From 15a1e353a02c753510973e129c53827bc59aca2a Mon Sep 17 00:00:00 2001 From: Heinrich Gantenbein <6719941+techlake@users.noreply.github.com> Date: Thu, 17 Aug 2023 16:49:30 -0500 Subject: [PATCH] Minor improvements (#317) --- Docs/integrating-with-alz.md | 3 -- .../Sync-ALZPolicies.ps1 | 13 +++++--- .../CAF-Connectivity-Default.json | 2 +- .../CAF-CorpMG-Default.jsonc | 4 +-- .../CAF-IdentityMG-Default.json | 8 ++--- .../policyAssignments/CAF-LandingZonesMG.json | 32 +++++++++---------- .../policyAssignments/CAF-RootMG-Default.json | 26 +++++++-------- 7 files changed, 45 insertions(+), 43 deletions(-) diff --git a/Docs/integrating-with-alz.md b/Docs/integrating-with-alz.md index 79d9ce8b..3a1651f7 100644 --- a/Docs/integrating-with-alz.md +++ b/Docs/integrating-with-alz.md @@ -17,9 +17,6 @@ There are two scenarios for integrating EPAC with ALZ. ## Scenario 1 - Existing Deployment -!!! warning - This feature is currently unsupported while an update to the extraction process is made. ETA is April 2023. This warning will be removed when the feature is available again. - With an existing Azure Landing Zone deployment you can use EPAC's extract scripts to extract the existing policies and assignments. 1. Install the EnterprisePolicyAsCode module from the PowerShell gallery and import it. diff --git a/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1 b/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1 index 3f68fd92..05cfab2f 100644 --- a/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1 +++ b/Scripts/CloudAdoptionFramework/Sync-ALZPolicies.ps1 @@ -8,7 +8,12 @@ Param( if ($DefinitionsRootFolder -eq "") { if ($null -eq $env:PAC_DEFINITIONS_FOLDER) { - $DefinitionsRootFolder = "$PSScriptRoot/../../Definitions" + if ($ModuleRoot) { + $DefinitionsRootFolder = "./Definitions" + } + else { + $DefinitionsRootFolder = "$PSScriptRoot/../../Definitions" + } } else { $DefinitionsRootFolder = $env:PAC_DEFINITIONS_FOLDER 
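Review bot: The new `$ModuleRoot` branch sets `$DefinitionsRootFolder = "./Definitions"`, which resolves against the caller's current working directory, while the sibling branch anchors on `$PSScriptRoot`; later in the script that folder is created with `New-Item -Force` and filled with `Copy-Item -Force`, so running the module from any other directory silently creates and overwrites a `Definitions` tree wherever the shell happens to be. Make the intent explicit and visible: `$DefinitionsRootFolder = Join-Path (Get-Location).Path "Definitions"` followed by `Write-Verbose "Using definitions root '$DefinitionsRootFolder'"`, or require `-DefinitionsRootFolder` to be passed when `$ModuleRoot` is set. The `$env:PAC_DEFINITIONS_FOLDER` value is likewise used unvalidated, so a `Test-Path` guard before the `New-Item` calls would fail fast on a typo instead of populating a fresh tree at the wrong location. The `Param(` block that presumably declares `$ModuleRoot` lies outside the hunk.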
@@ -22,7 +27,7 @@ New-Item -Path "$DefinitionsRootFolder\policySetDefinitions\ALZ" -ItemType Direc New-Item -Path "$DefinitionsRootFolder\policyAssignments" -ItemType Directory -Force -ErrorAction SilentlyContinue New-Item -Path "$DefinitionsRootFolder\policyAssignments\ALZ" -ItemType Directory -Force -ErrorAction SilentlyContinue -. .\Scripts\Helpers\ConvertTo-HashTable.ps1 +. "$PSScriptRoot/../Helpers/ConvertTo-HashTable.ps1" $defaultPolicyURIs = @( 'https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/eslzArm/managementGroupTemplates/policyDefinitions/policies.json' @@ -98,8 +103,8 @@ foreach ($policySetFile in Get-ChildItem "$DefinitionsRootFolder\policySetDefini } if ($ModuleRoot) { - Copy-Item -Path $ModuleRoot\policyAssignments\*.* -Destination "$DefinitionsRootFolder\policyAssignments\ALZ\" -Force + Copy-Item -Path "$ModuleRoot/policyAssignments/*.*" -Destination "$DefinitionsRootFolder\policyAssignments\ALZ\" -Force } else { - Copy-Item -Path .\Scripts\CloudAdoptionFramework\policyAssignments\*.* -Destination "$DefinitionsRootFolder\policyAssignments\ALZ\" -Force + Copy-Item -Path "$PSScriptRoot/policyAssignments/*.*" -Destination "$DefinitionsRootFolder\policyAssignments\ALZ\" -Force } diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-Connectivity-Default.json b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-Connectivity-Default.json index 35a7c220..334d6a71 100644 --- a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-Connectivity-Default.json +++ b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-Connectivity-Default.json @@ -16,7 +16,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "friendlyNameToDocumentIfGuid": "Enable DDOS" + "displayName": "Enable DDOS" }, "parameters": { "effect": "Modify", 
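Review bot: The rewritten `Copy-Item` lines mix `/` in the source (`"$ModuleRoot/policyAssignments/*.*"`) with `\` in the destination and rely on PowerShell's default non-terminating error handling: if `$ModuleRoot` or `$PSScriptRoot` has no `policyAssignments` folder, the wildcard copy writes an error and the script continues as if the ALZ assignments had been synced. Build the paths consistently and fail fast, e.g. `Copy-Item -Path (Join-Path $ModuleRoot 'policyAssignments/*.*') -Destination (Join-Path $DefinitionsRootFolder 'policyAssignments/ALZ') -Force -ErrorAction Stop`, with the same treatment for the `$PSScriptRoot` branch. Because `-Force` overwrites any locally edited files (the `.jsonc` assignments in this set carry placeholders such as `--DNSZonePrefix--` that users are told to replace), a comment above the copy stating that `policyAssignments\ALZ` is regenerated on every sync and must not be hand-edited would prevent silent loss of customisations.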
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-CorpMG-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-CorpMG-Default.jsonc index 2fac412b..90199414 100644 --- a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-CorpMG-Default.jsonc +++ b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-CorpMG-Default.jsonc @@ -19,7 +19,7 @@ }, "definitionEntry": { "policySetName": "Deny-PublicPaaSEndpoints", - "friendlyNameToDocumentIfGuid": "Deny Public PaaS Endpoints" + "displayName": "Deny Public PaaS Endpoints" }, "nonComplianceMessages": [ { @@ -36,7 +36,7 @@ }, "definitionEntry": { "policySetName": "Deploy-Private-DNS-Zones", - "friendlyNameToDocumentIfGuid": "Deploy Private DNS Zones" + "displayName": "Deploy Private DNS Zones" }, "parameters": { // Replace --DNSZonePrefix-- with a value similar to diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-IdentityMG-Default.json b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-IdentityMG-Default.json index 7ee8df4e..f7ab0ce5 100644 --- a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-IdentityMG-Default.json +++ b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-IdentityMG-Default.json @@ -19,7 +19,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", - "friendlyNameToDocumentIfGuid": "Deny Public IP" + "displayName": "Deny Public IP" }, "parameters": { "listOfResourceTypesNotAllowed": [ @@ -42,7 +42,7 @@ }, "definitionEntry": { "policyName": "Deny-MgmtPorts-From-Internet", - "friendlyNameToDocumentIfGuid": "Deny Management Ports" + "displayName": "Deny Management Ports" }, "nonComplianceMessages": [ { @@ -59,7 +59,7 @@ }, "definitionEntry": { "policyName": "Deny-Subnet-Without-Nsg", - "friendlyNameToDocumentIfGuid": "Deny Subnet without NSG" + "displayName": "Deny Subnet without NSG" }, "nonComplianceMessages": [ { 
@@ -81,7 +81,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "friendlyNameToDocumentIfGuid": "Deploy VM Backup" + "displayName": "Deploy VM Backup" }, "parameters": { "exclusionTagName": "", diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-LandingZonesMG.json b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-LandingZonesMG.json index 77fa5ab8..07419d0a 100644 --- a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-LandingZonesMG.json +++ b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-LandingZonesMG.json @@ -22,7 +22,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", - "friendlyNameToDocumentIfGuid": "AKS Privilege Escalation" + "displayName": "AKS Privilege Escalation" }, "parameters": { "effect": "Deny" @@ -37,7 +37,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", - "friendlyNameToDocumentIfGuid": "AKS Privilege Containers" + "displayName": "AKS Privilege Containers" } }, { @@ -49,7 +49,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "friendlyNameToDocumentIfGuid": "AKS HTTPS Access" + "displayName": "AKS HTTPS Access" } }, { @@ -61,7 +61,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", - "friendlyNameToDocumentIfGuid": "Deploy AKS Policy" + "displayName": "Deploy AKS Policy" } } ] @@ -78,7 +78,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", - "friendlyNameToDocumentIfGuid": "Deny IP Forwarding" + "displayName": "Deny IP Forwarding" }, "nonComplianceMessages": [ { 
@@ -95,7 +95,7 @@ }, "definitionEntry": { "policyName": "Deny-Subnet-Without-Nsg", - "friendlyNameToDocumentIfGuid": "Deny Subnet without NSG" + "displayName": "Deny Subnet without NSG" }, "nonComplianceMessages": [ { @@ -112,7 +112,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", - "friendlyNameToDocumentIfGuid": "Audit DDOS Landing Zones" + "displayName": "Audit DDOS Landing Zones" }, "parameters": { "effect": "Modify", @@ -133,7 +133,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", - "friendlyNameToDocumentIfGuid": "Application Gateway with WAF" + "displayName": "Application Gateway with WAF" }, "nonComplianceMessages": [ { @@ -155,7 +155,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", - "friendlyNameToDocumentIfGuid": "Deny Storage HTTP" + "displayName": "Deny Storage HTTP" }, "parameters": { "effect": "Deny" @@ -180,7 +180,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb", - "friendlyNameToDocumentIfGuid": "Deploy SQL DB Auditing" + "displayName": "Deploy SQL DB Auditing" }, "nonComplianceMessages": [ { @@ -202,7 +202,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", - "friendlyNameToDocumentIfGuid": "Deploy VM Backup" + "displayName": "Deploy VM Backup" }, "parameters": { "exclusionTagName": "", @@ -228,7 +228,7 @@ }, "definitionEntry": { "policySetName": "Enforce-Guardrails-KeyVault", - "friendlyNameToDocumentIfGuid": "Key Vault Guardrails" + "displayName": "Key Vault Guardrails" }, "nonComplianceMessages": [ { 
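Review bot: In the `@@ -112,7 +112,7 @@` hunk of CAF-LandingZonesMG.json the renamed `"displayName": "Audit DDOS Landing Zones"` sits directly above `"effect": "Modify"` for policy `94de2ad3-…`, the same definition the Connectivity file labels `Enable DDOS` with the same `Modify` effect. A `Modify` effect alters the evaluated resources rather than only flagging them, so a name that says "Audit" understates what this assignment does in landing zones and will mislead anyone reading the generated documentation or triaging remediation tasks. Either rename it to match its behaviour, e.g. `"displayName": "Enable DDOS Landing Zones"`, or change the effect to `Audit` if an audit-only posture is what was intended for landing zones. The assignment's scope and remaining parameters are outside the hunk.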
@@ -250,7 +250,7 @@ }, "definitionEntry": { "policySetName": "Enforce-EncryptTransit", - "friendlyNameToDocumentIfGuid": "Enforce Encrypt Transit" + "displayName": "Enforce Encrypt Transit" }, "nonComplianceMessages": [ { @@ -267,7 +267,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", - "friendlyNameToDocumentIfGuid": "Deploy SQL Threat Detection" + "displayName": "Deploy SQL Threat Detection" }, "nonComplianceMessages": [ { @@ -284,7 +284,7 @@ }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", - "friendlyNameToDocumentIfGuid": "Deploy SQL TDE" + "displayName": "Deploy SQL TDE" }, "nonComplianceMessages": [ { @@ -317,7 +317,7 @@ }, "definitionEntry": { "policyName": "Deny-MgmtPorts-From-Internet", - "friendlyNameToDocumentIfGuid": "Deny Management Ports" + "displayName": "Deny Management Ports" }, "nonComplianceMessages": [ { diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-RootMG-Default.json b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-RootMG-Default.json index 1b4f9075..4043a9b3 100644 --- a/Scripts/CloudAdoptionFramework/policyAssignments/CAF-RootMG-Default.json +++ b/Scripts/CloudAdoptionFramework/policyAssignments/CAF-RootMG-Default.json @@ -26,7 +26,7 @@ }, "definitionEntry": { "policySetName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8", - "friendlyNameToDocumentIfGuid": "Microsoft Cloud Security Benchmark" + "displayName": "Microsoft Cloud Security Benchmark" }, "parameters": {}, "nonComplianceMessages": [ @@ -44,7 +44,7 @@ }, "definitionEntry": { "policySetName": "Deploy-MDFC-Config", - "friendlyNameToDocumentIfGuid": "Microsoft Defender For Cloud" + "displayName": "Microsoft Defender For Cloud" }, "parameters": { "enableAscForServers": "Disabled", 
@@ -77,7 +77,7 @@ }, "definitionEntry": { "policySetName": "e20d08c5-6d64-656d-6465-ce9e37fd0ebc", - "friendlyNameToDocumentIfGuid": "Microsoft Defender for Endpoint agent" + "displayName": "Microsoft Defender for Endpoint agent" }, "parameters": { "microsoftDefenderForEndpointWindowsVmAgentDeployEffect": "DeployIfNotExists", @@ -100,7 +100,7 @@ }, "definitionEntry": { "policySetName": "e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e", - "friendlyNameToDocumentIfGuid": "Microsoft Defender for Endpoint open-source relational databases" + "displayName": "Microsoft Defender for Endpoint open-source relational databases" }, "nonComplianceMessages": [ { @@ -117,7 +117,7 @@ }, "definitionEntry": { "policySetName": "9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97", - "friendlyNameToDocumentIfGuid": "Microsoft Defender for SQL Servers and SQL Managed Instances" + "displayName": "Microsoft Defender for SQL Servers and SQL Managed Instances" }, "nonComplianceMessages": [ { @@ -134,7 +134,7 @@ }, "definitionEntry": { "policySetName": "Enforce-ACSB", - "friendlyNameToDocumentIfGuid": "Azure Compute Security Baseline" + "displayName": "Azure Compute Security Baseline" }, "nonComplianceMessages": [ { @@ -156,7 +156,7 @@ }, "definitionEntry": { "policyName": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f", - "friendlyNameToDocumentIfGuid": "Activity Logs" + "displayName": "Activity Logs" }, "parameters": {}, "nonComplianceMessages": [ @@ -174,7 +174,7 @@ }, "definitionEntry": { "policySetName": "Deploy-Diagnostics-LogAnalytics", - "friendlyNameToDocumentIfGuid": "Resource Diagnostics" + "displayName": "Resource Diagnostics" }, "parameters": {}, "nonComplianceMessages": [ @@ -197,7 +197,7 @@ }, "definitionEntry": { "policySetName": "55f3eceb-5573-4f18-9695-226972c6d74a", - "friendlyNameToDocumentIfGuid": "VM Monitoring" + "displayName": "VM Monitoring" }, "nonComplianceMessages": [ { 
@@ -214,7 +214,7 @@ }, "definitionEntry": { "policySetName": "75714362-cae7-409e-9b99-a8e5075b7fad", - "friendlyNameToDocumentIfGuid": "VMSS Monitoring" + "displayName": "VMSS Monitoring" }, "nonComplianceMessages": [ { @@ -231,7 +231,7 @@ }, "definitionEntry": { "policyName": "06a78e20-9358-41c9-923c-fb736d382a4d", - "friendlyNameToDocumentIfGuid": "Unmanaged Disks" + "displayName": "Unmanaged Disks" }, "nonComplianceMessages": [ { @@ -259,7 +259,7 @@ }, "definitionEntry": { "policyName": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749", - "friendlyNameToDocumentIfGuid": "Deny Classic Resources" + "displayName": "Deny Classic Resources" }, "parameters": { "listOfResourceTypesNotAllowed": [ @@ -337,7 +337,7 @@ }, "definitionEntry": { "policySetName": "Audit-UnusedResourcesCostOptimization", - "friendlyNameToDocumentIfGuid": "Unused Resources" + "displayName": "Unused Resources" }, "nonComplianceMessages": [ {