Update ALZ assignment files (#628)
Co-authored-by: Anthony Watherston <Anthony.Watherston@microsoft.com>
anwather and Anthony Watherston committed May 10, 2024
1 parent 0f70ff9 commit 6129009
Showing 7 changed files with 708 additions and 114 deletions.
3 changes: 3 additions & 0 deletions Docs/integrating-with-alz.md
Expand Up @@ -182,6 +182,9 @@ To deploy the ALZ policies using EPAC follow the steps below.

6. Update assignment parameters.

> [!WARNING]
> Carefully review the parameters and policies deployed as they have recently changed. Review each asssignment file carefully and ensure all parameter values are completed. Due to changes in usage of the Azure Monitor Agent - there are some Data Collection Rules that must be deployed prior to assigning the policies - the source for these DCRs are provided in the assignment file parameter comments.

Several of the assignment files also have parameters which need to be in place. Pay attention to the requirements about having a Log Analytics workspace deployed prior to assigning these policies as it is a requirement for several of the assignments. Less generic parameters are also available for modification in the assignment files.

7. Follow the normal steps to deploy the solution to the environment.
Expand Up @@ -44,58 +44,58 @@
// but modify to reference your connectivity subscription.
// Also update additionalRoleAssignments block to ensure your connectivity subscription Id is referenced.
// If you don't require this then remove the assignment block.
"azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net",
"azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
"azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
"azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com",
"azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com",
"azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com",
"azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com",
"azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com",
"azureDataFactoryPrivateDnsZoneId": "--DNSZonePrefix--privatelink.datafactory.azure.net",
"azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com",
"azureDatabricksPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azuredatabricks.net",
"azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net",
"azureMigratePrivateDnsZoneId": "--DNSZonePrefix--privatelink.prod.migration.windowsazure.com",
"azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
"azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
"azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net",
"azureStorageStaticWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
"azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
"azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
"azureStorageDFSSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
"azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
"azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
"azureIotPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices-provisioning.net",
"azureSynapseDevPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dev.azuresynapse.net",
"azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
"azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
"azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
"azureMonitorPrivateDnsZoneId1": "--DNSZonePrefix--privatelink.monitor.azure.com",
"azureMonitorPrivateDnsZoneId2": "--DNSZonePrefix--privatelink.oms.opinsights.azure.com",
"azureMonitorPrivateDnsZoneId3": "--DNSZonePrefix--privatelink.ods.opinsights.azure.com",
"azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net",
"azureMonitorPrivateDnsZoneId5": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
"azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net",
"azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net",
"azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
"azureMigratePrivateDnsZoneId": "--DNSZonePrefix--privatelink.prod.migration.windowsazure.com",
"azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com",
"azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
"azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.webpubsub.azure.com",
"azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com",
"azureBatchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.batch.azure.com",
"azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
"azureMonitorPrivateDnsZoneId5": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureAppPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azconfig.io",
"azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
"azureDataFactoryPrivateDnsZoneId": "--DNSZonePrefix--privatelink.datafactory.azure.net",
"azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com",
"azureAsrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.siterecovery.windowsazure.com",
"azureIotPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices-provisioning.net",
"azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
"azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
"azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net",
"azureDatabricksPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azuredatabricks.net",
"azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
"azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com",
"azureMonitorPrivateDnsZoneId2": "--DNSZonePrefix--privatelink.oms.opinsights.azure.com",
"azureKeyVaultPrivateDnsZoneId": "--DNSZonePrefix--privatelink.vaultcore.azure.net",
"azureSignalRPrivateDnsZoneId": "--DNSZonePrefix--privatelink.service.signalr.net",
"azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net",
"azureEventGridTopicsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
"azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com",
"azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net",
"azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
"azureEventGridDomainsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
"azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
"azureMonitorPrivateDnsZoneId1": "--DNSZonePrefix--privatelink.monitor.azure.com",
"azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
"azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net",
"azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net",
"azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com",
"azureMonitorPrivateDnsZoneId3": "--DNSZonePrefix--privatelink.ods.opinsights.azure.com",
"azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
"azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com",
"azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
"azureStorageStaticWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
"azureSignalRPrivateDnsZoneId": "--DNSZonePrefix--privatelink.service.signalr.net",
"azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net",
"azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net",
"azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
"azureRedisCachePrivateDnsZoneId": "--DNSZonePrefix--privatelink.redis.cache.windows.net",
"azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
"azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
"azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
"azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
"azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net"
"azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
"azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
"azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com"
},
"nonComplianceMessages": [
{
Expand Down Expand Up @@ -143,6 +143,7 @@
"microsoft.network/expressroutegateways",
"microsoft.network/expressrouteports",
"microsoft.network/virtualwans",
"microsoft.network/virtualhubs",
"microsoft.network/vpngateways",
"microsoft.network/p2svpngateways",
"microsoft.network/vpnsites",
Expand All @@ -166,7 +167,12 @@
"policyName": "Audit-PrivateLinkDnsZones"
},
"parameters": {
// Replace the ---location--- with the location of the Private Link Private DNS Zone resource
"privateLinkDnsZones": [
"privatelink.ae.backup.windowsazure.com",
"privatelink.---location---.azmk8s.io",
"privatelink.---location---.batch.azure.com",
"privatelink.---location---.kusto.windows.net",
"privatelink.adf.azure.com",
"privatelink.afs.azure.net",
"privatelink.agentsvc.azure-automation.net",
Expand All @@ -178,6 +184,7 @@
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azuredatabricks.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
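Review bot: The new `privatelink.ae.backup.windowsazure.com` entry in the Audit-PrivateLinkDnsZones hunk hard-codes what looks like a single region geo code, while the three entries added directly below it use the `---location---` placeholder that the new comment tells the reader to replace; a deployment in any other region would carry an audit entry for a backup zone it never uses and none for the one it does. Unless that geo code is intentional, make it a placeholder as well, e.g. `"privatelink.---geoCode---.backup.windowsazure.com",`, and extend the comment above the array to `// Replace ---location--- with the region name and ---geoCode--- with the region geo code of the Recovery Services private DNS zone`. A placeholder left in place is still a valid string in an audit parameter, so it is not caught at deployment time; presumably the policy then never matches the real zone for that region, which is worth stating in the comment. The privateLinkDnsZones array continues past the end of this hunk.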
