Built-in Policy Release 2ee49b41 (#1233)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>

Author: pilor

built-in-policies/policyDefinitions/Data Factory/SSISIR_JoinVirtualNetwork_Audit.json

@@ -5,10 +5,10 @@
     "mode": "All",
     "description": "Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access.",
     "metadata": {
-      "version": "2.1.0",
+      "version": "2.2.0",
       "category": "Data Factory"
     },
-    "version": "2.1.0",
+    "version": "2.2.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -41,6 +41,10 @@
                 "field": "Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vnetProperties.vnetId",
                 "exists": "false"
               },
+              {
+                "field": "Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.computeProperties.vNetProperties.subnetId",
+                "exists": "false"
+              },
               {
                 "field": "Microsoft.DataFactory/factories/integrationRuntimes/Managed.typeProperties.customerVirtualNetwork.subnetId",
                 "exists": "false"

built-in-policies/policyDefinitions/General/ResourceType_denyActionDelete.json

@@ -0,0 +1,52 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Do not allow deletion of resource types",
+    "policyType": "BuiltIn",
+    "mode": "All",
+    "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "General",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "listOfResourceTypesDisallowedForDeletion": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Resource types that cannot be deleted",
+          "description": "The list of resource types that cannot be deleted.",
+          "strongType": "resourceTypes"
+        }
+      },
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DenyAction",
+          "Disabled"
+        ],
+        "defaultValue": "DenyAction"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "in": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "actionNames": [
+            "delete"
+          ]
+        }
+      }
+    }
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/78460a36-508a-49a4-b2b2-2f5ec564f4bb",
+  "name": "78460a36-508a-49a4-b2b2-2f5ec564f4bb"
+}

built-in-policies/policyDefinitions/Kubernetes/AKS_AAD_AdminGroup_Deploy.json

@@ -1,13 +1,13 @@
 {
   "properties": {
     "policyType": "BuiltIn",
-    "displayName": "Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access",
-    "description": "Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters.",
+    "displayName": "Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access",
+    "description": "Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.",
     "metadata": {
-      "version": "2.0.1",
+      "version": "2.0.3",
       "category": "Kubernetes"
     },
-    "version": "2.0.1",
+    "version": "2.0.3",
     "mode": "Indexed",
     "parameters": {
       "effect": {
@@ -160,12 +160,12 @@
                               "networkProfile": "[if(contains(parameters('aksClusterContent').properties, 'networkProfile'), parameters('aksClusterContent').properties.networkProfile, json('null'))]",
                               "aadProfile": {
                                 "adminGroupObjectIds": "[parameters('adminGroupObjectIDs')]",
-                                "managed": "[if(contains(parameters('aksClusterContent').properties.aadProfile, 'managed'), parameters('aksClusterContent').properties.aadProfile.managed, json('null'))]",
-                                "enableAzureRBAC": "[if(contains(parameters('aksClusterContent').properties.aadProfile, 'enableAzureRBAC'), parameters('aksClusterContent').properties.aadProfile.enableAzureRBAC, json('null'))]",
-                                "tenantID": "[if(contains(parameters('aksClusterContent').properties.aadProfile, 'tenantID'), parameters('aksClusterContent').properties.aadProfile.tenantID, json('null'))]",
-                                "clientAppID": "[if(contains(parameters('aksClusterContent').properties.aadProfile, 'clientAppID'), parameters('aksClusterContent').properties.aadProfile.clientAppID, json('null'))]",
-                                "serverAppID": "[if(contains(parameters('aksClusterContent').properties.aadProfile, 'serverAppID'), parameters('aksClusterContent').properties.aadProfile.serverAppID, json('null'))]",
-                                "serverAppSecret": "[if(contains(parameters('aksClusterContent').properties.aadProfile, 'serverAppSecret'), parameters('aksClusterContent').properties.aadProfile.serverAppSecret, json('null'))]"
+                                "managed": "[if(and(contains(parameters('aksClusterContent').properties, 'aadProfile'), contains(parameters('aksClusterContent').properties.aadProfile, 'managed')), parameters('aksClusterContent').properties.aadProfile.managed, json('null'))]",
+                                "enableAzureRBAC": "[if(and(contains(parameters('aksClusterContent').properties, 'aadProfile'), contains(parameters('aksClusterContent').properties.aadProfile, 'enableAzureRBAC')), parameters('aksClusterContent').properties.aadProfile.enableAzureRBAC, json('null'))]",
+                                "tenantID": "[if(and(contains(parameters('aksClusterContent').properties, 'aadProfile'), contains(parameters('aksClusterContent').properties.aadProfile, 'tenantID')), parameters('aksClusterContent').properties.aadProfile.tenantID, json('null'))]",
+                                "clientAppID": "[if(and(contains(parameters('aksClusterContent').properties, 'aadProfile'), contains(parameters('aksClusterContent').properties.aadProfile, 'clientAppID')), parameters('aksClusterContent').properties.aadProfile.clientAppID, json('null'))]",
+                                "serverAppID": "[if(and(contains(parameters('aksClusterContent').properties, 'aadProfile'), contains(parameters('aksClusterContent').properties.aadProfile, 'serverAppID')), parameters('aksClusterContent').properties.aadProfile.serverAppID, json('null'))]",
+                                "serverAppSecret": "[if(and(contains(parameters('aksClusterContent').properties, 'aadProfile'), contains(parameters('aksClusterContent').properties.aadProfile, 'serverAppSecret')), parameters('aksClusterContent').properties.aadProfile.serverAppSecret, json('null'))]"
                               },
                               "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
                               "autoUpgradeProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoUpgradeProfile'), parameters('aksClusterContent').properties.autoUpgradeProfile, json('null'))]",

