accessible over HTTPS v2", + "description": "Enable or disable the monitoring of the use of HTTPS in Web App v2" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "vnetEnableDDoSProtectionMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "DDoS Protection Standard should be enabled", + "description": "Enable or disable the monitoring of DDoS protection for all virtual networks with a subnet that is part of an application gateway with a public IP." + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityEnableMFAForOwnerPermissionsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "MFA should be enabled on accounts with owner permissions on your subscription", + "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "sqlServerAdvancedDataSecurityMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Advanced data security should be enabled on your SQL servers", + "description": "Enable or disable the monitoring of SQL servers without Advanced Data Security" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Advanced data security should be enabled on your SQL managed instances", + "description": "Enable or disable the monitoring of SQL managed instances 
without Advanced Data Security" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "endpointProtectionMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Monitor missing endpoint protection in Azure Security Center", + "description": "Enable or disable the monitoring of endpoint protection" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "jitNetworkAccessMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Just-in-time network access control should be applied on virtual machines", + "description": "Enable or disable the monitoring of network just-in-time access" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "minimumTLSVersion": { + "type": "string", + "metadata": { + "displayName": "Minimum TLS version", + "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant." 
+ }, + "defaultValue": "1.2", + "allowedValues": [ + "1.2" + ] + }, + "aadAuthenticationInServiceFabricMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Service Fabric clusters should only use Azure Active Directory for client authentication", + "description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "apiAppEnforceHttpsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "App Service should only be accessible over HTTPS v2", + "description": "Enable or disable the monitoring of the use of HTTPS v2 in App Service" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "vmssSystemUpdatesMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "System updates on virtual machine scale sets should be installed", + "description": "Enable or disable the monitoring of virtual machine scale sets system updates reporting" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "webAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Remote debugging should be turned off for Web Application", + "description": "Enable or disable the monitoring of remote debugging for Web App" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "systemConfigurationsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerabilities in security configuration on your machines should be remediated", + "description": "Enable or disable the monitoring of OS vulnerabilities (based on a configured baseline)" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityEnableMFAForReadPermissionsMonitoringEffect": { + 
"type": "string", + "metadata": { + "displayName": "MFA should be enabled on accounts with read permissions on your subscription", + "description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "enforcePasswordHistory": { + "type": "string", + "metadata": { + "displayName": "Enforce password history", + "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated." + }, + "defaultValue": "24" + }, + "maximumPasswordAge": { + "type": "string", + "metadata": { + "displayName": "Maximum password age", + "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range." + }, + "defaultValue": "1,70" + }, + "minimumPasswordAge": { + "type": "string", + "metadata": { + "displayName": "Minimum password age", + "description": "Specifies the minimum number of days that must elapse before a user account password can be changed." + }, + "defaultValue": "1" + }, + "minimumPasswordLength": { + "type": "string", + "metadata": { + "displayName": "Minimum password length", + "description": "Specifies the minimum number of characters that a user account password may contain." + }, + "defaultValue": "10" + }, + "passwordMustMeetComplexityRequirements": { + "type": "string", + "metadata": { + "displayName": "Password must meet complexity requirements", + "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters." 
+ }, + "defaultValue": "1", + "allowedValues": [ + "0", + "1" + ] + }, + "containerBenchmarkMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerabilities in container security configurations should be remediated", + "description": "Enable or disable the monitoring of container benchmark" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "apiAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Remote debugging should be turned off for App Service", + "description": "Enable or disable the monitoring of remote debugging for App Service" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Deprecated accounts with owner permissions should be removed from your subscription", + "description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "vulnerabilityAssessmentOnServerMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerability assessment should be enabled on your SQL servers", + "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities." 
+ }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "webAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Latest TLS version should be used in your Web App", + "description": "Enable or disable the monitoring of the latest TLS version in Web App" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Internet-facing virtual machines should be protected with Network Security Groups", + "description": "Enable or disable the monitoring of NSGs on VMs" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "External accounts with owner permissions should be removed from your subscription", + "description": "Enable or disable the monitoring of external acounts with owner permissions in subscription" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "functionAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Latest TLS version should be used in your Function App", + "description": "Enable or disable the monitoring of the latest TLS version in Function App" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "sqlDbVulnerabilityAssesmentMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Vulnerabilities on your SQL databases should be remediated", + "description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities." 
+ }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "allowedlocationsforresourcegroups_listOfAllowedLocations": { + "type": "array", + "metadata": { + "displayName": "Allowed locations for resource groups" + }, + "defaultValue": [ + "Australia Central", + "Australia Central2", + "Australia East", + "Australia Southeast" + ], + "allowedValues": [ + "Australia Central", + "Australia Central2", + "Australia East", + "Australia Southeast" + ] + }, + "allowedlocations_listOfAllowedLocations": { + "type": "array", + "metadata": { + "displayName": "Allowed locations" + }, + "defaultValue": [ + "Australia Central", + "Australia Central2", + "Australia East", + "Australia Southeast" + ], + "allowedValues": [ + "Australia Central", + "Australia Central2", + "Australia East", + "Australia Southeast" + ] + } + }, + "resourceGroups": { + + }, + "targetScope": "subscription", + "status": { + "timeCreated": "2020-05-20T07:56:32+00:00", + "lastModified": "2020-05-20T07:56:32.0602492+00:00" + }, + "displayName": "Australian Government ISM PROTECTED", + "description": "Deploys and configures policies mapped to specific Australian Government Information Security Manual (ISM) controls." + }, + "id": "/providers/Microsoft.Blueprint/blueprints/Australia-IRAP", + "type": "Microsoft.Blueprint/blueprints", + "name": "Australia-IRAP" +} diff --git a/samples/001-builtins/Canada-Federal-PBMM/artifact.07420a8e-b772-4d6a-a1f5-27bbb6ba1446.json b/samples/001-builtins/Canada-Federal-PBMM/artifact.07420a8e-b772-4d6a-a1f5-27bbb6ba1446.json index 0553449..f16bd00 100644 --- a/samples/001-builtins/Canada-Federal-PBMM/artifact.07420a8e-b772-4d6a-a1f5-27bbb6ba1446.json +++ b/samples/001-builtins/Canada-Federal-PBMM/artifact.07420a8e-b772-4d6a-a1f5-27bbb6ba1446.json 
@@ -18,7 +18,7 @@
 "dependsOn": [
 ],
- "displayName": "[Preview]: Audit Canada Federal PBMM controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "Canada Federal PBMM"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/CanadaFederalPBMMBlueprint4/artifacts/07420a8e-b772-4d6a-a1f5-27bbb6ba1446",
diff --git a/samples/001-builtins/DOD_IL4_Gov/artifact.0bf6c09a-e68c-4874-bf64-a568d4f5bc21.json b/samples/001-builtins/DOD_IL4_Gov/artifact.0bf6c09a-e68c-4874-bf64-a568d4f5bc21.json
index efd8544..3c8ac59 100644
--- a/samples/001-builtins/DOD_IL4_Gov/artifact.0bf6c09a-e68c-4874-bf64-a568d4f5bc21.json
+++ b/samples/001-builtins/DOD_IL4_Gov/artifact.0bf6c09a-e68c-4874-bf64-a568d4f5bc21.json
@@ -2,9 +2,6 @@
 "properties": {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133",
 "parameters": {
- "listOfAllowedLocationsForResourcesAndResourceGroups": {
- "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]"
- },
 "membersToIncludeInAdministratorsLocalGroup": {
 "value": "[parameters('membersToIncludeInAdministratorsLocalGroup')]"
 },
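Review bot: Dropping `listOfAllowedLocationsForResourcesAndResourceGroups` from this assignment removes the region-restriction input the IL4 blueprint passed to initiative 8d792a84-…, and the matching blueprint parameter definition is deleted later in this patch, so nothing in the sample now constrains where resources and resource groups may be created. If the current initiative no longer declares that parameter the removal is required; if it still declares it with a default, the assignment will silently take that default instead of a DoD-region list such as the `usdodcentral` that `listOfLocationsForNetworkWatcher` still defaults to. Please confirm against the initiative's current parameter set and call out the dropped control in the commit message, since consumers of the sample will read the removal as a deliberate relaxation of the IL4 baseline.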
@@ -70,10 +67,217 @@
 },
 "identityEnableMFAForWritePermissionsMonitoringEffect": {
 "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
+ },
+ "listOfLocationsForNetworkWatcher": {
+ "value": "[parameters('listOfLocationsForNetworkWatcher')]"
+ },
+ "MinimumTLSVersionForWindowsServers": {
+ "value": "[parameters('MinimumTLSVersionForWindowsServers')]"
+ },
+ "PHPLatestVersionForAppServices": {
+ "value": "[parameters('PHPLatestVersionForAppServices')]"
+ },
+ "JavaLatestVersionForAppServices": {
+ "value": "[parameters('JavaLatestVersionForAppServices')]"
+ },
+ "WindowsPythonLatestVersionForAppServices": {
+ "value": "[parameters('WindowsPythonLatestVersionForAppServices')]"
+ },
+ "LinuxPythonLatestVersionForAppServices": {
+ "value": "[parameters('LinuxPythonLatestVersionForAppServices')]"
+ },
+ "WindowsImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('WindowsImagesToAddToLogAgentAuditScope')]"
+ },
+ "LinuxImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('LinuxImagesToAddToLogAgentAuditScope')]"
+ },
+ "identityDesignateMoreThanOneOwnerMonitoringEffect": {
+ "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
+ },
+ "diskEncryptionMonitoringEffect": {
+ "value": "[parameters('diskEncryptionMonitoringEffect')]"
+ },
+ "emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect": {
+ "value": "[parameters('emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect')]"
+ },
+ "functionAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "ensureDotNetFrameworkLatestForFunctionAppEffect": {
+ "value": "[parameters('ensureDotNetFrameworkLatestForFunctionAppEffect')]"
+ },
+ "sqlDbEncryptionMonitoringEffect": {
+ "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
+ },
+ "ensurePHPVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensurePHPVersionLatestForAPIAppEffect')]"
+ },
+ "aadAuthenticationInSqlServerMonitoringEffect": {
+ "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
+ },
+ "diagnosticsLogsInRedisCacheMonitoringEffect": {
+ "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
+ },
+ "vmssEndpointProtectionMonitoringEffect": {
+ "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
+ },
+ "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
+ "value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect')]"
+ },
+ "vmssOsVulnerabilitiesMonitoringEffect": {
+ "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
+ },
+ "secureTransferToStorageAccountMonitoringEffect": {
+ "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
+ },
+ "adaptiveApplicationControlsMonitoringEffect": {
+ "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
+ },
+ "ensureJavaVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensureJavaVersionLatestForWebAppEffect')]"
+ },
+ "identityDesignateLessThanOwnersMonitoringEffect": {
+ "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
+ },
+ "securityContactEmailAddressForSubscriptionEffect": {
+ "value": "[parameters('securityContactEmailAddressForSubscriptionEffect')]"
+ },
+ "ensurePythonVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensurePythonVersionLatestForWebAppEffect')]"
+ },
+ "ensurePythonVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensurePythonVersionLatestForFunctionAppEffect')]"
+ },
+ "ensurePHPVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensurePHPVersionLatestForWebAppEffect')]"
+ },
+ "ensurePythonVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensurePythonVersionLatestForAPIAppEffect')]"
+ },
+ "vulnerabilityAssessmentMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentMonitoringEffect')]"
+ },
+ "ensureDotNetFrameworkLatestForWebAppEffect": {
+ "value": "[parameters('ensureDotNetFrameworkLatestForWebAppEffect')]"
+ },
+ "systemUpdatesMonitoringEffect": {
+ "value": "[parameters('systemUpdatesMonitoringEffect')]"
+ },
+ "ensureJavaVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensureJavaVersionLatestForAPIAppEffect')]"
+ },
+ "ensureHTTPVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensureHTTPVersionLatestForWebAppEffect')]"
+ },
+ "apiAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityEmailsMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityEmailsMonitoringEffect')]"
+ },
+ "ensureHTTPVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensureHTTPVersionLatestForAPIAppEffect')]"
+ },
+ "microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect": {
+ "value": "[parameters('microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect')]"
+ },
+ "ensureJavaVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensureJavaVersionLatestForFunctionAppEffect')]"
+ },
+ "nextGenerationFirewallMonitoringEffect": {
+ "value": "[parameters('nextGenerationFirewallMonitoringEffect')]"
+ },
+ "securityCenterStandardPricingTierShouldBeSelectedEffect": {
+ "value": "[parameters('securityCenterStandardPricingTierShouldBeSelectedEffect')]"
+ },
+ "useRbacRulesMonitoringEffect": {
+ "value": "[parameters('useRbacRulesMonitoringEffect')]"
+ },
+ "sqlServerAuditingMonitoringEffect": {
+ "value": "[parameters('sqlServerAuditingMonitoringEffect')]"
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect": {
+ "value": "[parameters('theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect')]"
+ },
+ "vnetEnableDDoSProtectionMonitoringEffect": {
+ "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
+ },
+ "ensurePHPVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensurePHPVersionLatestForFunctionAppEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect')]"
+ },
+ "endpointProtectionMonitoringEffect": {
+ "value": "[parameters('endpointProtectionMonitoringEffect')]"
+ },
+ "jitNetworkAccessMonitoringEffect": {
+ "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
+ },
+ "securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect": {
+ "value": "[parameters('securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect')]"
+ },
+ "aadAuthenticationInServiceFabricMonitoringEffect": {
+ "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
+ },
+ "apiAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
+ },
+ "threatDetectionTypesOnManagedInstanceMonitoringEffect": {
+ "value": "[parameters('threatDetectionTypesOnManagedInstanceMonitoringEffect')]"
+ },
+ "ensureDotNetFrameworkLatestForAPIAppEffect": {
+ "value": "[parameters('ensureDotNetFrameworkLatestForAPIAppEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect')]"
+ },
+ "webAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "systemConfigurationsMonitoringEffect": {
+ "value": "[parameters('systemConfigurationsMonitoringEffect')]"
+ },
+ "ensureHTTPVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensureHTTPVersionLatestForFunctionAppEffect')]"
+ },
+ "threatDetectionTypesOnServerMonitoringEffect": {
+ "value": "[parameters('threatDetectionTypesOnServerMonitoringEffect')]"
+ },
+ "containerBenchmarkMonitoringEffect": {
+ "value": "[parameters('containerBenchmarkMonitoringEffect')]"
+ },
+ "apiAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect": {
+ "value": "[parameters('theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect')]"
+ },
+ "webAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "functionAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "kubernetesServiceVersionUpToDateMonitoringEffect": {
+ "value": "[parameters('kubernetesServiceVersionUpToDateMonitoringEffect')]"
+ },
+ "sqlDbVulnerabilityAssesmentMonitoringEffect": {
+ "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
 }
 },
 "dependsOn": [
-
+
 ],
 "displayName": "DoD Impact Level 4"
 },
diff --git a/samples/001-builtins/DOD_IL4_Gov/blueprint.json b/samples/001-builtins/DOD_IL4_Gov/blueprint.json
index 33e83fc..d9203b3 100644
--- a/samples/001-builtins/DOD_IL4_Gov/blueprint.json
+++ b/samples/001-builtins/DOD_IL4_Gov/blueprint.json
@@ -9,7 +9,7 @@
 },
 "defaultValue": "180",
 "allowedValues": [
-
+
 ]
 },
 "deployAuditingonSQLservers_storageAccountsResourceGroup": {
@@ -20,7 +20,7 @@
 "strongType": "existingResourceGroups"
 },
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforWindowsVMScaleSets(VMSS)_logAnalytics": {
@@ -31,7 +31,7 @@
 "strongType": "omsWorkspace"
 },
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforWindowsVMScaleSets(VMSS)_listOfImageIdToInclude": {
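Review bot: `MinimumTLSVersionForWindowsServers` is passed straight through to the initiative in this hunk, and the blueprint parameter it reads (declared later in this patch in DOD_IL4_Gov/blueprint.json) lists both `"1.1"` and `"1.2"` as allowed values, so an operator can assign the IL4 baseline with TLS 1.1 treated as compliant. The Australia-IRAP blueprint in the same patch pins its equivalent `minimumTLSVersion` to `"allowedValues": ["1.2"]`; I would do the same here, or document why 1.1 must remain selectable for an IL4 sample. Separately, that blueprint.json hunk runs past what I can see, but its rewritten `membersToExcludeInAdministratorsLocalGroup` description line ends with a trailing comma immediately before `}`, which strict JSON parsers reject and will break the sample when it is imported. The `dependsOn` change at the end of this hunk is whitespace only.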
@@ -41,10 +41,10 @@
 "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
 },
 "defaultValue": [
-
+
 ],
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforLinuxVMScaleSets(VMSS)_logAnalytics": {
@@ -55,7 +55,7 @@
 "strongType": "omsWorkspace"
 },
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforLinuxVMScaleSets(VMSS)_listOfImageIdToInclude": {
@@ -65,10 +65,10 @@
 "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
 },
 "defaultValue": [
-
+
 ],
 "allowedValues": [
-
+
 ]
 },
 "deployDiagnosticSettingsforNetworkSecurityGroups_storagePrefix": {
@@ -78,7 +78,7 @@
 "description": "This prefix will be combined with the network security group location to form the created storage account name."
 },
 "allowedValues": [
-
+
 ]
 },
 "deployDiagnosticSettingsforNetworkSecurityGroups_rgName": {
@@ -89,7 +89,7 @@
 "strongType": "ExistingResourceGroups"
 },
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforLinuxVMs_logAnalytics": {
@@ -100,7 +100,7 @@
 "strongType": "omsWorkspace"
 },
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforLinuxVMs_listOfImageIdToInclude": {
@@ -110,10 +110,10 @@
 "description": "Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
 },
 "defaultValue": [
-
+
 ],
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforWindowsVMs_logAnalytics": {
@@ -124,7 +124,7 @@
 "strongType": "omsWorkspace"
 },
 "allowedValues": [
-
+
 ]
 },
 "DeployLogAnalyticsAgentforWindowsVMs_listOfImageIdToInclude": {
@@ -134,369 +134,1165 @@ "description": "Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" }, "defaultValue": [ - + ], "allowedValues": [ - - ] - }, - "listOfAllowedLocationsForResourcesAndResourceGroups": { - "type": "array", - "metadata": { - "displayName": "Allowed locations for resources and resource groups", - "description": "This policy enables you to restrict the locations your organization can specify when creating resource groups or deploying resources. Use to enforce your geo-compliance requirements. Excludes Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.", - "strongType": "location" - }, - "allowedValues": [ - + ] }, "membersToIncludeInAdministratorsLocalGroup": { "type": "string", "metadata": { - "displayName": "Members to be included in the Administrators local group", + "displayName": "List of users that must be included in Windows VM Administrators group", "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2" }, "allowedValues": [ - + ] }, "membersToExcludeInAdministratorsLocalGroup": { "type": "string", "metadata": { - "displayName": "Members that should be excluded in the Administrators local group", - "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. 
Ex: Administrator; myUser1; myUser2" + "displayName": "List of users excluded from Windows VM Administrators group", + "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", }, "allowedValues": [ - + ] }, "listOfResourceTypes": { "type": "array", "metadata": { - "displayName": "List of resource types that should have diagnostic logs enabled (Policy: DoD Impact Level 4)" + "displayName": "List of resource types that should have diagnostic logs enabled" }, "defaultValue": [ - "Microsoft.AnalysisServices/servers", - "Microsoft.ApiManagement/service", - "Microsoft.Network/applicationGateways", - "Microsoft.Automation/automationAccounts", - "Microsoft.ContainerInstance/containerGroups", - "Microsoft.ContainerRegistry/registries", - "Microsoft.ContainerService/managedClusters", - "Microsoft.Batch/batchAccounts", - "Microsoft.Cdn/profiles/endpoints", - "Microsoft.CognitiveServices/accounts", - "Microsoft.DocumentDB/databaseAccounts", - "Microsoft.DataFactory/factories", - "Microsoft.DataLakeAnalytics/accounts", - "Microsoft.DataLakeStore/accounts", - "Microsoft.EventGrid/eventSubscriptions", - "Microsoft.EventGrid/topics", - "Microsoft.EventHub/namespaces", - "Microsoft.Network/expressRouteCircuits", - "Microsoft.Network/azureFirewalls", - "Microsoft.HDInsight/clusters", - "Microsoft.Devices/IotHubs", - "Microsoft.KeyVault/vaults", - "Microsoft.Network/loadBalancers", - "Microsoft.Logic/integrationAccounts", - "Microsoft.Logic/workflows", - "Microsoft.DBforMySQL/servers", - "Microsoft.Network/networkInterfaces", - "Microsoft.Network/networkSecurityGroups", - "Microsoft.DBforPostgreSQL/servers", - "Microsoft.PowerBIDedicated/capacities", - "Microsoft.Network/publicIPAddresses", - "Microsoft.RecoveryServices/vaults", - "Microsoft.Cache/redis", - "Microsoft.Relay/namespaces", - "Microsoft.Search/searchServices", - "Microsoft.ServiceBus/namespaces", - 
"Microsoft.SignalRService/SignalR",
- "Microsoft.Sql/servers/databases",
- "Microsoft.Sql/servers/elasticPools",
- "Microsoft.StreamAnalytics/streamingjobs",
- "Microsoft.TimeSeriesInsights/environments",
- "Microsoft.Network/trafficManagerProfiles",
- "Microsoft.Compute/virtualMachines",
- "Microsoft.Compute/virtualMachineScaleSets",
- "Microsoft.Network/virtualNetworks",
- "Microsoft.Network/virtualNetworkGateways"
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
 ], "allowedValues": [
- "Microsoft.AnalysisServices/servers",
- "Microsoft.ApiManagement/service",
- "Microsoft.Network/applicationGateways",
- "Microsoft.Automation/automationAccounts",
- "Microsoft.ContainerInstance/containerGroups",
- "Microsoft.ContainerRegistry/registries",
- "Microsoft.ContainerService/managedClusters",
- "Microsoft.Batch/batchAccounts",
- "Microsoft.Cdn/profiles/endpoints",
- "Microsoft.CognitiveServices/accounts",
- "Microsoft.DocumentDB/databaseAccounts",
- "Microsoft.DataFactory/factories",
- "Microsoft.DataLakeAnalytics/accounts",
- "Microsoft.DataLakeStore/accounts",
- "Microsoft.EventGrid/eventSubscriptions",
- "Microsoft.EventGrid/topics",
- "Microsoft.EventHub/namespaces",
- "Microsoft.Network/expressRouteCircuits",
- "Microsoft.Network/azureFirewalls",
- "Microsoft.HDInsight/clusters",
- "Microsoft.Devices/IotHubs",
- "Microsoft.KeyVault/vaults",
- "Microsoft.Network/loadBalancers",
- "Microsoft.Logic/integrationAccounts",
- "Microsoft.Logic/workflows",
- "Microsoft.DBforMySQL/servers",
- "Microsoft.Network/networkInterfaces",
- "Microsoft.Network/networkSecurityGroups",
- "Microsoft.DBforPostgreSQL/servers",
- "Microsoft.PowerBIDedicated/capacities",
- "Microsoft.Network/publicIPAddresses",
- "Microsoft.RecoveryServices/vaults",
- "Microsoft.Cache/redis",
- "Microsoft.Relay/namespaces",
- "Microsoft.Search/searchServices",
- "Microsoft.ServiceBus/namespaces",
- "Microsoft.SignalRService/SignalR",
- "Microsoft.Sql/servers/databases",
- "Microsoft.Sql/servers/elasticPools",
- "Microsoft.StreamAnalytics/streamingjobs",
- "Microsoft.TimeSeriesInsights/environments",
- "Microsoft.Network/trafficManagerProfiles",
- "Microsoft.Compute/virtualMachines",
- "Microsoft.Compute/virtualMachineScaleSets",
- "Microsoft.Network/virtualNetworks",
- "Microsoft.Network/virtualNetworkGateways"
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
 ] }, "logAnalyticsWorkspaceIdForVMs": { "type":
"string", "metadata": {
- "displayName": "Log Analytics Workspace Id that VMs should be configured for",
+ "displayName": "Log Analytics workspace ID for VM agent reporting",
 "description": "This is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured for" }, "allowedValues": [
- 
+ 
+ ]
+ },
+ "listOfLocationsForNetworkWatcher": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of regions where Network Watcher should be enabled",
+ "description": "To see a complete list of regions use Get-AzLocation",
+ "strongType": "location"
+ },
+ "defaultValue": [
+ "usdodcentral"
+ ],
+ "allowedValues": []
+ },
+ "MinimumTLSVersionForWindowsServers": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Minimum TLS version for Windows web servers",
+ "description": "The minimum TLS protocol version that should be enabled on Windows web servers"
+ },
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.1",
+ "1.2"
+ ]
+ },
+ "PHPLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest PHP version",
+ "description": "Latest supported PHP version for App Services"
+ },
+ "defaultValue": "7.3",
+ "allowedValues": []
+ },
+ "JavaLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Java version"
+ },
+ "defaultValue": "11",
+ "allowedValues": []
+ },
+ "WindowsPythonLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Windows Python version"
+ },
+ "defaultValue": "3.6",
+ "allowedValues": []
+ },
+ "LinuxPythonLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Linux Python version"
+ },
+ "defaultValue": "3.8",
+ "allowedValues": []
+ },
+ "WindowsImagesToAddToLogAgentAuditScope": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Optional: List of Windows VM images that support Log Analytics agent to add to audit scope"
+ },
+ "defaultValue": [],
+ "allowedValues": []
+ },
+ "LinuxImagesToAddToLogAgentAuditScope": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Optional: List of Linux VM images that support Log Analytics agent to add to audit scope"
+ },
+ "defaultValue": [],
+ "allowedValues": []
+ },
+ "identityDesignateMoreThanOneOwnerMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: There should be more than one owner assigned to your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "diskEncryptionMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Disk encryption should be applied on virtual machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Email notification to subscription owner for high severity alerts should be enabled",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "functionAppDisableRemoteDebuggingMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureDotNetFrameworkLatestForFunctionAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "sqlDbEncryptionMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": { "type": "string", "metadata": {
- "displayName": "Long-term geo-redundant backup should be enabled for Azure SQL Databases",
- "description": "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled"
+ "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "Vulnerability assessment should be enabled on your SQL managed instances",
- "description": "Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
+ "displayName": "Effect for policy: Vulnerability assessment should be enabled on SQL Managed Instance",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "vulnerabilityAssessmentOnServerMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "Vulnerability assessment should be enabled on your SQL servers",
- "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
+ "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "geoRedundancyEnabledForStorageAccountsEffect": { "type": "string", "metadata": {
- "displayName": "Geo-redundant storage should be enabled for Storage Accounts",
- "description": "This policy audits any Storage Account with geo-redundant storage not enabled."
+ "displayName": "Effect for policy: Geo-redundant storage should be enabled for Storage Accounts",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "Audit", "allowedValues": [
- "Audit",
- "Disabled"
+ "Audit",
+ "Disabled"
 ] }, "geoRedundancyEnabledForAzureDatabaseForMySQLEffect": { "type": "string", "metadata": {
- "displayName": "Geo-redundant backup should be enabled for Azure Database for MySQL",
- "description": "This policy audits any Azure Database for MySQL with geo-redundant backup not enabled."
+ "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "Audit", "allowedValues": [
- "Audit",
- "Disabled"
+ "Audit",
+ "Disabled"
 ] }, "geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect": { "type": "string", "metadata": {
- "displayName": "Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
- "description": "This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled."
+ "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "Audit", "allowedValues": [
- "Audit",
- "Disabled"
+ "Audit",
+ "Disabled"
 ] }, "webAppEnforceHttpsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "Web Application should only be accessible over HTTPS",
- "description": "Enable or disable the monitoring of the use of HTTPS in Web App"
+ "displayName": "Effect for policy: Web Application should only be accessible over HTTPS",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "Audit", "allowedValues": [
- "Audit",
- "Disabled"
+ "Audit",
+ "Disabled"
 ] }, "functionAppEnforceHttpsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "Function App should only be accessible over HTTPS",
- "description": "Enable or disable the monitoring of the use of HTTPS in function App"
+ "displayName": "Effect for policy: Function App should only be accessible over HTTPS",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "Audit",
"allowedValues": [
- "Audit",
- "Disabled"
+ "Audit",
+ "Disabled"
 ] }, "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "External accounts with write permissions should be removed from your subscription",
- "description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
+ "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "External accounts with read permissions should be removed from your subscription",
- "description": "Enable or disable the monitoring of external acounts with read permissions in subscription"
+ "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "External accounts with owner permissions should be removed from your subscription",
- "description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
+ "displayName": "Effect for policy: External accounts with owner permissions should be removed from your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "Deprecated accounts with owner permissions should be removed from your subscription",
- "description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
+ "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityRemoveDeprecatedAccountMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "Deprecated accounts should be removed from your subscription",
- "description": "Enable or disable the monitoring of deprecated acounts in subscription"
+ "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "webAppRestrictCORSAccessMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "CORS should not allow every resource to access your Web Application",
- "description": "Enable or disable the monitoring of CORS restrictions for API Web"
+ "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "vmssSystemUpdatesMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "System updates on virtual machine scale sets should be installed",
- "description": "Enable or disable virtual machine scale sets reporting of system updates"
+ "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityEnableMFAForReadPermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "MFA should be enabled on accounts with read permissions on your subscription",
- "description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
+ "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityEnableMFAForOwnerPermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
- "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
+ "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
 }, "defaultValue": "AuditIfNotExists", "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
+ "AuditIfNotExists",
+ "Disabled"
 ] }, "identityEnableMFAForWritePermissionsMonitoringEffect": { "type": "string", "metadata": {
- "displayName": "MFA should be enabled accounts with write permissions on your subscription",
- "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
+ "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects",
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "systemConfigurationsMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureHTTPVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensurePHPVersionLatestForAPIAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the Api app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "aadAuthenticationInSqlServerMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "diagnosticsLogsInRedisCacheMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Only secure connections to your Redis Cache should be enabled",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vmssEndpointProtectionMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Audit unrestricted network access to storage accounts",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "vmssOsVulnerabilitiesMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "secureTransferToStorageAccountMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adaptiveApplicationControlsMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Adaptive Application Controls should be enabled on virtual machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureJavaVersionLatestForWebAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "identityDesignateLessThanOwnersMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "securityContactEmailAddressForSubscriptionEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: A security contact email address should be provided for your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensurePythonVersionLatestForWebAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensurePythonVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensurePHPVersionLatestForWebAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensurePythonVersionLatestForAPIAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Api app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "vulnerabilityAssessmentMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureDotNetFrameworkLatestForWebAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "systemUpdatesMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: System updates should be installed on your machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureJavaVersionLatestForAPIAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Api app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureHTTPVersionLatestForWebAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "apiAppRequireLatestTlsMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Latest TLS version should be used in your API App",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "sqlServerAdvancedDataSecurityEmailsMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Advanced data security settings for SQL server should contain an email address to receive security alerts",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureHTTPVersionLatestForAPIAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Api app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensureJavaVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "nextGenerationFirewallMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Access through Internet facing endpoint should be restricted",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "securityCenterStandardPricingTierShouldBeSelectedEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Security Center standard pricing tier should be selected",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "useRbacRulesMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Audit usage of custom RBAC rules",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "sqlServerAuditingMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Auditing on SQL server should be enabled",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: The Log Analytics agent should be installed on virtual machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "vnetEnableDDoSProtectionMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: DDoS Protection Standard should be enabled",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "ensurePHPVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "sqlServerAdvancedDataSecurityMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Advanced data security should be enabled on your SQL servers",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Advanced data security should be enabled on SQL Managed Instance",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "endpointProtectionMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "jitNetworkAccessMonitoringEffect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect for policy: Just-In-Time network access control should be applied on virtual machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ },
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ 
}, + "securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: A security contact phone number should be provided for your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "aadAuthenticationInServiceFabricMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "apiAppEnforceHttpsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: API App should only be accessible over HTTPS", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "threatDetectionTypesOnManagedInstanceMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "ensureDotNetFrameworkLatestForAPIAppEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Ensure that '.NET Framework' version is the latest, if used as a part of the API app", + "description": "Azure Policy effect for 
this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "webAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "threatDetectionTypesOnServerMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "containerBenchmarkMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + 
"apiAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Remote debugging should be turned off for API Apps", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "webAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Latest TLS version should be used in your Web App", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "functionAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Latest TLS version should be used in your Function App", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "kubernetesServiceVersionUpToDateMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version", + "description": "Azure Policy effect for this policy; for more information about effects, visit 
https://aka.ms/policyeffects" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbVulnerabilityAssesmentMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: Vulnerabilities on your SQL databases should be remediated", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "allowedlocations_listOfAllowedLocations": { @@ -506,7 +1302,7 @@ "strongType": "location" }, "allowedValues": [ - + ] }, "allowedlocationsforresourcegroups_listOfAllowedLocations": { @@ -516,12 +1312,12 @@ "strongType": "location" }, "allowedValues": [ - + ] } }, "resourceGroups": { - + }, "targetScope": "subscription", "status": { diff --git a/samples/001-builtins/DOD_IL5_Gov/artifact.d580751b-2c43-40ce-8e51-34dccadabaef.json b/samples/001-builtins/DOD_IL5_Gov/artifact.d580751b-2c43-40ce-8e51-34dccadabaef.json new file mode 100644 index 0000000..c48a9d7 --- /dev/null +++ b/samples/001-builtins/DOD_IL5_Gov/artifact.d580751b-2c43-40ce-8e51-34dccadabaef.json 
@@ -0,0 +1,288 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197",
+ "parameters": {
+ "membersToIncludeInLocalAdministratorsGroup": {
+ "value": "[parameters('membersToIncludeInLocalAdministratorsGroup')]"
+ },
+ "membersToExcludeInLocalAdministratorsGroup": {
+ "value": "[parameters('membersToExcludeInLocalAdministratorsGroup')]"
+ },
+ "listOfResourceTypesForDiagnosticLogs": {
+ "value": "[parameters('listOfResourceTypesForDiagnosticLogs')]"
+ },
+ "logAnalyticsWorkspaceIDForVMAgents": {
+ "value": "[parameters('logAnalyticsWorkspaceIDForVMAgents')]"
+ },
+ "listOfLocationsForNetworkWatcher": {
+ "value": "[parameters('listOfLocationsForNetworkWatcher')]"
+ },
+ "MinimumTLSVersionForWindowsServers": {
+ "value": "[parameters('MinimumTLSVersionForWindowsServers')]"
+ },
+ "PHPLatestVersionForAppServices": {
+ "value": "[parameters('PHPLatestVersionForAppServices')]"
+ },
+ "JavaLatestVersionForAppServices": {
+ "value": "[parameters('JavaLatestVersionForAppServices')]"
+ },
+ "WindowsPythonLatestVersionForAppServices": {
+ "value": "[parameters('WindowsPythonLatestVersionForAppServices')]"
+ },
+ "LinuxPythonLatestVersionForAppServices": {
+ "value": "[parameters('LinuxPythonLatestVersionForAppServices')]"
+ },
+ "WindowsImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('WindowsImagesToAddToLogAgentAuditScope')]"
+ },
+ "LinuxImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('LinuxImagesToAddToLogAgentAuditScope')]"
+ },
+ "identityDesignateMoreThanOneOwnerMonitoringEffect": {
+ "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
+ },
+ "diskEncryptionMonitoringEffect": {
+ "value": "[parameters('diskEncryptionMonitoringEffect')]"
+ },
+ "emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect": {
+ "value": "[parameters('emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect')]"
+ },
+ "functionAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "ensureDotNetFrameworkLatestForFunctionAppEffect": {
+ "value": "[parameters('ensureDotNetFrameworkLatestForFunctionAppEffect')]"
+ },
+ "sqlDbEncryptionMonitoringEffect": {
+ "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
+ },
+ "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
+ },
+ "ensurePHPVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensurePHPVersionLatestForAPIAppEffect')]"
+ },
+ "aadAuthenticationInSqlServerMonitoringEffect": {
+ "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
+ },
+ "diagnosticsLogsInRedisCacheMonitoringEffect": {
+ "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
+ },
+ "vmssEndpointProtectionMonitoringEffect": {
+ "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
+ },
+ "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
+ "value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect')]"
+ },
+ "vmssOsVulnerabilitiesMonitoringEffect": {
+ "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
+ },
+ "secureTransferToStorageAccountMonitoringEffect": {
+ "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
+ },
+ "adaptiveApplicationControlsMonitoringEffect": {
+ "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
+ },
+ "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect": {
+ "value": "[parameters('geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect')]"
+ },
+ "ensureJavaVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensureJavaVersionLatestForWebAppEffect')]"
+ },
+ "identityDesignateLessThanOwnersMonitoringEffect": {
+ "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
+ },
+ "securityContactEmailAddressForSubscriptionEffect": {
+ "value": "[parameters('securityContactEmailAddressForSubscriptionEffect')]"
+ },
+ "webAppRestrictCORSAccessMonitoringEffect": {
+ "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
+ },
+ "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
+ },
+ "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]"
+ },
+ "identityRemoveDeprecatedAccountMonitoringEffect": {
+ "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
+ },
+ "functionAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]"
+ },
+ "ensurePythonVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensurePythonVersionLatestForWebAppEffect')]"
+ },
+ "ensurePythonVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensurePythonVersionLatestForFunctionAppEffect')]"
+ },
+ "ensurePHPVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensurePHPVersionLatestForWebAppEffect')]"
+ },
+ "ensurePythonVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensurePythonVersionLatestForAPIAppEffect')]"
+ },
+ "vulnerabilityAssessmentMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentMonitoringEffect')]"
+ },
+ "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect": {
+ "value": "[parameters('geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect')]"
+ },
+ "ensureDotNetFrameworkLatestForWebAppEffect": {
+ "value": "[parameters('ensureDotNetFrameworkLatestForWebAppEffect')]"
+ },
+ "systemUpdatesMonitoringEffect": {
+ "value": "[parameters('systemUpdatesMonitoringEffect')]"
+ },
+ "ensureJavaVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensureJavaVersionLatestForAPIAppEffect')]"
+ },
+ "ensureHTTPVersionLatestForWebAppEffect": {
+ "value": "[parameters('ensureHTTPVersionLatestForWebAppEffect')]"
+ },
+ "apiAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('apiAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "identityEnableMFAForWritePermissionsMonitoringEffect": {
+ "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityEmailsMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityEmailsMonitoringEffect')]"
+ },
+ "ensureHTTPVersionLatestForAPIAppEffect": {
+ "value": "[parameters('ensureHTTPVersionLatestForAPIAppEffect')]"
+ },
+ "microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect": {
+ "value": "[parameters('microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect')]"
+ },
+ "ensureJavaVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensureJavaVersionLatestForFunctionAppEffect')]"
+ },
+ "nextGenerationFirewallMonitoringEffect": {
+ "value": "[parameters('nextGenerationFirewallMonitoringEffect')]"
+ },
+ "securityCenterStandardPricingTierShouldBeSelectedEffect": {
+ "value": "[parameters('securityCenterStandardPricingTierShouldBeSelectedEffect')]"
+ },
+ "useRbacRulesMonitoringEffect": {
+ "value": "[parameters('useRbacRulesMonitoringEffect')]"
+ },
+ "webAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]"
+ },
+ "sqlServerAuditingMonitoringEffect": {
+ "value": "[parameters('sqlServerAuditingMonitoringEffect')]"
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect": {
+ "value": "[parameters('theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect')]"
+ },
+ "vnetEnableDDoSProtectionMonitoringEffect": {
+ "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
+ },
+ "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
+ "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
+ },
+ "ensurePHPVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensurePHPVersionLatestForFunctionAppEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
+ "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect')]"
+ },
+ "endpointProtectionMonitoringEffect": {
+ "value": "[parameters('endpointProtectionMonitoringEffect')]"
+ },
+ "jitNetworkAccessMonitoringEffect": {
+ "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
+ },
+ "securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect": {
+ "value": "[parameters('securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect')]"
+ },
+ "aadAuthenticationInServiceFabricMonitoringEffect": {
+ "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
+ },
+ "apiAppEnforceHttpsMonitoringEffect": {
+ "value": "[parameters('apiAppEnforceHttpsMonitoringEffect')]"
+ },
+ "threatDetectionTypesOnManagedInstanceMonitoringEffect": {
+ "value": "[parameters('threatDetectionTypesOnManagedInstanceMonitoringEffect')]"
+ },
+ "geoRedundantStorageShouldBeEnabledForStorageAccountsEffect": {
+ "value": "[parameters('geoRedundantStorageShouldBeEnabledForStorageAccountsEffect')]"
+ },
+ "ensureDotNetFrameworkLatestForAPIAppEffect": {
+ "value": "[parameters('ensureDotNetFrameworkLatestForAPIAppEffect')]"
+ },
+ "vmssSystemUpdatesMonitoringEffect": {
+ "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
+ },
+ "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": {
+ "value": "[parameters('sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect')]"
+ },
+ "webAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": {
+ "value": "[parameters('longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect')]"
+ },
+ "systemConfigurationsMonitoringEffect": {
+ "value": "[parameters('systemConfigurationsMonitoringEffect')]"
+ },
+ "ensureHTTPVersionLatestForFunctionAppEffect": {
+ "value": "[parameters('ensureHTTPVersionLatestForFunctionAppEffect')]"
+ },
+ "identityEnableMFAForReadPermissionsMonitoringEffect": {
+ "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
+ },
+ "threatDetectionTypesOnServerMonitoringEffect": {
+ "value": "[parameters('threatDetectionTypesOnServerMonitoringEffect')]"
+ },
+ "containerBenchmarkMonitoringEffect": {
+ "value": "[parameters('containerBenchmarkMonitoringEffect')]"
+ },
+ "apiAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
+ },
+ "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
+ },
+ "vulnerabilityAssessmentOnServerMonitoringEffect": {
+ "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
+ },
+ "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect": {
+ "value": "[parameters('theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect')]"
+ },
+ "webAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('webAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
+ "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
+ },
+ "functionAppRequireLatestTlsMonitoringEffect": {
+ "value": "[parameters('functionAppRequireLatestTlsMonitoringEffect')]"
+ },
+ "kubernetesServiceVersionUpToDateMonitoringEffect": {
+ "value": "[parameters('kubernetesServiceVersionUpToDateMonitoringEffect')]"
+ },
+ "sqlDbVulnerabilityAssesmentMonitoringEffect": {
+ "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "DoD Impact Level 5"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/DOD_IL5_Gov/artifacts/d580751b-2c43-40ce-8e51-34dccadabaef",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "d580751b-2c43-40ce-8e51-34dccadabaef"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/DOD_IL5_Gov/blueprint.json b/samples/001-builtins/DOD_IL5_Gov/blueprint.json
new file mode 100644
index 0000000..a5f4b17
--- /dev/null
+++ b/samples/001-builtins/DOD_IL5_Gov/blueprint.json
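Review bot: The new artifact file is committed without a trailing newline, as the `\ No newline at end of file` marker at the end of the hunk records; adding the final newline keeps later diffs of this sample from touching the closing `}` line. The `dependsOn` array just above `displayName` carries a blank line between its brackets, so `"dependsOn": []` would be the tidier, re-serialization-stable form. The last parameter key in the hunk, `sqlDbVulnerabilityAssesmentMonitoringEffect`, is misspelled, but it presumably has to match the parameter name declared by the referenced policy set definition and by the blueprint's own `parameters` block, so it should not be corrected in this file alone; the same spelling appears in the DOD_IL4_Gov blueprint.json hunk earlier in this patch, so the two currently stay consistent.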
@@ -0,0 +1,1160 @@ +{ + "properties": { + "parameters": { + "membersToIncludeInLocalAdministratorsGroup": { + "type": "string", + "metadata": { + "displayName": "List of users that must be included in Windows VM Administrators group", + "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2" + } + }, + "membersToExcludeInLocalAdministratorsGroup": { + "type": "string", + "metadata": { + "displayName": "List of users excluded from Windows VM Administrators group", + "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2" + } + }, + "listOfResourceTypesForDiagnosticLogs": { + "type": "array", + "metadata": { + "displayName": "List of resource types that should have diagnostic logs enabled" + }, + "defaultValue": [ + "Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + "Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + 
"Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ], + "allowedValues": [ + "Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + "Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + 
"Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ] + }, + "logAnalyticsWorkspaceIDForVMAgents": { + "type": "string", + "metadata": { + "displayName": "Log Analytics workspace ID for VM agent reporting", + "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report" + } + }, + "listOfLocationsForNetworkWatcher": { + "type": "array", + "metadata": { + "displayName": "List of regions where Network Watcher should be enabled", + "description": "To see a complete list of regions use Get-AzLocation", + "strongType": "location" + } + }, + "MinimumTLSVersionForWindowsServers": { + "type": "string", + "metadata": { + "displayName": "Minimum TLS version for Windows web servers", + "description": "The minimum TLS protocol version that should be enabled on Windows web servers" + }, + "allowedValues": [ + "1.1", + "1.2" + ], + "defaultValue": "1.2" + }, + "PHPLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest PHP version", + "description": "Latest supported PHP version for App Services" + }, + "defaultValue": "7.3" + }, + "JavaLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest Java version", + "description": "Latest supported Java version for App Services" + }, + "defaultValue": "11" + }, + "WindowsPythonLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": 
"Latest Windows Python version", + "description": "Latest supported Python version for App Services" + }, + "defaultValue": "3.6" + }, + "LinuxPythonLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest Linux Python version", + "description": "Latest supported Python version for App Services" + }, + "defaultValue": "3.8" + }, + "WindowsImagesToAddToLogAgentAuditScope": { + "type": "array", + "metadata": { + "displayName": "Optional: List of Windows VM images that support Log Analytics agent to add to audit scope", + "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage" + }, + "defaultValue": [] + }, + "LinuxImagesToAddToLogAgentAuditScope": { + "type": "array", + "metadata": { + "displayName": "Optional: List of Linux VM images that support Log Analytics agent to add to audit scope", + "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage" + }, + "defaultValue": [] + }, + "identityDesignateMoreThanOneOwnerMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: There should be more than one owner assigned to your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "diskEncryptionMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Disk encryption should be applied on virtual machines", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + 
"emailNotificationToSubscriptionOwnerHighSeverityAlertsEnabledEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Email notification to subscription owner for high severity alerts should be enabled", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "functionAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Remote debugging should be turned off for Function Apps", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "ensureDotNetFrameworkLatestForFunctionAppEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "sqlDbEncryptionMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Transparent Data Encryption on SQL databases should be enabled", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: 
Vulnerability assessment should be enabled on your SQL managed instances", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "ensurePHPVersionLatestForAPIAppEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the Api app", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "aadAuthenticationInSqlServerMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: An Azure Active Directory administrator should be provisioned for SQL servers", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "diagnosticsLogsInRedisCacheMonitoringEffect": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Only secure connections to your Redis Cache should be enabled", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "vmssEndpointProtectionMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Endpoint protection solution should be installed on virtual machine scale sets", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": { + 
"type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Audit unrestricted network access to storage accounts", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "vmssOsVulnerabilitiesMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "secureTransferToStorageAccountMonitoringEffect": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Secure transfer to storage accounts should be enabled", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "adaptiveApplicationControlsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Adaptive Application Controls should be enabled on virtual machines", + 
"description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "geoRedundantBackupShouldBeEnabledForAzureDatabaseForPostgreSQLEffect": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "ensureJavaVersionLatestForWebAppEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Web app", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityDesignateLessThanOwnersMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: A maximum of 3 owners should be designated for your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "securityContactEmailAddressForSubscriptionEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: A security contact email address should be provided for your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "webAppRestrictCORSAccessMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ 
+ "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: CORS should not allow every resource to access your Web Applications", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: External accounts with write permissions should be removed from your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: External accounts with read permissions should be removed from your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityRemoveDeprecatedAccountMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Deprecated accounts should be removed from your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "functionAppEnforceHttpsMonitoringEffect": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Function App should only be accessible over HTTPS", + "description": "Azure Policy effect for this policy; for more information about effects, visit 
https://aka.ms/policyeffects"
+ }
+ },
+ "ensurePythonVersionLatestForWebAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Web app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensurePythonVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensurePHPVersionLatestForWebAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensurePythonVersionLatestForAPIAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Python version' is the latest, if used as a part of the Api app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "vulnerabilityAssessmentMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for 
policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "geoRedundantBackupShouldBeEnabledForAzureDatabaseForMySQLEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Geo-redundant backup should be enabled for Azure Database for MySQL",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensureDotNetFrameworkLatestForWebAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "systemUpdatesMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: System updates should be installed on your machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensureJavaVersionLatestForAPIAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Api app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensureHTTPVersionLatestForWebAppEffect": {
+ "type": "string",
+ 
"defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Web app", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "apiAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Latest TLS version should be used in your API App", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityEnableMFAForWritePermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: MFA should be enabled accounts with write permissions on your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "sqlServerAdvancedDataSecurityEmailsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Advanced data security settings for SQL server should contain an email address to receive security alerts", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "ensureHTTPVersionLatestForAPIAppEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Api app", + "description": "Azure 
Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "microsoftIaaSAntimalwareExtensionShouldBeDeployedOnWindowsServersEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Microsoft IaaSAntimalware extension should be deployed on Windows servers",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensureJavaVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'Java version' is the latest, if used as a part of the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "nextGenerationFirewallMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Access through Internet facing endpoint should be restricted",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "securityCenterStandardPricingTierShouldBeSelectedEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Security Center standard pricing tier should be selected",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "useRbacRulesMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ 
"displayName": "Effect for policy: Audit usage of custom RBAC rules", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "webAppEnforceHttpsMonitoringEffect": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Web Application should only be accessible over HTTPS", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "sqlServerAuditingMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Auditing on SQL server should be enabled", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachinesEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: The Log Analytics agent should be installed on virtual machines", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "vnetEnableDDoSProtectionMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: DDoS Protection Standard should be enabled", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityEnableMFAForOwnerPermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + 
],
+ "metadata": {
+ "displayName": "Effect for policy: MFA should be enabled on accounts with owner permissions on your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensurePHPVersionLatestForFunctionAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that 'PHP version' is the latest, if used as a part of the Function app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "sqlServerAdvancedDataSecurityMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Advanced data security should be enabled on your SQL servers",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Advanced data security should be enabled on your SQL managed instances",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings",
+ "description": "Azure Policy effect for this 
policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "endpointProtectionMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Monitor missing Endpoint Protection in Azure Security Center",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "jitNetworkAccessMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Just-In-Time network access control should be applied on virtual machines",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "securityContactPhoneNumberShouldBeProvidedForSubscriptionEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: A security contact phone number should be provided for your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "aadAuthenticationInServiceFabricMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Service Fabric clusters should only use Azure Active Directory for client authentication",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "apiAppEnforceHttpsMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for 
policy: API App should only be accessible over HTTPS",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "threatDetectionTypesOnManagedInstanceMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "geoRedundantStorageShouldBeEnabledForStorageAccountsEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Geo-redundant storage should be enabled for Storage Accounts",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "ensureDotNetFrameworkLatestForAPIAppEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Ensure that '.NET Framework' version is the latest, if used as a part of the API app",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "vmssSystemUpdatesMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: System updates on virtual machine scale sets should be installed",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ 
"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "webAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Remote debugging should be turned off for Web Applications", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Long-term geo-redundant backup should be enabled for Azure SQL Databases", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "systemConfigurationsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerabilities in security configuration on your machines should be remediated", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "ensureHTTPVersionLatestForFunctionAppEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": 
"Effect for policy: Ensure that 'HTTP Version' is the latest, if used to run the Function app", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityEnableMFAForReadPermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: MFA should be enabled on accounts with read permissions on your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "threatDetectionTypesOnServerMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "containerBenchmarkMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerabilities in container security configurations should be remediated", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "apiAppDisableRemoteDebuggingMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Remote debugging should be turned off for API Apps", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + 
"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Deprecated accounts with owner permissions should be removed from your subscription", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "vulnerabilityAssessmentOnServerMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Vulnerability assessment should be enabled on your SQL servers", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "theLogAnalyticsAgentShouldBeInstalledOnVirtualMachineScaleSetsEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: The Log Analytics agent should be installed on Virtual Machine Scale Sets", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "webAppRequireLatestTlsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for policy: Latest TLS version should be used in your Web App", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + } + }, + "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect for 
policy: External accounts with owner permissions should be removed from your subscription",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "functionAppRequireLatestTlsMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Latest TLS version should be used in your Function App",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "kubernetesServiceVersionUpToDateMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ },
+ "sqlDbVulnerabilityAssesmentMonitoringEffect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect for policy: Vulnerabilities on your SQL databases should be remediated",
+ "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects"
+ }
+ }
+ },
+ "resourceGroups": {
+
+ },
+ "targetScope": "subscription",
+ "status": {
+ "timeCreated": "2020-03-06T11:53:13+00:00",
+ "lastModified": "2020-03-06T11:53:13.2782125+00:00"
+ },
+ "displayName": "DoD Impact Level 5",
+ "description": "Assigns policies to address specific DOD Impact Level 5 controls."
+ },
+ "id": "/providers/Microsoft.Blueprint/blueprints/DOD_IL5_Gov",
+ "type": "Microsoft.Blueprint/blueprints",
+ "name": "DOD_IL5_Gov"
+}
\ No newline at end of file
diff --git a/samples/001-builtins/MPAA/artifact.2b55d1eb-b82c-4c1a-89f9-de20d90e9f51.json b/samples/001-builtins/MPAA/artifact.2b55d1eb-b82c-4c1a-89f9-de20d90e9f51.json
index 7ed5b0e..71168c0 100644
--- a/samples/001-builtins/MPAA/artifact.2b55d1eb-b82c-4c1a-89f9-de20d90e9f51.json
+++ b/samples/001-builtins/MPAA/artifact.2b55d1eb-b82c-4c1a-89f9-de20d90e9f51.json
@@ -228,7 +228,7 @@
 "dependsOn": [
 ],
- "displayName": "Audit Motion Picture Association of America (MPAA) controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "Motion Picture Association of America (MPAA)"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/MPAA/artifacts/2b55d1eb-b82c-4c1a-89f9-de20d90e9f51",
diff --git a/samples/001-builtins/caf-foundation/blueprint.json b/samples/001-builtins/caf-foundation/blueprint.json
index 695b548..0f40f7e 100644
--- a/samples/001-builtins/caf-foundation/blueprint.json
+++ b/samples/001-builtins/caf-foundation/blueprint.json
@@ -60,170 +60,290 @@
 "Standard_F2s_v2"
 ],
 "allowedValues": [
- "Standard_A1_v2",
- "Standard_A2m_v2",
- "Standard_A2_v2",
- "Standard_A4m_v2",
- "Standard_A4_v2",
- "Standard_A8m_v2",
- "Standard_A8_v2",
- "Standard_B1ls",
- "Standard_B1ms",
- "Standard_B1s",
- "Standard_B2ms",
- "Standard_B2s",
- "Standard_B4ms",
- "Standard_B8ms",
- "Standard_D1_v2",
- "Standard_D2s_v3",
- "Standard_D2_v2",
- "Standard_D2_v3",
- "Standard_D3_v2",
- "Standard_D4s_v3",
- "Standard_D4_v2",
- "Standard_D4_v3",
- "Standard_D5_v2",
- "Standard_D8s_v3",
- "Standard_D8_v3",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_D16s_v3",
- "Standard_D16_v3",
- "Standard_D32s_v3",
- "Standard_D32_v3",
- "Standard_D64s_v3",
- "Standard_D64_v3",
- "Standard_DC2s",
- "Standard_DC4s",
- "Standard_DS1_v2",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11-1_v2",
- "Standard_DS11_v2",
- "Standard_DS12-1_v2",
- "Standard_DS12-2_v2",
- "Standard_DS12_v2",
- "Standard_DS13-2_v2",
- "Standard_DS13-4_v2",
- "Standard_DS13_v2",
- "Standard_DS14-4_v2",
- "Standard_DS14-8_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_E2s_v3",
- "Standard_E2_v3",
- "Standard_E4-2s_v3",
- "Standard_E4s_v3",
- "Standard_E4_v3",
- "Standard_E8-2s_v3",
- "Standard_E8-4s_v3",
- "Standard_E8s_v3",
- "Standard_E8_v3",
- "Standard_E16-4s_v3",
- "Standard_E16-8s_v3",
- "Standard_E16s_v3",
- "Standard_E16_v3",
- "Standard_E20s_v3",
- "Standard_E20_v3",
- "Standard_E32-8s_v3",
- "Standard_E32-16s_v3",
- "Standard_E32s_v3",
- "Standard_E32_v3",
- "Standard_E64-16s_v3",
- "Standard_E64-32s_v3",
- "Standard_E64is_v3",
- "Standard_E64i_v3",
- "Standard_E64s_v3",
- "Standard_E64_v3",
- "Standard_F1s",
- "Standard_F2s",
- "Standard_F2s_v2",
- "Standard_F4s",
- "Standard_F4s_v2",
- "Standard_F8s",
- "Standard_F8s_v2",
- "Standard_F16s",
- "Standard_F16s_v2",
- "Standard_F32s_v2",
- "Standard_F64s_v2",
- "Standard_F72s_v2",
- "Standard_GS1",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS4-4",
- "Standard_GS4-8",
- "Standard_GS5",
- "Standard_GS5-8",
- "Standard_GS5-16",
- "Standard_H8",
- "Standard_H8m",
- "Standard_H16",
- "Standard_H16m",
- "Standard_H16mr",
- "Standard_H16r",
- "Standard_HB60rs",
- "Standard_HC44rs",
- "Standard_L4s",
- "Standard_L8s",
- "Standard_L8s_v2",
- "Standard_L16s",
- "Standard_L16s_v2",
- "Standard_L32s",
- "Standard_L32s_v2",
- "Standard_L64s_v2",
- "Standard_L80s_v2",
- "Standard_M8-2ms",
- "Standard_M8-4ms",
- "Standard_M8ms",
- "Standard_M16-4ms",
- "Standard_M16-8ms",
- "Standard_M16ms",
- "Standard_M32-8ms",
- "Standard_M32-16ms",
- "Standard_M32ls",
- "Standard_M32ms",
- "Standard_M32ts",
- "Standard_M64",
- "Standard_M64-16ms",
- "Standard_M64-32ms",
- "Standard_M64ls",
- "Standard_M64m",
- "Standard_M64ms",
- "Standard_M64s",
- "Standard_M128",
- "Standard_M128-32ms",
- "Standard_M128-64ms",
- "Standard_M128m",
- "Standard_M128ms",
- "Standard_M128s",
- "Standard_NC6",
- "Standard_NC6s_v2",
- "Standard_NC6s_v3",
- "Standard_NC12",
- "Standard_NC12s_v2",
- "Standard_NC12s_v3",
- "Standard_NC24",
- "Standard_NC24r",
- "Standard_NC24rs_v2",
- "Standard_NC24rs_v3",
- "Standard_NC24s_v2",
- "Standard_NC24s_v3",
- "Standard_ND6s",
- "Standard_ND12s",
- "Standard_ND24rs",
- "Standard_ND24s",
- "Standard_NV6",
- "Standard_NV6s_v2",
- "Standard_NV12",
- "Standard_NV12s_v2",
- "Standard_NV24",
- "Standard_NV24s_v2"
+ "Standard_A1_v2",
+ "Standard_A2_v2",
+ "Standard_A2m_v2",
+ "Standard_A4_v2",
+ "Standard_A4m_v2",
+ "Standard_A8_v2",
+ "Standard_A8m_v2",
+ "Standard_B12ms",
+ "Standard_B16ms",
+ "Standard_B1ls",
+ "Standard_B1ms",
+ "Standard_B1s",
+ "Standard_B20ms",
+ "Standard_B2ms",
+ "Standard_B2s",
+ "Standard_B4ms",
+ "Standard_B8ms",
+ "Standard_D1_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_D16_v3",
+ "Standard_D16_v4",
+ "Standard_D16a_v4",
+ "Standard_D16as_v4",
+ "Standard_D16d_v4",
+ "Standard_D16ds_v4",
+ "Standard_D16s_v3",
+ "Standard_D16s_v4",
+ "Standard_D2_v2",
+ "Standard_D2_v3",
+ "Standard_D2_v4",
+ "Standard_D2a_v4",
+ "Standard_D2as_v4",
+ "Standard_D2d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D2s_v3",
+ "Standard_D2s_v4",
+ "Standard_D3_v2",
+ "Standard_D32_v3",
+ "Standard_D32_v4",
+ "Standard_D32a_v4",
+ "Standard_D32as_v4",
+ "Standard_D32d_v4",
+ "Standard_D32ds_v4",
+ "Standard_D32s_v3",
+ "Standard_D32s_v4",
+ "Standard_D4_v2",
+ "Standard_D4_v3",
+ "Standard_D4_v4",
+ "Standard_D48_v3",
+ "Standard_D48_v4",
+ "Standard_D48a_v4",
+ "Standard_D48as_v4",
+ "Standard_D48d_v4",
+ "Standard_D48ds_v4",
+ "Standard_D48s_v3",
+ "Standard_D48s_v4",
+ "Standard_D4a_v4",
+ "Standard_D4as_v4",
+ "Standard_D4d_v4",
+ "Standard_D4ds_v4",
+ "Standard_D4s_v3",
+ "Standard_D4s_v4",
+ "Standard_D5_v2",
+ "Standard_D64_v3",
+ "Standard_D64_v4",
+ "Standard_D64a_v4",
+ "Standard_D64as_v4",
+ "Standard_D64d_v4",
+ "Standard_D64ds_v4",
+ "Standard_D64s_v3",
+ "Standard_D64s_v4",
+ "Standard_D8_v3",
+ "Standard_D8_v4",
+ "Standard_D8a_v4",
+ "Standard_D8as_v4",
+ "Standard_D8d_v4",
+ "Standard_D8ds_v4",
+ "Standard_D8s_v3",
+ "Standard_D8s_v4",
+ "Standard_D96a_v4",
+ "Standard_D96as_v4",
+ "Standard_DC1s_v2",
+ "Standard_DC2s_v2",
+ "Standard_DC4s_v2",
+ "Standard_DC8_v2",
+ "Standard_DS1_v2",
+ "Standard_DS11_v2",
+ "Standard_DS11-1_v2",
+ "Standard_DS12_v2",
+ "Standard_DS12-1_v2",
+ "Standard_DS12-2_v2",
+ "Standard_DS13_v2",
+ "Standard_DS13-2_v2",
+ "Standard_DS13-4_v2",
+ "Standard_DS14_v2",
+ "Standard_DS14-4_v2",
+ "Standard_DS14-8_v2",
+ "Standard_DS15_v2",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_E16_v3",
+ "Standard_E16_v4",
+ "Standard_E16-4as_v4",
+ "Standard_E16-4ds_v4",
+ "Standard_E16-4s_v3",
+ "Standard_E16-4s_v4",
+ "Standard_E16-8as_v4",
+ "Standard_E16-8ds_v4",
+ "Standard_E16-8s_v3",
+ "Standard_E16-8s_v4",
+ "Standard_E16a_v4",
+ "Standard_E16as_v4",
+ "Standard_E16d_v4",
+ "Standard_E16ds_v4",
+ "Standard_E16s_v3",
+ "Standard_E16s_v4",
+ "Standard_E2_v3",
+ "Standard_E2_v4",
+ "Standard_E20_v3",
+ "Standard_E20_v4",
+ "Standard_E20a_v4",
+ "Standard_E20as_v4",
+ "Standard_E20d_v4",
+ "Standard_E20ds_v4",
+ "Standard_E20s_v3",
+ "Standard_E20s_v4",
+ "Standard_E2a_v4",
+ "Standard_E2as_v4",
+ "Standard_E2d_v4",
+ "Standard_E2ds_v4",
+ "Standard_E2s_v3",
+ "Standard_E2s_v4",
+ "Standard_E32_v3",
+ "Standard_E32_v4",
+ "Standard_E32-16as_v4",
+ "Standard_E32-16ds_v4",
+ "Standard_E32-16s_v3",
+ "Standard_E32-16s_v4",
+ "Standard_E32-8as_v4",
+ "Standard_E32-8ds_v4",
+ "Standard_E32-8s_v3",
+ "Standard_E32-8s_v4",
+ "Standard_E32a_v4",
+ "Standard_E32as_v4",
+ "Standard_E32d_v4",
+ "Standard_E32ds_v4",
+ "Standard_E32s_v3",
+ "Standard_E32s_v4",
+ "Standard_E4_v3",
+ "Standard_E4_v4",
+ "Standard_E4-2as_v4",
+ "Standard_E4-2ds_v4",
+ "Standard_E4-2s_v3",
+ "Standard_E4-2s_v4",
+ "Standard_E48_v3",
+ "Standard_E48_v4",
+ "Standard_E48a_v4",
+ "Standard_E48as_v4",
+ "Standard_E48d_v4",
+ "Standard_E48ds_v4",
+ "Standard_E48s_v3",
+ "Standard_E48s_v4",
+ "Standard_E4a_v4",
+ "Standard_E4as_v4",
+ "Standard_E4d_v4",
+ "Standard_E4ds_v4",
+ "Standard_E4s_v3",
+ "Standard_E4s_v4",
+ "Standard_E64_v3",
+ "Standard_E64_v4",
+ "Standard_E64-16as_v4",
+ "Standard_E64-16ds_v4",
+ "Standard_E64-16s_v3",
+ "Standard_E64-16s_v4",
+ "Standard_E64-32as_v4",
+ "Standard_E64-32ds_v4",
+ "Standard_E64-32s_v3",
+ "Standard_E64-32s_v4",
+ "Standard_E64a_v4",
+ "Standard_E64as_v4",
+ "Standard_E64d_v4",
+ "Standard_E64ds_v4",
+ "Standard_E64i_v3",
+ "Standard_E64is_v3",
+ "Standard_E64s_v3",
+ "Standard_E64s_v4",
+ "Standard_E8_v3",
+ "Standard_E8_v4",
+ "Standard_E80ids_v4",
+ "Standard_E80is_v4",
+ "Standard_E8-2as_v4",
+ "Standard_E8-2ds_v4",
+ "Standard_E8-2s_v3",
+ "Standard_E8-2s_v4",
+ "Standard_E8-4as_v4",
+ "Standard_E8-4ds_v4",
+ "Standard_E8-4s_v3",
+ "Standard_E8-4s_v4",
+ "Standard_E8a_v4",
+ "Standard_E8as_v4",
+ "Standard_E8d_v4",
+ "Standard_E8ds_v4",
+ "Standard_E8s_v3",
+ "Standard_E8s_v4",
+ "Standard_E96-24as_v4",
+ "Standard_E96-48as_v4",
+ "Standard_E96a_v4",
+ "Standard_E96as_v4",
+ "Standard_F16s_v2",
+ "Standard_F2s_v2",
+ "Standard_F32s_v2",
+ "Standard_F48s_v2",
+ "Standard_F4s_v2",
+ "Standard_F64s_v2",
+ "Standard_F72s_v2",
+ "Standard_F8s_v2",
+ "Standard_H16",
+ "Standard_H16m",
+ "Standard_H16mr",
+ "Standard_H16r",
+ "Standard_H8",
+ "Standard_H8m",
+ "Standard_HB120rs_v2",
+ "Standard_HB60rs",
+ "Standard_HC44rs",
+ "Standard_L16s_v2",
+ "Standard_L32s_v2",
+ "Standard_L48s_v2",
+ "Standard_L64s_v2",
+ "Standard_L80s_v2",
+ "Standard_L8s_v2",
+ "Standard_M128",
+ "Standard_M128-32ms",
+ "Standard_M128-64ms",
+ "Standard_M128m",
+ "Standard_M128ms",
+ "Standard_M128s",
+ "Standard_M16-4ms",
+ "Standard_M16-8ms",
+ "Standard_M16ms",
+ "Standard_M208ms_v2",
+ "Standard_M208s_v2",
+ "Standard_M32-16ms",
+ "Standard_M32-8ms",
+ "Standard_M32ls",
+ "Standard_M32ms",
+ "Standard_M32ts",
+ "Standard_M416-208ms_v2",
+ "Standard_M416-208s_v2",
+ "Standard_M416ms_v2",
+ "Standard_M416s_v2",
+ "Standard_M64",
+ "Standard_M64-16ms",
+ "Standard_M64-32ms",
+ "Standard_M64ls",
+ "Standard_M64m",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_M8-2ms",
+ "Standard_M8-4ms",
+ "Standard_M8ms",
+ "Standard_NC12s_v3",
+ "Standard_NC16as_T4_v3",
+ "Standard_NC24rs_v3",
+ "Standard_NC24s_v3",
+ "Standard_NC4as_T4_v3",
+ "Standard_NC64as_T4_v3",
+ "Standard_NC6s_v3",
+ "Standard_NC8as_T4_v3",
+ "Standard_ND40rs_v2",
+ "Standard_ND40s_v3",
+ "Standard_NV12s_v3",
+ "Standard_NV16as_v4",
+ "Standard_NV24s_v3",
+ "Standard_NV32as_v4",
+ "Standard_NV48s_v3",
+ "Standard_NV4as_v4",
+ "Standard_NV8as_v4"
 ]
 },
 "Organization_Name": {
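Review bot: The new `allowedValues` list drops entries the old one permitted — for example `Standard_DC2s`, `Standard_DC4s`, the whole `Standard_GS*` family, `Standard_L4s`/`Standard_L8s`, `Standard_F1s`/`Standard_F2s`, and the `Standard_NC6`/`NC12`/`NC24` and `ND6s`–`ND24s` generations — and nothing in the hunk records that, so a blueprint assignment that picked one of those values for this parameter will presumably fail parameter validation when it is moved to this version. A short note in the parameter's `metadata.description` (the parameter header sits above the hunk) or in the release notes naming the removed SKUs would make that migration step visible. The `defaultValue` `Standard_F2s_v2` shown in the leading context is still present in the new list, so the default remains valid, and the new list is sorted, which will keep future diffs of it readable.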
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-from-rg--append.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-from-rg--append.json
new file mode 100644
index 0000000..b203afa
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-from-rg--append.json
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d",
+ "parameters": {
+ "tagName": {
+ "value": "CostCenter"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Append CostCenter TAG & its value from the Resource Group"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-costcenter-tag-from-rg--append",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-costcenter-tag-from-rg--append"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-to-rg.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-to-rg.json
new file mode 100644
index 0000000..034daf3
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-costcenter-tag-to-rg.json
@@ -0,0 +1,21 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71",
+ "parameters": {
+ "tagName": {
+ "value": "CostCenter"
+ },
+ "tagValue": {
+ "value": "[parameters('Policy_CostCenter_Tag')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Append CostCenter TAG to Resource Groups"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-costcenter-tag-to-rg",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-costcenter-tag-to-rg"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-enable-monitoring-securitycenter.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-enable-monitoring-securitycenter.json
new file mode 100644
index 0000000..f68e074
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-enable-monitoring-securitycenter.json
@@ -0,0 +1,306 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "parameters": {
+ "vmssSystemUpdatesMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "vmssEndpointProtectionMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "vmssOsVulnerabilitiesMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "systemUpdatesMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "systemConfigurationsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "endpointProtectionMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diskEncryptionMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "networkSecurityGroupsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "webApplicationFirewallMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "nextGenerationFirewallMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "vulnerabilityAssesmentMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "storageEncryptionMonitoringEffect": {
+ "value": "Audit"
+ },
+ "jitNetworkAccessMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "adaptiveApplicationControlsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "sqlAuditingMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "sqlEncryptionMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "sqlDbEncryptionMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "sqlServerAuditingMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInAppServiceMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "diagnosticsLogsInSelectiveAppServicesMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "encryptionOfAutomationAccountMonitoringEffect": {
+ "value": "Audit"
+ },
+ "diagnosticsLogsInBatchAccountMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInBatchAccountRetentionDays": {
+ "value": "365"
+ },
+ "metricAlertsInBatchAccountMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "classicComputeVMsMonitoringEffect": {
+ "value": "Audit"
+ },
+ "classicStorageAccountsMonitoringEffect": {
+ "value": "Audit"
+ },
+ "diagnosticsLogsInDataLakeAnalyticsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInDataLakeAnalyticsRetentionDays": {
+ "value": "365"
+ },
+ "diagnosticsLogsInDataLakeStoreMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInDataLakeStoreRetentionDays": {
+ "value": "365"
+ },
+ "diagnosticsLogsInEventHubMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInEventHubRetentionDays": {
+ "value": "365"
+ },
+ "diagnosticsLogsInKeyVaultMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInKeyVaultRetentionDays": {
+ "value": "365"
+ },
+ "diagnosticsLogsInLogicAppsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInLogicAppsRetentionDays": {
+ "value": "365"
+ },
+ "diagnosticsLogsInRedisCacheMonitoringEffect": {
+ "value": "Audit"
+ },
+ "diagnosticsLogsInSearchServiceMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInSearchServiceRetentionDays": {
+ "value": "365"
+ },
+ "aadAuthenticationInServiceFabricMonitoringEffect": {
+ "value": "Audit"
+ },
+ "clusterProtectionLevelInServiceFabricMonitoringEffect": {
+ "value": "Audit"
+ },
+ "diagnosticsLogsInServiceBusMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInServiceBusRetentionDays": {
+ "value": "365"
+ },
+ "namespaceAuthorizationRulesInServiceBusMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "aadAuthenticationInSqlServerMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "secureTransferToStorageAccountMonitoringEffect": {
+ "value": "Audit"
+ },
+ "diagnosticsLogsInStreamAnalyticsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "diagnosticsLogsInStreamAnalyticsRetentionDays": {
+ "value": "365"
+ },
+ "useRbacRulesMonitoringEffect": {
+ "value": "Audit"
+ },
+ "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
+ "value": "Audit"
+ },
+ "diagnosticsLogsInServiceFabricMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "accessRulesInEventHubNamespaceMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "accessRulesInEventHubMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "sqlDbVulnerabilityAssesmentMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "sqlDbDataClassificationMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityDesignateLessThanOwnersMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityDesignateMoreThanOneOwnerMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityEnableMFAForWritePermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityEnableMFAForReadPermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityRemoveDeprecatedAccountMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "apiAppConfigureIPRestrictionsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "functionAppConfigureIPRestrictionsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppConfigureIPRestrictionsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "apiAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "functionAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "webAppDisableRemoteDebuggingMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "apiAppDisableWebSocketsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "functionAppDisableWebSocketsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppDisableWebSocketsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "apiAppEnforceHttpsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "functionAppEnforceHttpsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "webAppEnforceHttpsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "apiAppRestrictCORSAccessMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "functionAppRestrictCORSAccessMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "webAppRestrictCORSAccessMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "apiAppUsedCustomDomainsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "functionAppUsedCustomDomainsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppUsedCustomDomainsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "apiAppUsedLatestDotNetMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppUsedLatestDotNetMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "apiAppUsedLatestJavaMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppUsedLatestJavaMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppUsedLatestNodeJsMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "apiAppUsedLatestPHPMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppUsedLatestPHPMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "apiAppUsedLatestPythonMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "webAppUsedLatestPythonMonitoringEffect": {
+ "value": "Disabled"
+ },
+ "vnetEnableDDoSProtectionMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "kubernetesServiceRbacEnabledMonitoringEffect": {
+ "value": "Audit"
+ },
+ "restrictAccessToManagementPortsMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "restrictAccessToAppServicesMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ },
+ "disableIPForwardingMonitoringEffect": {
+ "value": "AuditIfNotExists"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Enable Monitoring in Azure Security Center"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-enable-monitoring-securitycenter",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-enable-monitoring-securitycenter"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-location-resource--allow.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-location-resource--allow.json
new file mode 100644
index 0000000..0f93aa7
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-location-resource--allow.json
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('Policy_Allowed-Locations')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Allowed locations"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-location-resource--allow",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-location-resource--allow"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-locations-resourcegroup--allow.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-locations-resourcegroup--allow.json
new file mode 100644
index 0000000..d0e97de
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-locations-resourcegroup--allow.json
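Review bot: A block of effects in this assignment is pinned to `"Disabled"` while the rest use `AuditIfNotExists`/`Audit` — the three `*ConfigureIPRestrictionsMonitoringEffect` parameters, `diagnosticsLogsInAppServiceMonitoringEffect`, `namespaceAuthorizationRulesInServiceBusMonitoringEffect`, both `accessRulesInEventHub*` parameters, and all of the `*DisableWebSockets*`, `*UsedCustomDomains*` and `*UsedLatest*` runtime checks — and nothing in the artifact records why those checks are opted out of. Because the values are literals rather than `[parameters(...)]` references like the sibling artifacts use, a consumer of the blueprint cannot re-enable them without editing this file; consider exposing them as blueprint parameters with an `Audit*` default, or at least adding a `description` beside `displayName` that explains the opt-out. The `*RetentionDays` values are the string `"365"`; that is presumably what the initiative's parameter type expects, but it is worth confirming, since a type mismatch only surfaces at assignment time.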
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('Policy_Allowed-Locations')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Allowed locations for resource groups"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-locations-resourcegroup--allow",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-locations-resourcegroup--allow"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-networkwatcher--deploy.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-networkwatcher--deploy.json
new file mode 100644
index 0000000..b307bc7
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-networkwatcher--deploy.json
@@ -0,0 +1,16 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9",
+ "parameters": {
+
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Deploy network watcher when virtual networks are created"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-networkwatcher--deploy",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-networkwatcher--deploy"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-resource-types--deny.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-resource-types--deny.json
new file mode 100644
index 0000000..7fae8d2
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-resource-types--deny.json
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "value": "[parameters('Policy_Resource-Types-DENY')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Resource Types that you do not want to allow in your environment"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-resource-types--deny",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-resource-types--deny"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount--xfer.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount--xfer.json
new file mode 100644
index 0000000..d9beff8
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount--xfer.json
@@ -0,0 +1,16 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "parameters": {
+
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Secure transfer to storage accounts should be enabled"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-storageaccount--xfer",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-storageaccount--xfer"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount-skus--allow.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount-skus--allow.json
new file mode 100644
index 0000000..7a2a94a
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-storageaccount-skus--allow.json
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
+ "parameters": {
+ "listOfAllowedSKUs": {
+ "value": "[parameters('Policy_Allowed-StorageAccount-SKUs')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Allowed storage account SKUs"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-storageaccount-skus--allow",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-storageaccount-skus--allow"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-vm-skus--allow.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-vm-skus--allow.json
new file mode 100644
index 0000000..6e25bd4
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-policy-vm-skus--allow.json
@@ -0,0 +1,18 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
+ "parameters": {
+ "listOfAllowedSKUs": {
+ "value": "[parameters('Policy_Allowed-VM-SKUs')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Allowed virtual machine SKUs"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-policy-vm-skus--allow",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-policy-vm-skus--allow"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-keyvaults--deploy.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-keyvaults--deploy.json
new file mode 100644
index 0000000..c4bd085
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-keyvaults--deploy.json
@@ -0,0 +1,129 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Organization_Name": {
+ "type": "string"
+ },
+ "KV-AccessPolicy": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "deployment-prefix": "[concat(parameters('Organization_Name'), '-sharedsvcs')]",
+ "key-vault-name": "[concat(variables('deployment-prefix'), '-kv')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "name": "[variables('key-vault-name')]",
+ "apiVersion": "2016-10-01",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "displayName": "KeyVault"
+ },
+ "properties": {
+ "createMode": "default",
+ "enabledForDeployment": true,
+ "enabledForDiskEncryption": true,
+ "enabledForTemplateDeployment": true,
+ "tenantId": "[subscription().tenantId]",
+ "sku": {
+ "name": "premium",
+ "family": "A"
+ },
+ "networkAcls": {
+ "defaultAction": "Allow",
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [
+
+ ],
+ "ipRules": [
+
+ ]
+ },
+ "accessPolicies": [
+ {
+ "objectId": "[parameters('KV-AccessPolicy')]",
+ "tenantId": "[subscription().tenantId]",
+ "permissions": {
+ "keys": [
+ "get",
+ "list",
+ "update",
+ "create",
+ "import",
+ "delete",
+ "recover",
+ "backup",
+ "restore"
+ ],
+ "secrets": [
+ "get",
+ "list",
+ "set",
+ "delete",
+ "recover",
+ "backup",
+ "restore"
+ ],
+ "certificates": [
+ "get",
+ "list",
+ "update",
+ "create",
+ "import",
+ "delete",
+ "recover",
+ "deleteissuers",
+ "recover",
+ "managecontacts",
+ "manageissuers",
+ "getissuers",
+ "listissuers",
+ "setissuers"
+ ]
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/providers/locks",
+ "apiVersion": "2016-09-01",
+ "name": "[concat(variables('key-vault-name'), '/Microsoft.Authorization/keyVaultDoNotDelete')]",
+ "dependsOn": [
+ "[concat('Microsoft.KeyVault/vaults/', variables('key-vault-name'))]"
+ ],
+ "comments": "Resource lock on key vault",
+ "properties": {
+ "level": "CannotDelete"
+ }
+ }
+ ],
+ "outputs": {
+
+ }
+ },
+ "parameters": {
+ "Organization_Name": {
+ "value": "[parameters('Organization_Name')]"
+ },
+ "KV-AccessPolicy": {
+ "value": "[parameters('KV-AccessPolicy')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "resourceGroup": "SharedServices-RG",
+ "displayName": "Deploy Key Vault",
+ "description": "Deploy Key Vault for Secrets, Certs & Keys"
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-template-keyvaults--deploy",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-template-keyvaults--deploy"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-loganalytics--deploy.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-loganalytics--deploy.json
new file mode 100644
index 0000000..e9ed101
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-loganalytics--deploy.json
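Review bot: `networkAcls.defaultAction` is `"Allow"` with empty `virtualNetworkRules` and `ipRules`, so the vault accepts requests from any network and the `"bypass": "AzureServices"` entry has no effect; for a shared-services vault the safer default is `"defaultAction": "Deny"` with the bypass kept, or a template parameter so the consumer chooses. The `certificates` permission array lists `"recover"` twice, and the single access policy gives the `KV-AccessPolicy` object ID every key, secret and certificate permission while `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` are all true — a `description` on the `KV-AccessPolicy` parameter stating that this principal becomes an effective vault administrator would make that explicit to whoever assigns the blueprint. Nothing in `properties` enables soft delete or purge protection, and the `CannotDelete` lock only guards the vault resource itself, not the objects stored in it; presumably `"enableSoftDelete": true` is accepted on this apiVersion (to be confirmed) and would be worth setting before the template is reused.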
@@ -0,0 +1,157 @@ +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Organization_Name": { + "type": "string" + }, + "data-retention": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "displayName": "Log retention in days", + "description": "Number of days data will be retained for" + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "Location", + "description": "Region used when establishing the workspace" + }, + "allowedValues": [ + "Australia Central", + "Australia East", + "Australia Southeast", + "Brazil South", + "Canada Central", + "Central India", + "Central US", + "East Asia", + "East US", + "East US 2", + "France Central", + "Japan East", + "Korea Central", + "North Central US", + "North Europe", + "South Africa North", + "South Central US", + "Southeast Asia", + "UK South", + "UK West", + "USGov Arizona", + "USGov Virginia", + "West Europe", + "West US", + "West US 2" + ] + } + }, + "variables": { + "deployment-prefix": "[concat(parameters('Organization_Name'), '-sharedsvcs')]", + "uniqueString": "[uniqueString(subscription().id, concat(variables('deployment-prefix'), '-log'))]", + "diagnostic-storageAccount-prefix": "[concat(replace(variables('deployment-prefix'), '-', ''), 'diag')]", + "diagnostic-storageAccount-name": "[toLower(substring(replace(concat(variables('diagnostic-storageAccount-prefix'), variables('uniqueString'), variables('uniqueString')), '-', ''), 0, 23) )]", + "oms-workspace-name": "[concat(variables('deployment-prefix'), '-log')]" + }, + "resources": [ + { + "comments": "----DIAGNOSTICS STORAGE ACCOUNT-----", + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('diagnostic-storageAccount-name')]", + "apiVersion": "2018-07-01", + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": 
"Standard_LRS" + }, + "tags": { + "displayName": "Storage Account" + }, + "properties": { + "encryption": { + "keySource": "Microsoft.Storage", + "services": { + "blob": { + "enabled": true + }, + "file": { + "enabled": true + } + } + }, + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Storage/storageAccounts/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(variables('diagnostic-storageAccount-name'), '/Microsoft.Authorization/storageDoNotDelete')]", + "dependsOn": [ + "[concat('Microsoft.Storage/storageAccounts/', variables('diagnostic-storageAccount-name'))]" + ], + "comments": "Resource lock on diagnostic storage account", + "properties": { + "level": "CannotDelete" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "name": "[variables('oms-workspace-name')]", + "apiVersion": "2017-03-15-preview", + "location": "[parameters('location')]", + "tags": { + "displayName": "Log Analytics" + }, + "properties": { + "sku": { + "Name": "pergb2018" + }, + "retention": "[parameters('data-retention')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(variables('oms-workspace-name'), '/Microsoft.Authorization/logAnalyticsDoNotDelete')]", + "dependsOn": [ + "[variables('oms-workspace-name')]" + ], + "comments": "Resource lock on Log Analytics", + "properties": { + "level": "CannotDelete" + } + } + ], + "outputs": { + + } + }, + "parameters": { + "Organization_Name": { + "value": "[parameters('Organization_Name')]" + }, + "data-retention": { + "value": "[parameters('LogAnalytics_DataRetention')]" + }, + "location": { + "value": "[parameters('LogAnalytics_Location')]" + } + }, + "dependsOn": [ + + ], + "resourceGroup": "SharedServices-RG", + "displayName": "Deploy Log Analytics", + "description": "Deploy Log Analytics for Diagnostics" + }, + "kind": "template", + "id": 
"/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-template-loganalytics--deploy",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-template-loganalytics--deploy"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-securitycenter--standard.json b/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-securitycenter--standard.json
new file mode 100644
index 0000000..01a654f
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/artifact.artifact-template-securitycenter--standard.json
@@ -0,0 +1,39 @@
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.1",
+ "parameters": {
+
+ },
+ "variables": {
+
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2017-08-01-preview",
+ "name": "default",
+ "properties": {
+ "pricingTier": "Standard"
+ }
+ }
+ ],
+ "outputs": {
+
+ }
+ },
+ "parameters": {
+
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "Azure Security Center template",
+ "description": "Set Security Center Standard"
+ },
+ "kind": "template",
+ "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov/artifacts/artifact-template-securitycenter--standard",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "artifact-template-securitycenter--standard"
+}
diff --git a/samples/001-builtins/caf-foundation_gov/blueprint.json b/samples/001-builtins/caf-foundation_gov/blueprint.json
new file mode 100644
index 0000000..797fb51
--- /dev/null
+++ b/samples/001-builtins/caf-foundation_gov/blueprint.json
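Review bot: The workspace resource sets `"retention": "[parameters('data-retention')]"`, but the documented property for Microsoft.OperationalInsights/workspaces is `retentionInDays`; if the deployment ignores the unknown key the retention parameter has no effect and the workspace keeps the service default, so please verify against the 2017-03-15-preview reference. The workspace lock's `dependsOn` uses the bare `"[variables('oms-workspace-name')]"` while the storage lock uses the full `Microsoft.Storage/storageAccounts/...` form; `"[concat('Microsoft.OperationalInsights/workspaces/', variables('oms-workspace-name'))]"` keeps the two consistent and avoids name ambiguity. The diagnostics storage account carries no `networkAcls`, so it stays open to all networks; if that is required by the diagnostics producers, a `comments` entry saying so would spare the next reviewer the question. The template's `data-retention` accepts `"minValue": 0` while the blueprint's `LogAnalytics_DataRetention` only offers 30–365; `"minValue": 30` would keep the two in step.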
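Review bot: `Microsoft.Security/pricings` named `default` at API version `2017-08-01-preview` sets the legacy subscription-wide tier; newer API versions expose per-resource-type pricings (for example `VirtualMachines`, `SqlServers`, `StorageAccounts`), so it is worth confirming that the `default` resource enables Standard for every plan the blueprint expects and not only the legacy bundle. This artifact is also the only one in the set with `"contentVersion": "1.0.0.1"`; aligning it with the others' `1.0.0.0` is a small consistency point. A `comments` field on the pricing resource, such as `"comments": "Enables the Standard (paid) tier for the whole subscription"`, would make the billing consequence visible to assigners of a template that has no parameters to hint at it.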
@@ -0,0 +1,415 @@ +{ + "properties": { + "parameters": { + "Policy_CostCenter_Tag": { + "type": "string", + "metadata": { + "displayName": "Append CostCenter TAG & its value from the Resource Group", + "description": "AzureRegion" + }, + "allowedValues": [ + + ] + }, + "Policy_Allowed-Locations": { + "type": "array", + "metadata": { + "displayName": "Which Azure Regions will you allow resources to be built in?", + "description": "Policy_Allowed-Locations", + "strongType": "location" + }, + "defaultValue": [ + + ] + }, + "Policy_Resource-Types-DENY": { + "type": "array", + "metadata": { + "displayName": "Select the Azure Resource Types that you will DENY", + "description": "Policy_Resource-Types-DENY", + "strongType": "resourceTypes" + } + }, + "Policy_Allowed-StorageAccount-SKUs": { + "type": "array", + "metadata": { + "displayName": "Storage Account SKUs you want to ALLOW", + "description": "Policy_Allowed-StorageAccount-SKUs", + "strongType": "storageSKUs" + }, + "defaultValue": [ + "Standard_LRS" + ], + "allowedValues": [ + "Premium_LRS", + "Standard_GRS", + "Standard_LRS", + "Standard_RAGRS", + "Standard_ZRS" + ] + }, + "Policy_Allowed-VM-SKUs": { + "type": "array", + "metadata": { + "displayName": "Virtual Machine SKUs you want to ALLOW", + "description": "Policy_Allowed-VM-SKUs" + }, + "defaultValue": [ + "Standard_B2ms", + "Standard_DS1_v2", + "Standard_F2s_v2" + ], + "allowedValues": [ + "Standard_A1_v2", + "Standard_A2_v2", + "Standard_A2m_v2", + "Standard_A4_v2", + "Standard_A4m_v2", + "Standard_A8_v2", + "Standard_A8m_v2", + "Standard_B12ms", + "Standard_B16ms", + "Standard_B1ls", + "Standard_B1ms", + "Standard_B1s", + "Standard_B20ms", + "Standard_B2ms", + "Standard_B2s", + "Standard_B4ms", + "Standard_B8ms", + "Standard_D1_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_D16_v3", + "Standard_D16_v4", + "Standard_D16d_v4", + "Standard_D16ds_v4", + "Standard_D16s_v3", + 
"Standard_D16s_v4", + "Standard_D2_v2", + "Standard_D2_v3", + "Standard_D2_v4", + "Standard_D2d_v4", + "Standard_D2ds_v4", + "Standard_D2s_v3", + "Standard_D2s_v4", + "Standard_D3_v2", + "Standard_D32_v3", + "Standard_D32_v4", + "Standard_D32d_v4", + "Standard_D32ds_v4", + "Standard_D32s_v3", + "Standard_D32s_v4", + "Standard_D4_v2", + "Standard_D4_v3", + "Standard_D4_v4", + "Standard_D48_v3", + "Standard_D48_v4", + "Standard_D48d_v4", + "Standard_D48ds_v4", + "Standard_D48s_v3", + "Standard_D48s_v4", + "Standard_D4d_v4", + "Standard_D4ds_v4", + "Standard_D4s_v3", + "Standard_D4s_v4", + "Standard_D5_v2", + "Standard_D64_v3", + "Standard_D64_v4", + "Standard_D64d_v4", + "Standard_D64ds_v4", + "Standard_D64s_v3", + "Standard_D64s_v4", + "Standard_D8_v3", + "Standard_D8_v4", + "Standard_D8d_v4", + "Standard_D8ds_v4", + "Standard_D8s_v3", + "Standard_D8s_v4", + "Standard_DS1_v2", + "Standard_DS11_v2", + "Standard_DS11-1_v2", + "Standard_DS12_v2", + "Standard_DS12-1_v2", + "Standard_DS12-2_v2", + "Standard_DS13_v2", + "Standard_DS13-2_v2", + "Standard_DS13-4_v2", + "Standard_DS14_v2", + "Standard_DS14-4_v2", + "Standard_DS14-8_v2", + "Standard_DS15_v2", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_E16_v3", + "Standard_E16_v4", + "Standard_E16-4ds_v4", + "Standard_E16-4s_v3", + "Standard_E16-4s_v4", + "Standard_E16-8ds_v4", + "Standard_E16-8s_v3", + "Standard_E16-8s_v4", + "Standard_E16d_v4", + "Standard_E16ds_v4", + "Standard_E16s_v3", + "Standard_E16s_v4", + "Standard_E2_v3", + "Standard_E2_v4", + "Standard_E20_v3", + "Standard_E20_v4", + "Standard_E20d_v4", + "Standard_E20ds_v4", + "Standard_E20s_v3", + "Standard_E20s_v4", + "Standard_E2d_v4", + "Standard_E2ds_v4", + "Standard_E2s_v3", + "Standard_E2s_v4", + "Standard_E32_v3", + "Standard_E32_v4", + "Standard_E32-16ds_v4", + "Standard_E32-16s_v3", + "Standard_E32-16s_v4", + "Standard_E32-8ds_v4", + "Standard_E32-8s_v3", + "Standard_E32-8s_v4", + "Standard_E32d_v4", + 
"Standard_E32ds_v4", + "Standard_E32s_v3", + "Standard_E32s_v4", + "Standard_E4_v3", + "Standard_E4_v4", + "Standard_E4-2ds_v4", + "Standard_E4-2s_v3", + "Standard_E4-2s_v4", + "Standard_E48_v3", + "Standard_E48_v4", + "Standard_E48d_v4", + "Standard_E48ds_v4", + "Standard_E48s_v3", + "Standard_E48s_v4", + "Standard_E4d_v4", + "Standard_E4ds_v4", + "Standard_E4s_v3", + "Standard_E4s_v4", + "Standard_E64_v3", + "Standard_E64_v4", + "Standard_E64-16ds_v4", + "Standard_E64-16s_v3", + "Standard_E64-16s_v4", + "Standard_E64-32ds_v4", + "Standard_E64-32s_v3", + "Standard_E64-32s_v4", + "Standard_E64d_v4", + "Standard_E64ds_v4", + "Standard_E64i_v3", + "Standard_E64is_v3", + "Standard_E64s_v3", + "Standard_E64s_v4", + "Standard_E8_v3", + "Standard_E8_v4", + "Standard_E80ids_v4", + "Standard_E80is_v4", + "Standard_E8-2ds_v4", + "Standard_E8-2s_v3", + "Standard_E8-2s_v4", + "Standard_E8-4ds_v4", + "Standard_E8-4s_v3", + "Standard_E8-4s_v4", + "Standard_E8d_v4", + "Standard_E8ds_v4", + "Standard_E8s_v3", + "Standard_E8s_v4", + "Standard_F16s_v2", + "Standard_F2s_v2", + "Standard_F32s_v2", + "Standard_F48s_v2", + "Standard_F4s_v2", + "Standard_F64s_v2", + "Standard_F72s_v2", + "Standard_F8s_v2", + "Standard_H16", + "Standard_H16m", + "Standard_H16mr", + "Standard_H16r", + "Standard_H8", + "Standard_H8m", + "Standard_L16s_v2", + "Standard_L32s_v2", + "Standard_L48s_v2", + "Standard_L64s_v2", + "Standard_L80s_v2", + "Standard_L8s_v2", + "Standard_M128", + "Standard_M128-32ms", + "Standard_M128-64ms", + "Standard_M128m", + "Standard_M128ms", + "Standard_M128s", + "Standard_M16-4ms", + "Standard_M16-8ms", + "Standard_M16ms", + "Standard_M208ms_v2", + "Standard_M208s_v2", + "Standard_M32-16ms", + "Standard_M32-8ms", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M32ts", + "Standard_M416-208ms_v2", + "Standard_M416-208s_v2", + "Standard_M416ms_v2", + "Standard_M416s_v2", + "Standard_M64", + "Standard_M64-16ms", + "Standard_M64-32ms", + "Standard_M64ls", + "Standard_M64m", + 
"Standard_M64ms", + "Standard_M64s", + "Standard_M8-2ms", + "Standard_M8-4ms", + "Standard_M8ms", + "Standard_NC12s_v3", + "Standard_NC24rs_v3", + "Standard_NC24s_v3", + "Standard_NC6s_v3", + "Standard_NV12s_v3", + "Standard_NV24s_v3", + "Standard_NV48s_v3" + ] + }, + "Organization_Name": { + "type": "string", + "metadata": { + "displayName": "Enter your organization name (e.g. Contoso), must be unique", + "description": "Organization_Name" + }, + "defaultValue": "" + }, + "KV-AccessPolicy": { + "type": "string", + "metadata": { + "displayName": "Azure AD Group or User 'ObjectID' to grant permissions in Key Vault.(abc123de-f456-ghi7-89jk-l0mno123pqr4)", + "description": "KV-AccessPolicy" + } + }, + "LogAnalytics_DataRetention": { + "type": "int", + "metadata": { + "displayName": "Number of days data will be retained in Log Analytics", + "description": "LogAnalytics_DataRetention" + }, + "defaultValue": 365, + "allowedValues": [ + 30, + 60, + 90, + 120, + 180, + 365 + ] + }, + "LogAnalytics_Location": { + "type": "string", + "metadata": { + "displayName": "Azure Region used when establishing the Log Analytics workspace", + "description": "LogAnalytics_Location" + }, + "allowedValues": [ + "Australia Central", + "Australia East", + "Australia Southeast", + "Brazil South", + "Canada Central", + "Central India", + "Central US", + "East Asia", + "East US", + "East US 2", + "France Central", + "Japan East", + "Korea Central", + "North Central US", + "North Europe", + "South Africa North", + "South Central US", + "Southeast Asia", + "UK South", + "UK West", + "USGov Arizona", + "USGov Virginia", + "West Europe", + "West US", + "West US 2" + ] + }, + "AzureRegion": { + "type": "string", + "metadata": { + "displayName": "Select the Azure Region to deploy the Resources", + "description": "AzureRegion", + "strongType": "location" + }, + "defaultValue": "eastus" + } + }, + "resourceGroups": { + "SharedServices-RG": { + "name": 
"[concat(parameters('Organization_Name'),'-SharedSvcs-rg')]", + "location": "[parameters('AzureRegion')]", + "metadata": { + "displayName": "Resource Group for Shared Services" + }, + "dependsOn": [ + + ] + }, + "Network-RG": { + "name": "[concat(parameters('Organization_Name'),'-VNet-rg')]", + "location": "[parameters('AzureRegion')]", + "metadata": { + "displayName": "Resource Group for Networks" + }, + "dependsOn": [ + + ] + }, + "Identity-RG": { + "name": "[concat(parameters('Organization_Name'),'-Identity-rg')]", + "location": "[parameters('AzureRegion')]", + "metadata": { + "displayName": "Resource Group for Identity Services" + }, + "dependsOn": [ + + ] + }, + "Application-RG": { + "name": "[concat(parameters('Organization_Name'),'-Application-rg')]", + "location": "[parameters('AzureRegion')]", + "metadata": { + "displayName": "Resource Group for First Application" + }, + "dependsOn": [ + + ] + } + }, + "targetScope": "subscription", + "status": { + "timeCreated": "2019-08-07T23:25:37+00:00", + "lastModified": "2019-08-07T23:31:27.4720923+00:00" + }, + "displayName": "CAF Foundation", + "description": "Microsoft Cloud Adoption Framework for Azure – Configure Foundational best practices" + }, + "id": "/providers/Microsoft.Blueprint/blueprints/CAF-Foundation_Gov", + "type": "Microsoft.Blueprint/blueprints", + "name": "CAF-Foundation_Gov" +} diff --git a/samples/001-builtins/cis_v1_1_0/artifact.4d752df6-ddaf-46ae-96fd-7cca6016988e.json b/samples/001-builtins/cis_v1_1_0/artifact.4d752df6-ddaf-46ae-96fd-7cca6016988e.json index 0f35bf4..9ac3734 100644 --- a/samples/001-builtins/cis_v1_1_0/artifact.4d752df6-ddaf-46ae-96fd-7cca6016988e.json +++ b/samples/001-builtins/cis_v1_1_0/artifact.4d752df6-ddaf-46ae-96fd-7cca6016988e.json 
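Review bot: For a blueprint named `CAF-Foundation_Gov`, the `LogAnalytics_Location` allowed list is dominated by commercial regions (`Australia Central` through `West US 2`) with only `USGov Arizona` and `USGov Virginia` being Government regions, and `AzureRegion` defaults to `eastus`; if this is the Azure Government variant, as the suffix suggests, the default and the list should be trimmed to Gov regions or the assignment will fail at deployment time. `Policy_CostCenter_Tag` carries `"description": "AzureRegion"`, which looks copied from the region parameter; `"description": "Policy_CostCenter_Tag"` would match the convention the other parameters follow. `Organization_Name` defaults to `""` even though its display name says it must be unique and every resource name in the artifacts is built from it — with the empty default the vault name from the Key Vault artifact earlier in this patch becomes `-sharedsvcs-kv`, which is not a valid Key Vault name — so dropping the default makes the value required at assignment time.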
@@ -12,7 +12,7 @@ "dependsOn": [ ], - "displayName": "Audit CIS Microsoft Azure Foundations Benchmark 1.1.0 recommendations and deploy specific supporting VM Extensions" + "displayName": "CIS Microsoft Azure Foundations Benchmark 1.1.0" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/CIS_V_1_1_0/artifacts/4d752df6-ddaf-46ae-96fd-7cca6016988e", diff --git a/samples/001-builtins/cis_v1_1_0_Gov/artifact.6bdd6a3d-9fb0-445b-8a7f-effb6646a06a.json b/samples/001-builtins/cis_v1_1_0_Gov/artifact.6bdd6a3d-9fb0-445b-8a7f-effb6646a06a.json new file mode 100644 index 0000000..8887d68 --- /dev/null +++ b/samples/001-builtins/cis_v1_1_0_Gov/artifact.6bdd6a3d-9fb0-445b-8a7f-effb6646a06a.json @@ -0,0 +1,21 @@ +{ + "properties": { + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1a5bb27d-173f-493e-9568-eb56638dde4d", + "parameters": { + "listOfRegionsWhereNetworkWatcherShouldBeEnabled": { + "value": "[parameters('listOfRegionsWhereNetworkWatcherShouldBeEnabled')]" + }, + "listOfApprovedVMExtensions": { + "value": "[parameters('listOfApprovedVMExtensions')]" + } + }, + "dependsOn": [ + + ], + "displayName": "CIS Microsoft Azure Foundations Benchmark 1.1.0" + }, + "kind": "policyAssignment", + "id": "/providers/Microsoft.Blueprint/blueprints/cis_v1_1_0_Gov/artifacts/6bdd6a3d-9fb0-445b-8a7f-effb6646a06a", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "6bdd6a3d-9fb0-445b-8a7f-effb6646a06a" +} diff --git a/samples/001-builtins/cis_v1_1_0_Gov/blueprint.json b/samples/001-builtins/cis_v1_1_0_Gov/blueprint.json new file mode 100644 index 0000000..b1313ae --- /dev/null +++ b/samples/001-builtins/cis_v1_1_0_Gov/blueprint.json 
@@ -0,0 +1,58 @@
+{
+ "properties": {
+ "parameters": {
+ "listOfRegionsWhereNetworkWatcherShouldBeEnabled": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of regions where Network Watcher should be enabled",
+ "description": "To see a complete list of regions use Get-AzLocation",
+ "strongType": "location"
+ },
+ "defaultValue": [
+ "usdodcentral"
+ ],
+ "allowedValues": [
+
+ ]
+ },
+ "listOfApprovedVMExtensions": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of virtual machine extensions that are approved for use",
+ "description": "To see a complete list of virtual machine extensions, use Get-AzVMExtensionImage"
+ },
+ "defaultValue": [
+ "AzureDiskEncryption",
+ "AzureDiskEncryptionForLinux",
+ "DependencyAgentWindows",
+ "DependencyAgentLinux",
+ "IaaSAntimalware",
+ "IaaSDiagnostics",
+ "LinuxDiagnostic",
+ "MicrosoftMonitoringAgent",
+ "NetworkWatcherAgentLinux",
+ "NetworkWatcherAgentWindows",
+ "OmsAgentForLinux",
+ "VMSnapshot",
+ "VMSnapshotLinux"
+ ],
+ "allowedValues": [
+
+ ]
+ }
+ },
+ "resourceGroups": {
+
+ },
+ "targetScope": "subscription",
+ "status": {
+ "timeCreated": "2019-10-07T11:30:11+00:00",
+ "lastModified": "2019-10-07T11:30:11.100213+00:00"
+ },
+ "displayName": "CIS Microsoft Azure Foundations Benchmark v1.1.0",
+ "description": "Assigns policies to address specific recommendations from the CIS Microsoft Azure Foundations Benchmark v1.1.0."
+ },
+ "id": "/providers/Microsoft.Blueprint/blueprints/cis_v1_1_0_Gov",
+ "type": "Microsoft.Blueprint/blueprints",
+ "name": "cis_v1_1_0_Gov"
+}
diff --git a/samples/001-builtins/fedRAMPH/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json b/samples/001-builtins/fedRAMPH/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json
index 6c5dc7f..f407b17 100644
--- a/samples/001-builtins/fedRAMPH/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json
+++ b/samples/001-builtins/fedRAMPH/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json
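Review bot: `listOfRegionsWhereNetworkWatcherShouldBeEnabled` defaults to the single region `usdodcentral`; if the underlying Network Watcher policy evaluates only the regions listed, as the built-in one does, subscriptions deploying into other Government regions (for example `usgovvirginia` or `usgovarizona`) would report compliant without Network Watcher being present there. Consider listing every region the organisation deploys to, or leaving `defaultValue` empty so the assigner must choose, and make the consequence explicit in the metadata, e.g. `"description": "Every region in use must be listed; unlisted regions are not audited. To see a complete list of regions use Get-AzLocation"`.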
@@ -84,7 +84,7 @@ "dependsOn": [ ], - "displayName": "Audit FedRAMP High controls and deploy specific VM Extensions to support audit requirements" + "displayName": "FedRAMP High" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/FedRAMPH/artifacts/1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93", diff --git a/samples/001-builtins/fedRAMPH_Gov/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json b/samples/001-builtins/fedRAMPH_Gov/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json index da4867b..a07e43b 100644 --- a/samples/001-builtins/fedRAMPH_Gov/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json +++ b/samples/001-builtins/fedRAMPH_Gov/artifact.1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93.json @@ -75,7 +75,7 @@ "dependsOn": [ ], - "displayName": "Audit FedRAMP High controls and deploy specific VM Extensions to support audit requirements" + "displayName": "FedRAMP High" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/FedRAMPH_Gov/artifacts/1bd318a6-ddab-4f51-b0eb-0ff2b3d0aa93", diff --git a/samples/001-builtins/fedRAMP_M/artifact.63b8d309-77f5-4913-a245-6f726f0b8b40.json b/samples/001-builtins/fedRAMP_M/artifact.63b8d309-77f5-4913-a245-6f726f0b8b40.json index 299c083..040c34f 100644 --- a/samples/001-builtins/fedRAMP_M/artifact.63b8d309-77f5-4913-a245-6f726f0b8b40.json +++ b/samples/001-builtins/fedRAMP_M/artifact.63b8d309-77f5-4913-a245-6f726f0b8b40.json @@ -18,7 +18,7 @@ "dependsOn": [ ], - "displayName": "Audit FedRAMP Moderate controls and deploy specific VM Extensions to support audit requirements" + "displayName": "FedRAMP Moderate" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/FedRAMP_M/artifacts/63b8d309-77f5-4913-a245-6f726f0b8b40", diff --git a/samples/001-builtins/fedRAMP_M_Gov/artifact.4734ea99-47fc-41c5-a45f-a97d57562d2b.json b/samples/001-builtins/fedRAMP_M_Gov/artifact.4734ea99-47fc-41c5-a45f-a97d57562d2b.json index 6fcf9cf..e439edd 100644 
--- a/samples/001-builtins/fedRAMP_M_Gov/artifact.4734ea99-47fc-41c5-a45f-a97d57562d2b.json +++ b/samples/001-builtins/fedRAMP_M_Gov/artifact.4734ea99-47fc-41c5-a45f-a97d57562d2b.json @@ -18,7 +18,7 @@ "dependsOn": [ ], - "displayName": "Audit FedRAMP Moderate controls and deploy specific VM Extensions to support audit requirements" + "displayName": "FedRAMP Moderate" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/FedRAMP_M_Gov/artifacts/4734ea99-47fc-41c5-a45f-a97d57562d2b", diff --git a/samples/001-builtins/hipaa/artifact.8d253677-61e1-45c5-8b38-61689917c571.json b/samples/001-builtins/hipaa/artifact.8d253677-61e1-45c5-8b38-61689917c571.json index 8058030..ec893f8 100644 --- a/samples/001-builtins/hipaa/artifact.8d253677-61e1-45c5-8b38-61689917c571.json +++ b/samples/001-builtins/hipaa/artifact.8d253677-61e1-45c5-8b38-61689917c571.json @@ -11,6 +11,33 @@ "DeployDiagnosticSettingsforNetworkSecurityGroupsrgName": { "value": "[parameters('DeployDiagnosticSettingsforNetworkSecurityGroupsrgName')]" }, + "CertificateThumbprints": { + "value": "[parameters('CertificateThumbprints')]" + }, + "membersToExclude": { + "value": "[parameters('membersToExclude')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + }, + "listOfResourceTypes": { + "value": "[parameters('listOfResourceTypes')]" + }, + "membersToInclude": { + "value": "[parameters('membersToInclude')]" + }, + "listOfLocations": { + "value": "[parameters('listOfLocations')]" + }, + "members": { + "value": "[parameters('members')]" + }, + "operationName": { + "value": "[parameters('operationName')]" + }, + "virtualNetworkId": { + "value": "[parameters('virtualNetworkId')]" + }, "diagnosticsLogsInBatchAccountMonitoringEffect": { "value": "[parameters('diagnosticsLogsInBatchAccountMonitoringEffect')]" }, 
@@ -176,14 +203,86 @@ "WindowsFirewallPublicAllowUnicastResponse": { "value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]" }, - "CertificateThumbprints": { - "value": "[parameters('CertificateThumbprints')]" + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays')]" + }, + "diagnosticsLogsInRedisCacheMonitoringEffect": { + "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]" + }, + "secureTransferToStorageAccountMonitoringEffect": { + "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]" + }, + "usersOrGroupsThatMayAccessThisComputerFromTheNetwork": { + "value": "[parameters('usersOrGroupsThatMayAccessThisComputerFromTheNetwork')]" + }, + "usersOrGroupsThatMayLogOnLocally": { + "value": "[parameters('usersOrGroupsThatMayLogOnLocally')]" + }, + "usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": { + "value": "[parameters('usersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]" + }, + "usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": { + "value": "[parameters('usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]" + }, + "usersOrGroupsThatMayManageAuditingAndSecurityLog": { + "value": "[parameters('usersOrGroupsThatMayManageAuditingAndSecurityLog')]" + }, + "usersOrGroupsThatMayBackUpFilesAndDirectories": { + "value": "[parameters('usersOrGroupsThatMayBackUpFilesAndDirectories')]" + }, + "usersOrGroupsThatMayChangeTheSystemTime": { + "value": "[parameters('usersOrGroupsThatMayChangeTheSystemTime')]" + }, + "usersOrGroupsThatMayChangeTheTimeZone": { + "value": "[parameters('usersOrGroupsThatMayChangeTheTimeZone')]" + }, + "usersOrGroupsThatMayCreateATokenObject": { + "value": "[parameters('usersOrGroupsThatMayCreateATokenObject')]" + }, + "usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": { + "value": "[parameters('usersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]" + }, + "usersAndGroupsThatAreDeniedLoggingOnAsAService": { + "value": 
"[parameters('usersAndGroupsThatAreDeniedLoggingOnAsAService')]" + }, + "usersAndGroupsThatAreDeniedLocalLogon": { + "value": "[parameters('usersAndGroupsThatAreDeniedLocalLogon')]" + }, + "usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": { + "value": "[parameters('usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]" + }, + "userAndGroupsThatMayForceShutdownFromARemoteSystem": { + "value": "[parameters('userAndGroupsThatMayForceShutdownFromARemoteSystem')]" + }, + "usersAndGroupsThatMayRestoreFilesAndDirectories": { + "value": "[parameters('usersAndGroupsThatMayRestoreFilesAndDirectories')]" + }, + "usersAndGroupsThatMayShutDownTheSystem": { + "value": "[parameters('usersAndGroupsThatMayShutDownTheSystem')]" + }, + "usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": { + "value": "[parameters('usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]" + }, + "virtualMachinesShouldBeConnectedToAnApprovedVirtualNetworkEffect": { + "value": "[parameters('virtualMachinesShouldBeConnectedToAnApprovedVirtualNetworkEffect')]" + }, + "uacAdminApprovalModeForTheBuiltinAdministratorAccount": { + "value": "[parameters('uacAdminApprovalModeForTheBuiltinAdministratorAccount')]" + }, + "uacBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": { + "value": "[parameters('uacBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]" + }, + "uacDetectApplicationInstallationsAndPromptForElevation": { + "value": "[parameters('uacDetectApplicationInstallationsAndPromptForElevation')]" + }, + "uacRunAllAdministratorsInAdminApprovalMode": { + "value": "[parameters('uacRunAllAdministratorsInAdminApprovalMode')]" } }, "dependsOn": [ - + ], - "displayName": "Audit HITRUST/HIPAA controls and deploy specific VM Extensions to support audit requirements" + "displayName": "HITRUST/HIPAA" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/HIPAA/artifacts/8d253677-61e1-45c5-8b38-61689917c571", 
diff --git a/samples/001-builtins/hipaa/blueprint.json b/samples/001-builtins/hipaa/blueprint.json index 38e4e46..aafdff6 100644 --- a/samples/001-builtins/hipaa/blueprint.json +++ b/samples/001-builtins/hipaa/blueprint.json @@ -8,7 +8,7 @@ "description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')" }, "allowedValues": [ - + ] }, "DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix": { @@ -18,7 +18,7 @@ "description": "This prefix will be combined with the network security group location to form the created storage account name." }, "allowedValues": [ - + ] }, "DeployDiagnosticSettingsforNetworkSecurityGroupsrgName": { 
@@ -29,7 +29,207 @@ "strongType": "ExistingResourceGroups" }, "allowedValues": [ - + + ] + }, + "CertificateThumbprints": { + "type": "string", + "metadata": { + "displayName": "Certificate thumbprints", + "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3" + }, + "allowedValues": [ + + ] + }, + "membersToExclude": { + "type": "string", + "metadata": { + "displayName": "List of users excluded from Windows VM Administrators group", + "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2" + }, + "defaultValue": "", + "allowedValues": [ + + ] + }, + "workspaceId": { + "type": "string", + "metadata": { + "displayName": "List of workspace IDs where Log Analytics agents should connect", + "description": "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to" + }, + "defaultValue": "", + "allowedValues": [ + + ] + }, + "listOfResourceTypes": { + "type": "array", + "metadata": { + "displayName": "List of resource types that should have diagnostic logs enabled", + "description": "Audit diagnostic setting for selected resource types" + }, + "defaultValue": [ + "Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + 
"Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + "Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ], + "allowedValues": [ + "Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + 
"Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ] + }, + "membersToInclude": { + "type": "string", + "metadata": { + "displayName": "List of users that must be included in Windows VM Administrators group", + "description": "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2" + }, + "defaultValue": "", + "allowedValues": [ + + ] + }, + "listOfLocations": { + "type": "array", + "metadata": { + "displayName": "List of regions where Network Watcher should be enabled", + "description": "To see a complete list of regions use Get-AzLocation", + "strongType": "location" + }, + "defaultValue": [], + "allowedValues": [ + + ] + }, + "members": { + "type": "string", + "metadata": { + "displayName": "List of users that Windows VM Administrators group must *only* include", + "description": "A semicolon-separated list of all the expected members of the Administrators local group. 
Ex: Administrator; myUser1; myUser2" + }, + "defaultValue": "", + "allowedValues": [ + + ] + }, + "operationName": { + "type": "string", + "metadata": { + "displayName": "Operation Name", + "description": "Administrative Operation name for which activity log alert should be configured" + }, + "defaultValue": "Microsoft.Sql/servers/firewallRules/write", + "allowedValues": [ + "Microsoft.Sql/servers/firewallRules/write", + "Microsoft.Sql/servers/firewallRules/delete", + "Microsoft.Network/networkSecurityGroups/write", + "Microsoft.Network/networkSecurityGroups/delete", + "Microsoft.ClassicNetwork/networkSecurityGroups/write", + "Microsoft.ClassicNetwork/networkSecurityGroups/delete", + "Microsoft.Network/networkSecurityGroups/securityRules/write", + "Microsoft.Network/networkSecurityGroups/securityRules/delete", + "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write", + "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete" + ] + }, + "virtualNetworkId": { + "type": "string", + "metadata": { + "displayName": "Virtual network where VMs should be connected", + "description": "Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name" + }, + "defaultValue": "", + "allowedValues": [ + ] }, "diagnosticsLogsInBatchAccountMonitoringEffect": { @@ -40,8 +240,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diagnosticsLogsInBatchAccountRetentionDays": { @@ -52,7 +252,7 @@ }, "defaultValue": "365", "allowedValues": [ - + ] }, "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect": { @@ -63,8 +263,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diskEncryptionMonitoringEffect": { 
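Review bot: Several of the new parameters whose only role is to drive an audit default to a value that leaves nothing to audit: `workspaceId`, `virtualNetworkId`, `members`, `membersToInclude` and `membersToExclude` default to `""` and `listOfLocations` defaults to `[]`, so an assignment accepted with defaults will, depending on how the initiative treats empty values, either check Log Analytics agent connection, approved-VNet membership, local Administrators membership and Network Watcher against nothing or flag every resource. `CertificateThumbprints` already takes the stricter route of having no `defaultValue`; the same treatment for at least `workspaceId`, `virtualNetworkId` and `listOfLocations` forces the assigner to supply real values. Where an empty value is intentional, the description should say what it means, e.g. `"description": "Resource Id of the virtual network. Leave empty to skip this check. Example: ..."`, but only once the initiative's handling of empty input has been confirmed. `listOfLocations` is also the only parameter written as `"defaultValue": []` on one line; the file's convention elsewhere is the multi-line form.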
@@ -75,8 +275,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diagnosticsLogsInSearchServiceMonitoringEffect": { @@ -87,8 +287,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diagnosticsLogsInSearchServiceRetentionDays": { @@ -99,7 +299,7 @@ }, "defaultValue": "365", "allowedValues": [ - + ] }, "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { @@ -110,8 +310,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "vulnerabilityAssesmentMonitoringEffect": { @@ -122,8 +322,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "EnableInsecureGuestLogons": { @@ -134,7 +334,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain": { @@ -145,7 +345,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "TurnOffMulticastNameResolution": { @@ -156,7 +356,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "nextGenerationFirewallMonitoringEffect": { @@ -167,8 +367,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect": { @@ -179,8 +379,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "apiAppDisableRemoteDebuggingMonitoringEffect": { @@ -191,8 +391,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "classicComputeVMsMonitoringEffect": { 
@@ -203,9 +403,9 @@ }, "defaultValue": "Audit", "allowedValues": [ - "Audit", - "Deny", - "Disabled" + "Audit", + "Deny", + "Disabled" ] }, "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": { @@ -216,8 +416,8 @@ }, "defaultValue": "Audit", "allowedValues": [ - "Audit", - "Disabled" + "Audit", + "Disabled" ] }, "adaptiveApplicationControlsMonitoringEffect": { @@ -228,8 +428,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "NetworkAccessRemotelyAccessibleRegistryPaths": { @@ -240,7 +440,7 @@ }, "defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion", "allowedValues": [ - + ] }, "NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths": { @@ -251,7 +451,7 @@ }, "defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog", "allowedValues": [ - + ] }, "NetworkAccessSharesThatCanBeAccessedAnonymously": { @@ -262,7 +462,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "webAppDisableRemoteDebuggingMonitoringEffect": { @@ -273,8 +473,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "apiAppEnforceHttpsMonitoringEffectV2": { 
@@ -285,8 +485,8 @@ }, "defaultValue": "Audit", "allowedValues": [ - "Audit", - "Disabled" + "Audit", + "Disabled" ] }, "identityEnableMFAForWritePermissionsMonitoringEffect": { @@ -297,8 +497,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "jitNetworkAccessMonitoringEffect": { @@ -309,8 +509,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "identityEnableMFAForOwnerPermissionsMonitoringEffect": { @@ -321,8 +521,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "kubernetesServiceRbacEnabledMonitoringEffect": { @@ -333,8 +533,8 @@ }, "defaultValue": "Audit", "allowedValues": [ - "Audit", - "Disabled" + "Audit", + "Disabled" ] }, "restrictAccessToManagementPortsMonitoringEffect": { @@ -345,8 +545,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "vmssOsVulnerabilitiesMonitoringEffect": { @@ -357,8 +557,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diagnosticsLogsInEventHubMonitoringEffect": { @@ -369,8 +569,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diagnosticsLogsInEventHubRetentionDays": { @@ -381,7 +581,7 @@ }, "defaultValue": "365", "allowedValues": [ - + ] }, "vmssSystemUpdatesMonitoringEffect": { @@ -392,8 +592,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "diagnosticsLogsInServiceFabricMonitoringEffect": { 
@@ -404,8 +604,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "systemUpdatesMonitoringEffect": { @@ -416,8 +616,8 @@ }, "defaultValue": "AuditIfNotExists", "allowedValues": [ - "AuditIfNotExists", - "Disabled" + "AuditIfNotExists", + "Disabled" ] }, "DeployAzureBaselineSecurityOptionsAccountsAccountsGuestAccountStatus": { @@ -428,7 +628,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": { @@ -439,7 +639,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits": { @@ -450,7 +650,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "DeployAzureBaselineSystemAuditPoliciesDetailedTrackingAuditProcessTermination": { @@ -461,10 +661,10 @@ }, "defaultValue": "No Auditing", "allowedValues": [ - "No Auditing", - "Success", - "Failure", - "Success and Failure" + "No Auditing", + "Success", + "Failure", + "Success and Failure" ] }, "WindowsFirewallDomainUseProfileSettings": { @@ -475,7 +675,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallDomainBehaviorForOutboundConnections": { @@ -486,7 +686,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "WindowsFirewallDomainApplyLocalConnectionSecurityRules": { @@ -497,7 +697,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallDomainApplyLocalFirewallRules": { @@ -508,7 +708,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallDomainDisplayNotifications": { @@ -519,7 +719,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPrivateUseProfileSettings": { @@ -530,7 +730,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPrivateBehaviorForOutboundConnections": { @@ -541,7 +741,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": { 
@@ -552,7 +752,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPrivateApplyLocalFirewallRules": { @@ -563,7 +763,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPrivateDisplayNotifications": { @@ -574,7 +774,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPublicUseProfileSettings": { @@ -585,7 +785,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPublicBehaviorForOutboundConnections": { @@ -596,7 +796,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "WindowsFirewallPublicApplyLocalConnectionSecurityRules": { @@ -607,7 +807,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPublicApplyLocalFirewallRules": { @@ -618,7 +818,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallPublicDisplayNotifications": { @@ -629,7 +829,7 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, "WindowsFirewallDomainAllowUnicastResponse": { @@ -640,7 +840,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "WindowsFirewallPrivateAllowUnicastResponse": { @@ -651,7 +851,7 @@ }, "defaultValue": "0", "allowedValues": [ - + ] }, "WindowsFirewallPublicAllowUnicastResponse": { 
@@ -662,22 +862,293 @@ }, "defaultValue": "1", "allowedValues": [ - + ] }, - "CertificateThumbprints": { + "requiredRetentionDays": { "type": "string", "metadata": { - "displayName": "Certificate thumbprints", - "description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3" + "displayName": "Required retention (in days) of logs in Data Lake Store accounts", + "description": "The required diagnostic logs retention period in days" + }, + "defaultValue": "365", + "allowedValues": [ + + ] + }, + "diagnosticsLogsInRedisCacheMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: [Only secure connections to your Redis Cache should be enabled]", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "secureTransferToStorageAccountMonitoringEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: [Secure transfer to storage accounts should be enabled]", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "usersOrGroupsThatMayAccessThisComputerFromTheNetwork": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may access this computer from the network", + "description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection." 
+ }, + "defaultValue": "Administrators, Authenticated Users", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayLogOnLocally": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may log on locally", + "description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right." + }, + "defaultValue": "Administrators", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may log on through Remote Desktop Services", + "description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance." + }, + "defaultValue": "Administrators, Remote Desktop Users", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": { + "type": "string", + "metadata": { + "displayName": "Users and groups that are denied access from the network", + "description": "Specifies which users or groups are explicitly prohibited from connecting across the network." + }, + "defaultValue": "Guests", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayManageAuditingAndSecurityLog": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may manage auditing and security log", + "description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log." + }, + "defaultValue": "Administrators", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayBackUpFilesAndDirectories": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may back up files and directories", + "description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system." 
+ }, + "defaultValue": "Administrators, Backup Operators", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayChangeTheSystemTime": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may change the system time", + "description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer." + }, + "defaultValue": "Administrators, LOCAL SERVICE", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayChangeTheTimeZone": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may change the time zone", + "description": "Specifies which users and groups are permitted to change the time zone of the computer." + }, + "defaultValue": "Administrators, LOCAL SERVICE", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayCreateATokenObject": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may create a token object", + "description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data." + }, + "defaultValue": "No One", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": { + "type": "string", + "metadata": { + "displayName": "Users and groups that are denied logging on as a batch job", + "description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)." + }, + "defaultValue": "Guests", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatAreDeniedLoggingOnAsAService": { + "type": "string", + "metadata": { + "displayName": "Users and groups that are denied logging on as a service", + "description": "Specifies which service accounts are explicitly not permitted to register a process as a service." 
+ }, + "defaultValue": "Guests", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatAreDeniedLocalLogon": { + "type": "string", + "metadata": { + "displayName": "Users and groups that are denied local logon", + "description": "Specifies which users and groups are explicitly not permitted to log on to the computer." + }, + "defaultValue": "Guests", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": { + "type": "string", + "metadata": { + "displayName": "Users and groups that are denied log on through Remote Desktop Services", + "description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client." + }, + "defaultValue": "Guests", + "allowedValues": [ + + ] + }, + "userAndGroupsThatMayForceShutdownFromARemoteSystem": { + "type": "string", + "metadata": { + "displayName": "User and groups that may force shutdown from a remote system", + "description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network." }, + "defaultValue": "Administrators", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatMayRestoreFilesAndDirectories": { + "type": "string", + "metadata": { + "displayName": "Users and groups that may restore files and directories", + "description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories." + }, + "defaultValue": "Administrators, Backup Operators", + "allowedValues": [ + + ] + }, + "usersAndGroupsThatMayShutDownTheSystem": { + "type": "string", + "metadata": { + "displayName": "Users and groups that may shut down the system", + "description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command." 
+ }, + "defaultValue": "Administrators", + "allowedValues": [ + + ] + }, + "usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": { + "type": "string", + "metadata": { + "displayName": "Users or groups that may take ownership of files or other objects", + "description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user." + }, + "defaultValue": "Administrators", + "allowedValues": [ + + ] + }, + "virtualMachinesShouldBeConnectedToAnApprovedVirtualNetworkEffect": { + "type": "string", + "metadata": { + "displayName": "Effect for policy: [Virtual machines should be connected to an approved virtual network]", + "description": "Azure Policy effect for this policy; for more information about effects, visit https://aka.ms/policyeffects" + }, + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "uacAdminApprovalModeForTheBuiltinAdministratorAccount": { + "type": "string", + "metadata": { + "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account", + "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account." + }, + "defaultValue": "1", + "allowedValues": [ + + ] + }, + "uacBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": { + "type": "string", + "metadata": { + "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode", + "description": "Specifies the behavior of the elevation prompt for administrators." 
+ }, + "defaultValue": "2", + "allowedValues": [ + + ] + }, + "uacDetectApplicationInstallationsAndPromptForElevation": { + "type": "string", + "metadata": { + "displayName": "UAC: Detect application installations and prompt for elevation", + "description": "Specifies the behavior of application installation detection for the computer." + }, + "defaultValue": "1", + "allowedValues": [ + + ] + }, + "uacRunAllAdministratorsInAdminApprovalMode": { + "type": "string", + "metadata": { + "displayName": "UAC: Run all administrators in Admin Approval Mode", + "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer." + }, + "defaultValue": "1", "allowedValues": [ - + ] } }, "resourceGroups": { - + }, "targetScope": "subscription", "status": { diff --git a/samples/001-builtins/irs1075_rev_11_2016/artifact.369bc69f-4002-4cf2-9a84-ae0ac409faf2.json b/samples/001-builtins/irs1075_rev_11_2016/artifact.369bc69f-4002-4cf2-9a84-ae0ac409faf2.json index 1e93f4c..baea9a7 100644 --- a/samples/001-builtins/irs1075_rev_11_2016/artifact.369bc69f-4002-4cf2-9a84-ae0ac409faf2.json +++ b/samples/001-builtins/irs1075_rev_11_2016/artifact.369bc69f-4002-4cf2-9a84-ae0ac409faf2.json @@ -18,7 +18,7 @@ "dependsOn": [ ], - "displayName": "Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements" + "displayName": "IRS1075 September 2016" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/IRS1075_Rev_11_2016/artifacts/369bc69f-4002-4cf2-9a84-ae0ac409faf2", diff --git a/samples/001-builtins/irs1075_rev_11_2016_gov/artifact.66c1cf59-dc16-4acf-8bf4-6e6ea347853d.json b/samples/001-builtins/irs1075_rev_11_2016_gov/artifact.66c1cf59-dc16-4acf-8bf4-6e6ea347853d.json index f07a46c..e38ab39 100644 --- a/samples/001-builtins/irs1075_rev_11_2016_gov/artifact.66c1cf59-dc16-4acf-8bf4-6e6ea347853d.json 
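Review bot: The new `diagnosticsLogsInRedisCacheMonitoringEffect` parameter is misnamed for what it controls: its displayName is `Effect for policy: [Only secure connections to your Redis Cache should be enabled]`, a TLS-enforcement policy rather than a diagnostic-logs policy, so anyone auditing the logging controls by parameter name will misclassify it. If the name is fixed by the artifact that references it, the description should at least state which policy it actually drives, e.g. `"description": "Azure Policy effect for the policy that requires SSL/TLS-only connections to Redis Cache; for more information about effects, visit https://aka.ms/policyeffects"`. The user-rights parameters (`usersOrGroupsThatMayAccessThisComputerFromTheNetwork` through `usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects`) ship comma-separated defaults such as `Administrators, Authenticated Users` but never document the separator, while `members` and `membersToInclude` earlier in the file explicitly say semicolon-separated; adding `Comma-separated list.` to each of those descriptions would avoid a misformatted value being interpreted differently than intended at assignment time. Similarly `requiredRetentionDays` carries a generic name while its displayName is specific to Data Lake Store accounts, unlike the sibling `diagnosticsLogsIn*RetentionDays` parameters. The enclosing `parameters` object starts outside this hunk.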
+++ b/samples/001-builtins/irs1075_rev_11_2016_gov/artifact.66c1cf59-dc16-4acf-8bf4-6e6ea347853d.json @@ -18,7 +18,7 @@ "dependsOn": [ ], - "displayName": "Audit IRS1075 September 2016 controls and deploy specific VM Extensions to support audit requirements" + "displayName": "IRS1075 September 2016" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/IRS1075_Rev_11_2016_Gov/artifacts/66c1cf59-dc16-4acf-8bf4-6e6ea347853d", diff --git a/samples/001-builtins/iso_27001/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json b/samples/001-builtins/iso_27001/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json index 2b34a5f..538b674 100644 --- a/samples/001-builtins/iso_27001/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json +++ b/samples/001-builtins/iso_27001/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json @@ -9,7 +9,7 @@ "dependsOn": [ ], - "displayName": "Blueprint initiative for ISO 27001" + "displayName": "ISO 27001:2013" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/ISO_27001/artifacts/d94ecab2-96d3-4c6a-8d3f-fd3b4177341b", diff --git a/samples/001-builtins/iso_27001/blueprint.json b/samples/001-builtins/iso_27001/blueprint.json index 2262881..f1670ab 100644 --- a/samples/001-builtins/iso_27001/blueprint.json +++ b/samples/001-builtins/iso_27001/blueprint.json @@ -222,8 +222,6 @@ "Premium_LRS", "Standard_GRS", "Standard_RAGRS", - "Standard_ZRS", - "Premium_LRS", "Standard_LRS" ] }, diff --git a/samples/001-builtins/iso_27001_shared_services/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json b/samples/001-builtins/iso_27001_shared_services/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json index 723c8e0..35de8a6 100644 --- a/samples/001-builtins/iso_27001_shared_services/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json +++ b/samples/001-builtins/iso_27001_shared_services/artifact.d94ecab2-96d3-4c6a-8d3f-fd3b4177341b.json 
@@ -9,7 +9,7 @@ "dependsOn": [ ], - "displayName": "Blueprint initiative for ISO 27001" + "displayName": "ISO 27001:2013" }, "kind": "policyAssignment", "id": "/providers/Microsoft.Blueprint/blueprints/ISO_27001_Shared_Services/artifacts/d94ecab2-96d3-4c6a-8d3f-fd3b4177341b", diff --git a/samples/001-builtins/iso_27001_shared_services/blueprint.json b/samples/001-builtins/iso_27001_shared_services/blueprint.json index 667bd57..07670c0 100644 --- a/samples/001-builtins/iso_27001_shared_services/blueprint.json +++ b/samples/001-builtins/iso_27001_shared_services/blueprint.json @@ -13,10 +13,8 @@ ], "allowedValues": [ "Standard_ZRS", - "Premium_LRS", "Standard_GRS", "Standard_RAGRS", - "Standard_ZRS", "Premium_LRS", "Standard_LRS" ] diff --git a/samples/001-builtins/nist-sp-800-171-r2/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json b/samples/001-builtins/nist-sp-800-171-r2/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json new file mode 100644 index 0000000..8bb2973 --- /dev/null +++ b/samples/001-builtins/nist-sp-800-171-r2/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json 
@@ -0,0 +1,51 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9",
+ "parameters": {
+ "membersToExcludeInLocalAdministratorsGroup": {
+ "value": "[parameters('membersToExcludeInLocalAdministratorsGroup')]"
+ },
+ "membersToIncludeInLocalAdministratorsGroup": {
+ "value": "[parameters('membersToIncludeInLocalAdministratorsGroup')]"
+ },
+ "listOfLocationsForNetworkWatcher": {
+ "value": "[parameters('listOfLocationsForNetworkWatcher')]"
+ },
+ "logAnalyticsWorkspaceIDForVMAgents": {
+ "value": "[parameters('logAnalyticsWorkspaceIDForVMAgents')]"
+ },
+ "pHPLatestVersionForAppServices": {
+ "value": "[parameters('pHPLatestVersionForAppServices')]"
+ },
+ "windowsImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('windowsImagesToAddToLogAgentAuditScope')]"
+ },
+ "linuxImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('linuxImagesToAddToLogAgentAuditScope')]"
+ },
+ "javaLatestVersionForAppServices": {
+ "value": "[parameters('javaLatestVersionForAppServices')]"
+ },
+ "windowsPythonLatestVersionForAppServices": {
+ "value": "[parameters('windowsPythonLatestVersionForAppServices')]"
+ },
+ "linuxPythonLatestVersionForAppServices": {
+ "value": "[parameters('linuxPythonLatestVersionForAppServices')]"
+ },
+ "listOfResourceTypesForDiagnosticLogs": {
+ "value": "[parameters('listOfResourceTypesForDiagnosticLogs')]"
+ },
+ "minimumTLSVersionForWindowsServers": {
+ "value": "[parameters('minimumTLSVersionForWindowsServers')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "NIST SP 800-171 R2"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/NIST-SP-800-171-R2/artifacts/7c7cea7a-becd-41b9-8f8a-4414927c73e9",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "7c7cea7a-becd-41b9-8f8a-4414927c73e9"
+}
diff --git a/samples/001-builtins/nist-sp-800-171-r2/blueprint.json b/samples/001-builtins/nist-sp-800-171-r2/blueprint.json
new file mode 100644
index 0000000..9477b7b
--- /dev/null
+++ b/samples/001-builtins/nist-sp-800-171-r2/blueprint.json
@@ -0,0 +1,244 @@ +{ + "properties": { + "parameters": { + "membersToExcludeInLocalAdministratorsGroup": { + "type": "string", + "metadata": { + "displayName": "List of users excluded from Windows VM Administrators group", + "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2" + }, + "allowedValues": [ + + ] + }, + "membersToIncludeInLocalAdministratorsGroup": { + "type": "string", + "metadata": { + "displayName": "List of users that must be included in Windows VM Administrators group", + "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2" + }, + "allowedValues": [ + + ] + }, + "listOfLocationsForNetworkWatcher": { + "type": "array", + "metadata": { + "displayName": "List of regions where Network Watcher should be enabled", + "description": "Audit if Network Watcher is not enabled for region(s).", + "strongType": "location" + }, + "allowedValues": [ + + ] + }, + "logAnalyticsWorkspaceIDForVMAgents": { + "type": "string", + "metadata": { + "displayName": "Log Analytics workspace ID for VM agent reporting", + "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report." 
+ }, + "allowedValues": [ + + ] + }, + "pHPLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest PHP version", + "description": "Latest supported PHP version for App Services" + }, + "defaultValue": "7.3", + "allowedValues": [ + + ] + }, + "windowsImagesToAddToLogAgentAuditScope": { + "type": "array", + "metadata": { + "displayName": "Optional: List of Windows VM images that support Log Analytics agent to add to audit scope", + "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage" + }, + "defaultValue": [ + + ], + "allowedValues": [ + + ] + }, + "linuxImagesToAddToLogAgentAuditScope": { + "type": "array", + "metadata": { + "displayName": "Optional: List of Linux VM images that support Log Analytics agent to add to audit scope", + "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage" + }, + "defaultValue": [ + + ], + "allowedValues": [ + + ] + }, + "javaLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest Java version", + "description": "Latest supported Java version for App Services" + }, + "defaultValue": "11", + "allowedValues": [ + + ] + }, + "windowsPythonLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest Windows Python version", + "description": "Latest supported Python version for App Services" + }, + "defaultValue": "3.6", + "allowedValues": [ + + ] + }, + "linuxPythonLatestVersionForAppServices": { + "type": "string", + "metadata": { + "displayName": "Latest Linux Python version", + "description": "Latest supported Python version for App Services" + }, + "defaultValue": "3.8", + "allowedValues": [ + + ] + }, + "listOfResourceTypesForDiagnosticLogs": { + "type": "array", + "metadata": { + "displayName": "List of resource types that 
should have diagnostic logs enabled", + "description": "Audit diagnostic setting for selected resource types" + }, + "defaultValue": [ + "Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + "Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ], + "allowedValues": [ + 
"Microsoft.AnalysisServices/servers", + "Microsoft.ApiManagement/service", + "Microsoft.Network/applicationGateways", + "Microsoft.Automation/automationAccounts", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerRegistry/registries", + "Microsoft.ContainerService/managedClusters", + "Microsoft.Batch/batchAccounts", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.CognitiveServices/accounts", + "Microsoft.DocumentDB/databaseAccounts", + "Microsoft.DataFactory/factories", + "Microsoft.DataLakeAnalytics/accounts", + "Microsoft.DataLakeStore/accounts", + "Microsoft.EventGrid/eventSubscriptions", + "Microsoft.EventGrid/topics", + "Microsoft.EventHub/namespaces", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/azureFirewalls", + "Microsoft.HDInsight/clusters", + "Microsoft.Devices/IotHubs", + "Microsoft.KeyVault/vaults", + "Microsoft.Network/loadBalancers", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/workflows", + "Microsoft.DBforMySQL/servers", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.DBforPostgreSQL/servers", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.Network/publicIPAddresses", + "Microsoft.RecoveryServices/vaults", + "Microsoft.Cache/redis", + "Microsoft.Relay/namespaces", + "Microsoft.Search/searchServices", + "Microsoft.ServiceBus/namespaces", + "Microsoft.SignalRService/SignalR", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/elasticPools", + "Microsoft.StreamAnalytics/streamingjobs", + "Microsoft.TimeSeriesInsights/environments", + "Microsoft.Network/trafficManagerProfiles", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworkGateways" + ] + }, + "minimumTLSVersionForWindowsServers": { + "type": "string", + "metadata": { + "displayName": "Minimum TLS version for Windows web servers", + "description": "The minimum TLS 
protocol version that should be enabled on Windows web servers." + }, + "defaultValue": "1.2", + "allowedValues": [ + "1.2" + ] + } + }, + "resourceGroups": { + + }, + "targetScope": "subscription", + "status": { + "timeCreated": "2020-06-15T11:39:06+00:00", + "lastModified": "2020-06-15T11:39:06.9102566+00:00" + }, + "displayName": "NIST SP 800-171 R2", + "description": "Assigns policies to address specific NIST SP 800-171 R2 requirements." + }, + "id": "/providers/Microsoft.Blueprint/blueprints/NIST-SP-800-171-R2", + "type": "Microsoft.Blueprint/blueprints", + "name": "NIST-SP-800-171-R2" +} diff --git a/samples/001-builtins/nist-sp-800-171-r2_Gov/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json b/samples/001-builtins/nist-sp-800-171-r2_Gov/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json new file mode 100644 index 0000000..524cd8a --- /dev/null +++ b/samples/001-builtins/nist-sp-800-171-r2_Gov/artifact.7c7cea7a-becd-41b9-8f8a-4414927c73e9.json 
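Review bot: `windowsImagesToAddToLogAgentAuditScope` and `linuxImagesToAddToLogAgentAuditScope` are declared `"type": "array"` but their descriptions say `A semicolon-separated list of images`, so an operator following the description is likely to supply a single delimited string where the array parameter expects one resource ID per element; change both descriptions to `"description": "List of image resource IDs; Ex: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage"`, which also repairs the empty subscription segment in the current example (`/subscriptions//resourceGroups/...`) to match the `YourSubscriptionId` placeholder used elsewhere in this commit. The `*LatestVersionForAppServices` defaults (`7.3`, `11`, `3.6`, `3.8`) are described as the "latest supported" runtime version but are pinned to whatever was current at export (`timeCreated` is 2020-06-15), so as those runtimes age the audit keeps reporting compliance against a stale baseline; the descriptions should say the value is a snapshot to be re-checked whenever the blueprint is republished. The `pHPLatestVersionForAppServices` key also breaks the camelCase convention every other parameter in this file follows (`phpLatestVersionForAppServices`), though renaming it would require the matching artifact to change too.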
@@ -0,0 +1,51 @@
+{
+ "properties": {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9",
+ "parameters": {
+ "membersToExcludeInLocalAdministratorsGroup": {
+ "value": "[parameters('membersToExcludeInLocalAdministratorsGroup')]"
+ },
+ "membersToIncludeInLocalAdministratorsGroup": {
+ "value": "[parameters('membersToIncludeInLocalAdministratorsGroup')]"
+ },
+ "listOfLocationsForNetworkWatcher": {
+ "value": "[parameters('listOfLocationsForNetworkWatcher')]"
+ },
+ "logAnalyticsWorkspaceIDForVMAgents": {
+ "value": "[parameters('logAnalyticsWorkspaceIDForVMAgents')]"
+ },
+ "pHPLatestVersionForAppServices": {
+ "value": "[parameters('pHPLatestVersionForAppServices')]"
+ },
+ "windowsImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('windowsImagesToAddToLogAgentAuditScope')]"
+ },
+ "linuxImagesToAddToLogAgentAuditScope": {
+ "value": "[parameters('linuxImagesToAddToLogAgentAuditScope')]"
+ },
+ "javaLatestVersionForAppServices": {
+ "value": "[parameters('javaLatestVersionForAppServices')]"
+ },
+ "windowsPythonLatestVersionForAppServices": {
+ "value": "[parameters('windowsPythonLatestVersionForAppServices')]"
+ },
+ "linuxPythonLatestVersionForAppServices": {
+ "value": "[parameters('linuxPythonLatestVersionForAppServices')]"
+ },
+ "listOfResourceTypesForDiagnosticLogs": {
+ "value": "[parameters('listOfResourceTypesForDiagnosticLogs')]"
+ },
+ "minimumTLSVersionForWindowsServers": {
+ "value": "[parameters('minimumTLSVersionForWindowsServers')]"
+ }
+ },
+ "dependsOn": [
+
+ ],
+ "displayName": "NIST SP 800-171 R2"
+ },
+ "kind": "policyAssignment",
+ "id": "/providers/Microsoft.Blueprint/blueprints/NIST-SP-800-171-R2_Gov/artifacts/7c7cea7a-becd-41b9-8f8a-4414927c73e9",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "7c7cea7a-becd-41b9-8f8a-4414927c73e9"
+}
diff --git a/samples/001-builtins/nist-sp-800-171-r2_Gov/blueprint.json b/samples/001-builtins/nist-sp-800-171-r2_Gov/blueprint.json
new file mode 100644
index 0000000..005882f
--- /dev/null
+++ b/samples/001-builtins/nist-sp-800-171-r2_Gov/blueprint.json
@@ -0,0 +1,244 @@
+{
+ "properties": {
+ "parameters": {
+ "membersToExcludeInLocalAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users excluded from Windows VM Administrators group",
+ "description": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "membersToIncludeInLocalAdministratorsGroup": {
+ "type": "string",
+ "metadata": {
+ "displayName": "List of users that must be included in Windows VM Administrators group",
+ "description": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "listOfLocationsForNetworkWatcher": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of regions where Network Watcher should be enabled",
+ "description": "Audit if Network Watcher is not enabled for region(s).",
+ "strongType": "location"
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "logAnalyticsWorkspaceIDForVMAgents": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Log Analytics workspace ID for VM agent reporting",
+ "description": "ID (GUID) of the Log Analytics workspace where VMs agents should report."
+ },
+ "allowedValues": [
+
+ ]
+ },
+ "pHPLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest PHP version",
+ "description": "Latest supported PHP version for App Services"
+ },
+ "defaultValue": "7.3",
+ "allowedValues": [
+
+ ]
+ },
+ "windowsImagesToAddToLogAgentAuditScope": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Optional: List of Windows VM images that support Log Analytics agent to add to audit scope",
+ "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage"
+ },
+ "defaultValue": [
+
+ ],
+ "allowedValues": [
+
+ ]
+ },
+ "linuxImagesToAddToLogAgentAuditScope": {
+ "type": "array",
+ "metadata": {
+ "displayName": "Optional: List of Linux VM images that support Log Analytics agent to add to audit scope",
+ "description": "A semicolon-separated list of images; Ex: /subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage"
+ },
+ "defaultValue": [
+
+ ],
+ "allowedValues": [
+
+ ]
+ },
+ "javaLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Java version",
+ "description": "Latest supported Java version for App Services"
+ },
+ "defaultValue": "11",
+ "allowedValues": [
+
+ ]
+ },
+ "windowsPythonLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Windows Python version",
+ "description": "Latest supported Python version for App Services"
+ },
+ "defaultValue": "3.6",
+ "allowedValues": [
+
+ ]
+ },
+ "linuxPythonLatestVersionForAppServices": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Latest Linux Python version",
+ "description": "Latest supported Python version for App Services"
+ },
+ "defaultValue": "3.8",
+ "allowedValues": [
+
+ ]
+ },
+ "listOfResourceTypesForDiagnosticLogs": {
+ "type": "array",
+ "metadata": {
+ "displayName": "List of resource types that should have diagnostic logs enabled",
+ "description": "Audit diagnostic setting for selected resource types"
+ },
+ "defaultValue": [
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
+ ],
+ "allowedValues": [
+ "Microsoft.AnalysisServices/servers",
+ "Microsoft.ApiManagement/service",
+ "Microsoft.Network/applicationGateways",
+ "Microsoft.Automation/automationAccounts",
+ "Microsoft.ContainerInstance/containerGroups",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.Batch/batchAccounts",
+ "Microsoft.Cdn/profiles/endpoints",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DataFactory/factories",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeStore/accounts",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.Network/expressRouteCircuits",
+ "Microsoft.Network/azureFirewalls",
+ "Microsoft.HDInsight/clusters",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Logic/integrationAccounts",
+ "Microsoft.Logic/workflows",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.PowerBIDedicated/capacities",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.Cache/redis",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Search/searchServices",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/elasticPools",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.Network/trafficManagerProfiles",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworkGateways"
+ ]
+ },
+ "minimumTLSVersionForWindowsServers": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Minimum TLS version for Windows web servers",
+ "description": "The minimum TLS protocol version that should be enabled on Windows web servers."
+ },
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2"
+ ]
+ }
+ },
+ "resourceGroups": {
+
+ },
+ "targetScope": "subscription",
+ "status": {
+ "timeCreated": "2020-06-15T11:39:06+00:00",
+ "lastModified": "2020-06-15T11:39:06.9102566+00:00"
+ },
+ "displayName": "NIST SP 800-171 R2",
+ "description": "Assigns policies to address specific NIST SP 800-171 R2 requirements."
+ },
+ "id": "/providers/Microsoft.Blueprint/blueprints/NIST-SP-800-171-R2_Gov",
+ "type": "Microsoft.Blueprint/blueprints",
+ "name": "NIST-SP-800-171-R2_Gov"
+}
diff --git a/samples/001-builtins/nist-sp-800-53-r4-azgov/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json b/samples/001-builtins/nist-sp-800-53-r4-azgov/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json
index 605ca0d..ece7b05 100644
--- a/samples/001-builtins/nist-sp-800-53-r4-azgov/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json
+++ b/samples/001-builtins/nist-sp-800-53-r4-azgov/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json
@@ -16,7 +16,7 @@
 }
 },
 "dependsOn": [],
- "displayName": "[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "NIST SP 800-53 R4"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/NIST-SP-800-53-R4-AzGov/artifacts/18e5b847-d4b8-44f6-846a-6698f1af9631",
diff --git a/samples/001-builtins/nist-sp-800-53-r4/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json b/samples/001-builtins/nist-sp-800-53-r4/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json
index cfa4550..a0f6fa2 100644
--- a/samples/001-builtins/nist-sp-800-53-r4/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json
+++ b/samples/001-builtins/nist-sp-800-53-r4/artifact.18e5b847-d4b8-44f6-846a-6698f1af9631.json
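Review bot: The two image-scope parameters in this hunk, `windowsImagesToAddToLogAgentAuditScope` and `linuxImagesToAddToLogAgentAuditScope`, are typed `array`, yet their descriptions say "A semicolon-separated list of images" and the example path `/subscriptions//resourceGroups/...` has an empty subscription segment, so an operator following the text will presumably enter one semicolon-joined string that matches no image resource ID and those images silently stay outside the Log Analytics agent audit. Suggested description for both: `"A list of image resource IDs; Ex: /subscriptions/<subscriptionId>/resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage"`. The runtime defaults (`pHPLatestVersionForAppServices` "7.3", `windowsPythonLatestVersionForAppServices` "3.6", `linuxPythonLatestVersionForAppServices` "3.8") are point-in-time values that will drift from what App Service actually supports, so their descriptions should tell the assigner to confirm the current supported version rather than accept the default. If these files are straight exports of the built-in blueprint definitions, the wording fix belongs upstream as well as in this sample.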
@@ -18,7 +18,7 @@
 "dependsOn": [
 
 ],
- "displayName": "[Preview]: Audit NIST SP 800-53 R4 controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "NIST SP 800-53 R4"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/NIST-SP-800-53-R4/artifacts/18e5b847-d4b8-44f6-846a-6698f1af9631",
diff --git a/samples/001-builtins/pci_dss_3_2_1/artifact.a1d69d60-3bc3-46eb-a05e-1abc7f7ef4ba.json b/samples/001-builtins/pci_dss_3_2_1/artifact.a1d69d60-3bc3-46eb-a05e-1abc7f7ef4ba.json
index 36c1e93..1b58ef5 100644
--- a/samples/001-builtins/pci_dss_3_2_1/artifact.a1d69d60-3bc3-46eb-a05e-1abc7f7ef4ba.json
+++ b/samples/001-builtins/pci_dss_3_2_1/artifact.a1d69d60-3bc3-46eb-a05e-1abc7f7ef4ba.json
@@ -9,7 +9,7 @@
 "dependsOn": [
 
 ],
- "displayName": "[Preview]: Audit PCI v3.2.1:2018 controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "PCI v3.2.1:2018"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/PCI_DSS_3_2_1/artifacts/a1d69d60-3bc3-46eb-a05e-1abc7f7ef4ba",
diff --git a/samples/001-builtins/swift-csp-cscf-v2020/artifact.0d9c470c-a152-4bb6-bb87-45007f6e67a0.json b/samples/001-builtins/swift-csp-cscf-v2020/artifact.0d9c470c-a152-4bb6-bb87-45007f6e67a0.json
index 8ce0c75..df81ba4 100644
--- a/samples/001-builtins/swift-csp-cscf-v2020/artifact.0d9c470c-a152-4bb6-bb87-45007f6e67a0.json
+++ b/samples/001-builtins/swift-csp-cscf-v2020/artifact.0d9c470c-a152-4bb6-bb87-45007f6e67a0.json
@@ -18,7 +18,7 @@
 "dependsOn": [
 
 ],
- "displayName": "[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "SWIFT CSP-CSCF v2020"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/SWIFT-CSP-CSCF-v2020/artifacts/artifact.0d9c470c-a152-4bb6-bb87-45007f6e67a0",
diff --git a/samples/001-builtins/uknhs/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json b/samples/001-builtins/uknhs/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json
index 8cae29e..4aaff64 100644
--- a/samples/001-builtins/uknhs/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json
+++ b/samples/001-builtins/uknhs/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json
@@ -9,7 +9,7 @@
 "dependsOn": [
 
 ],
- "displayName": "[Preview]: Audit UK OFFICIAL and UK NHS controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "UK OFFICIAL and UK NHS"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/UKNHS/artifacts/97bc436a-1135-41b4-86ff-33e4c0dbe12b",
diff --git a/samples/001-builtins/ukofficial_governance/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json b/samples/001-builtins/ukofficial_governance/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json
index 34bd56c..d810e35 100644
--- a/samples/001-builtins/ukofficial_governance/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json
+++ b/samples/001-builtins/ukofficial_governance/artifact.97bc436a-1135-41b4-86ff-33e4c0dbe12b.json
@@ -9,7 +9,7 @@
 "dependsOn": [
 
 ],
- "displayName": "[Preview]: Audit UK OFFICIAL and UK NHS controls and deploy specific VM Extensions to support audit requirements"
+ "displayName": "UK OFFICIAL and UK NHS"
 },
 "kind": "policyAssignment",
 "id": "/providers/Microsoft.Blueprint/blueprints/UKOFFICIAL_Governance/artifacts/97bc436a-1135-41b4-86ff-33e4c0dbe12b",