diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Tags-Mandatory.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Tags-Mandatory.json
index dd83bce93..041c46a87 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Tags-Mandatory.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Tags-Mandatory.json
@@ -5,11 +5,11 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "mode": "All",
+ "mode": "Indexed",
 "displayName": "Audit for mandatory tags on resources",
 "description": "Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Tags",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json
index 087f306e1..bf3430faa 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json
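Review bot: The switch from `"mode": "All"` to `"mode": "Indexed"` changes which resource types this audit evaluates, yet the metadata version only moves to `"version": "1.0.1"`; the other two definitions in this commit use a minor bump (1.1.0 → 1.2.0, 2.0.0 → 2.1.0) for behavioural changes, so `"version": "1.1.0"` would be the consistent choice. In Indexed mode only resource types that support tags and location are evaluated, which presumably is the motivation (less noise from untaggable child resources), but the description's "Does not apply to resource groups" and the policyRule itself, both outside or unchanged in this hunk, should be re-checked against that narrower evaluation set so the displayed text still matches what the definition does.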
@@ -9,7 +9,7 @@
 "displayName": "Subnets without Private Endpoint Network Policies enabled should be denied",
 "description": "This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -45,6 +45,20 @@
 "AzureBastionSubnet",
 "RouteServerSubnet"
 ]
+ },
+ "penpValue": {
+ "type": "String",
+ "allowedValues": [
+ "Disabled",
+ "NetworkSecurityGroupEnabled",
+ "RouteTableEnabled",
+ "Enabled"
+ ],
+ "defaultValue": "Enabled",
+ "metadata": {
+ "displayName": "Private Endpoint Network Policies Value",
+ "description": "The privateEndpointNetworkPolicies value required for evaluated subnets"
+ }
 }
 },
 "policyRule": {
@@ -63,7 +77,7 @@
 "allOf": [
 {
 "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
- "notEquals": "Enabled"
+ "notEquals": "[parameters('penpValue')]"
 },
 {
 "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
@@ -88,7 +102,7 @@
 },
 {
 "field": "Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies",
- "notEquals": "Enabled"
+ "notEquals": "[parameters('penpValue')]"
 }
 ]
 }
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
index 580c205cc..f735599fb 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Private-DNS-Generic.json
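Review bot: The new `penpValue` parameter in the `@@ -45,6 +45,20 @@` hunk lists `"Disabled"` among its allowedValues, and because both `notEquals` comparisons in the `@@ -63,7 +77,7 @@` and `@@ -88,7 +102,7 @@` hunks now read that parameter, an assignment that picks `Disabled` turns this Deny-Subnet-Without-Penp definition into one that denies every subnet that does have network policies enabled, the opposite of its displayName. If that configuration is not intended, remove `"Disabled"` from the list; if it is, the parameter `description` should state that the policy then enforces the absence of network policies. `notEquals` is an exact match, so selecting `NetworkSecurityGroupEnabled` or `RouteTableEnabled` would also deny subnets set to the stricter `Enabled` value, which is presumably acceptable but worth confirming in the description. The description context line in the first hunk still reads `Netwotk`, a typo this version bump could have carried along.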
@@ -9,7 +9,7 @@
 "displayName": "Deploy-Private-DNS-Generic",
 "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Networking",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -84,22 +84,44 @@
 "equals": "Microsoft.Network/privateEndpoints"
 },
 {
- "count": {
- "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
- "where": {
- "allOf": [
- {
- "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
- "contains": "[parameters('resourceType')]"
- },
- {
- "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
- "equals": "[parameters('groupId')]"
+ "anyOf": [
+ {
+ "count": {
+ "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId",
+ "contains": "[parameters('resourceType')]"
+ },
+ {
+ "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
+ "equals": "[parameters('groupId')]"
+ }
+ ]
 }
- ]
+ },
+ "greaterOrEquals": 1
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*].privateLinkServiceId",
+ "contains": "[parameters('resourceType')]"
+ },
+ {
+ "field": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*].groupIds[*]",
+ "equals": "[parameters('groupId')]"
+ }
+ ]
+ }
+ },
+ "greaterOrEquals": 1
 }
- },
- "greaterOrEquals": 1
+ ]
 }
 ]
 },
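Review bot: The `@@ -84,22 +84,44 @@` hunk extends the match to `manualPrivateLinkServiceConnections[*]`, but the metadata `description` in the first hunk of this file is left as is even though the version is bumped; it should say the definition now covers both connection kinds, e.g. `"description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. Evaluates both automatic and manually approved private link service connections. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy."`. The two `where` blocks inside the new `anyOf` are identical apart from the alias prefix, and since a policy rule offers no way to factor them, any later change to the `contains`/`equals` conditions has to be made twice; a sentence in the module README noting this would help the next editor. A manual connection can exist while still pending approval on the provider side; the deployIfNotExists details sit outside this hunk, so confirm that deploying the DNS zone group for an endpoint whose connection is not yet approved is the intended behaviour.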