built-in-policies/policyDefinitions/Kubernetes/AKS_AAD_Integration_Audit.json

@@ -1,13 +1,13 @@
 {
   "properties": {
     "policyType": "BuiltIn",
-    "displayName": "Azure Kubernetes Service Clusters should enable Azure Active Directory integration",
-    "description": "AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad.",
+    "displayName": "Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration",
+    "description": "AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad.",
     "metadata": {
-      "version": "1.0.1",
+      "version": "1.0.2",
       "category": "Kubernetes"
     },
-    "version": "1.0.1",
+    "version": "1.0.2",
     "mode": "Indexed",
     "parameters": {
       "effect": {

built-in-policies/policyDefinitions/Kubernetes/AKS_DisableRunCommand_Deploy.json

@@ -5,10 +5,10 @@
     "description": "Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.1",
+      "version": "1.0.2",
       "category": "Kubernetes"
     },
-    "version": "1.0.1",
+    "version": "1.0.2",
     "parameters": {
       "effect": {
         "type": "String",
@@ -124,11 +124,7 @@
                               "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
                               "autoUpgradeProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoUpgradeProfile'), parameters('aksClusterContent').properties.autoUpgradeProfile, json('null'))]",
                               "apiServerAccessProfile": {
-                                "authorizedIPRanges": "[if(contains(parameters('aksClusterContent').properties.apiServerAccessProfile, 'authorizedIPRanges'), parameters('aksClusterContent').properties.apiServerAccessProfile.authorizedIPRanges, json('null'))]",
-                                "disableRunCommand": true,
-                                "enablePrivateCluster": "[if(contains(parameters('aksClusterContent').properties.apiServerAccessProfile, 'enablePrivateCluster'), parameters('aksClusterContent').properties.apiServerAccessProfile.enablePrivateCluster, json('null'))]",
-                                "enablePrivateClusterPublicFQDN": "[if(contains(parameters('aksClusterContent').properties.apiServerAccessProfile, 'enablePrivateClusterPublicFQDN'), parameters('aksClusterContent').properties.apiServerAccessProfile.enablePrivateClusterPublicFQDN, json('null'))]",
-                                "privateDNSZone": "[if(contains(parameters('aksClusterContent').properties.apiServerAccessProfile, 'privateDNSZone'), parameters('aksClusterContent').properties.apiServerAccessProfile.privateDNSZone, json('null'))]"
+                                "disableRunCommand": true
                               },
                               "diskEncryptionSetID": "[if(contains(parameters('aksClusterContent').properties, 'diskEncryptionSetID'), parameters('aksClusterContent').properties.diskEncryptionSetID, json('null'))]",
                               "disableLocalAccounts": "[if(contains(parameters('aksClusterContent').properties, 'disableLocalAccounts'), parameters('aksClusterContent').properties.disableLocalAccounts, json('null'))]",

built-in-policies/policyDefinitions/Kubernetes/AKS_ImageCleaner_Deploy.json

@@ -5,10 +5,10 @@
     "description": "Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.0.2",
       "category": "Kubernetes"
     },
-    "version": "1.0.0",
+    "version": "1.0.2",
     "parameters": {
       "effect": {
         "type": "String",
@@ -126,15 +126,13 @@
                             "properties": {
                               "kubernetesVersion": "[parameters('aksClusterContent').properties.kubernetesVersion]",
                               "dnsPrefix": "[parameters('aksClusterContent').properties.dnsPrefix]",
-                              "agentPoolProfiles": "[if(contains(parameters('aksClusterContent').properties, 'agentPoolProfiles'), parameters('aksClusterContent').properties.agentPoolProfiles, json('null'))]",
                               "linuxProfile": "[if(contains(parameters('aksClusterContent').properties, 'linuxProfile'), parameters('aksClusterContent').properties.linuxProfile, json('null'))]",
                               "windowsProfile": "[if(contains(parameters('aksClusterContent').properties, 'windowsProfile'), parameters('aksClusterContent').properties.windowsProfile, json('null'))]",
                               "servicePrincipalProfile": "[if(contains(parameters('aksClusterContent').properties, 'servicePrincipalProfile'), parameters('aksClusterContent').properties.servicePrincipalProfile, json('null'))]",
                               "nodeResourceGroup": "[parameters('aksClusterContent').properties.nodeResourceGroup]",
                               "enableRBAC": "[if(contains(parameters('aksClusterContent').properties, 'enableRBAC'), parameters('aksClusterContent').properties.enableRBAC, json('null'))]",
                               "enablePodSecurityPolicy": "[if(contains(parameters('aksClusterContent').properties, 'enablePodSecurityPolicy'), parameters('aksClusterContent').properties.enablePodSecurityPolicy, json('null'))]",
                               "networkProfile": "[if(contains(parameters('aksClusterContent').properties, 'networkProfile'), parameters('aksClusterContent').properties.networkProfile, json('null'))]",
-                              "addonProfiles": "[if(contains(parameters('aksClusterContent').properties, 'addonProfiles'), parameters('aksClusterContent').properties.addonProfiles, json('null'))]",
                               "oidcIssuerProfile": "[if(contains(parameters('aksClusterContent').properties, 'oidcIssuerProfile'), parameters('aksClusterContent').properties.oidcIssuerProfile, json('null'))]",
                               "aadProfile": "[if(contains(parameters('aksClusterContent').properties, 'aadProfile'), parameters('aksClusterContent').properties.aadProfile, json('null'))]",
                               "autoScalerProfile": "[if(contains(parameters('aksClusterContent').properties, 'autoScalerProfile'), parameters('aksClusterContent').properties.autoScalerProfile, json('null'))]",
@@ -147,13 +145,10 @@
                               "podIdentityProfile": "[if(contains(parameters('aksClusterContent').properties, 'podIdentityProfile'), parameters('aksClusterContent').properties.podIdentityProfile, json('null'))]",
                               "privateLinkResources": "[if(contains(parameters('aksClusterContent').properties, 'privateLinkResources'), parameters('aksClusterContent').properties.privateLinkResources, json('null'))]",
                               "securityProfile": {
-                                "azureKeyVaultKms": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'azureKeyVaultKms'), parameters('aksClusterContent').properties.securityProfile.azureKeyVaultKms, json('null'))]",
                                 "imageCleaner": {
                                   "enabled": true,
-                                  "intervalHours": "[if(and(contains(parameters('aksClusterContent').properties.securityProfile, 'imageCleaner'), contains(parameters('aksClusterContent').properties.securityProfile.imageCleaner, 'intervalHours')), parameters('aksClusterContent').properties.securityProfile.imageCleaner.intervalHours, parameters('defaultIntervalHours'))]"
-                                },
-                                "workloadIdentity": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'workloadIdentity'), parameters('aksClusterContent').properties.securityProfile.workloadIdentity, json('null'))]",
-                                "defender": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'defender'), parameters('aksClusterContent').properties.securityProfile.defender, json('null'))]"
+                                  "intervalHours": "[if(and(contains(parameters('aksClusterContent').properties, 'securityProfile'), contains(parameters('aksClusterContent').properties.securityProfile, 'imageCleaner'), contains(parameters('aksClusterContent').properties.securityProfile.imageCleaner, 'intervalHours')), parameters('aksClusterContent').properties.securityProfile.imageCleaner.intervalHours, parameters('defaultIntervalHours'))]"
+                                }
                               },
                               "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
                             }

built-in-policies/policyDefinitions/Kubernetes/AKS_ImageIntegrity_Deploy.json

@@ -5,10 +5,10 @@
     "description": "Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity",
     "mode": "Indexed",
     "metadata": {
-      "version": "1.0.1-preview",
+      "version": "1.0.3-preview",
       "category": "Kubernetes"
     },
-    "version": "1.0.1-preview",
+    "version": "1.0.3-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -111,7 +111,6 @@
                             "properties": {
                               "kubernetesVersion": "[parameters('aksClusterContent').properties.kubernetesVersion]",
                               "dnsPrefix": "[parameters('aksClusterContent').properties.dnsPrefix]",
-                              "agentPoolProfiles": "[if(contains(parameters('aksClusterContent').properties, 'agentPoolProfiles'), parameters('aksClusterContent').properties.agentPoolProfiles, json('null'))]",
                               "linuxProfile": "[if(contains(parameters('aksClusterContent').properties, 'linuxProfile'), parameters('aksClusterContent').properties.linuxProfile, json('null'))]",
                               "windowsProfile": "[if(contains(parameters('aksClusterContent').properties, 'windowsProfile'), parameters('aksClusterContent').properties.windowsProfile, json('null'))]",
                               "servicePrincipalProfile": "[if(contains(parameters('aksClusterContent').properties, 'servicePrincipalProfile'), parameters('aksClusterContent').properties.servicePrincipalProfile, json('null'))]",
@@ -140,12 +139,7 @@
                               "securityProfile": {
                                 "imageIntegrity": {
                                   "enabled": true
-                                },
-                                "azureKeyVaultKms": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'azureKeyVaultKms'), parameters('aksClusterContent').properties.securityProfile.azureKeyVaultKms, json('null'))]",
-                                "imageCleaner": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'imageCleaner'), parameters('aksClusterContent').properties.securityProfile.imageCleaner, json('null'))]",
-                                "nodeRestriction": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'nodeRestriction'), parameters('aksClusterContent').properties.securityProfile.nodeRestriction, json('null'))]",
-                                "workloadIdentity": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'workloadIdentity'), parameters('aksClusterContent').properties.securityProfile.workloadIdentity, json('null'))]",
-                                "defender": "[if(contains(parameters('aksClusterContent').properties.securityProfile, 'defender'), parameters('aksClusterContent').properties.securityProfile.defender, json('null'))]"
+                                }
                               },
                               "identityProfile": "[if(contains(parameters('aksClusterContent').properties, 'identityProfile'), parameters('aksClusterContent').properties.identityProfile, json('null'))]"
                             }

built-in-policies/policyDefinitions/Tags/DenyTag.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Denies the creation of a resource that contains the given tag. Does not apply to resource groups.",
     "metadata": {
-      "version": "1.0.1",
+      "version": "2.0.0",
       "category": "Tags"
     },
-    "version": "1.0.1",
+    "version": "2.0.0",
     "parameters": {
       "tagName": {
         "type": "String",