diff --git a/README.md b/README.md
index 8ed9d6f..cdab52b 100644
--- a/README.md
+++ b/README.md
@@ -7,12 +7,12 @@

Azure Policy as Code with Terraform

- MIT License - TF Registry
- Open in Visual Studio Code
+ Terraform Registry
+ Open in Visual Studio Code
CD Tests CI Tests
Go to topic discussions + MIT License

diff --git a/examples/README.md b/examples/README.md
index 4fb31a5..bc9a7db 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -34,6 +34,7 @@ This examples folder demonstrates an effective deployment of Azure Policy Defini
 | [org\_mg\_storage\_enforce\_https](#module\_org\_mg\_storage\_enforce\_https) | ..//modules/def_assignment | n/a |
 | [org\_mg\_storage\_enforce\_minimum\_tls1\_2](#module\_org\_mg\_storage\_enforce\_minimum\_tls1\_2) | ..//modules/def_assignment | n/a |
 | [org\_mg\_whitelist\_regions](#module\_org\_mg\_whitelist\_regions) | ..//modules/def_assignment | n/a |
+| [parameterised\_test](#module\_parameterised\_test) | ..//modules/definition | n/a |
 | [platform\_diagnostics\_initiative](#module\_platform\_diagnostics\_initiative) | ..//modules/initiative | n/a |
 | [storage\_enforce\_https](#module\_storage\_enforce\_https) | ..//modules/definition | n/a |
 | [storage\_enforce\_minimum\_tls1\_2](#module\_storage\_enforce\_minimum\_tls1\_2) | ..//modules/definition | n/a |
diff --git a/policies/Network/create_nsg_rule_append.json b/policies/Network/create_nsg_rule_append.json
deleted file mode 100644
index c8e1565..0000000
--- a/policies/Network/create_nsg_rule_append.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "create_nsg_rule_append",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "name": {
- "type": "String"
- },
- "protocol": {
- "type": "String",
- "allowedValues": [
- "TCP",
- "UDP",
- "ICMP",
- "*"
- ]
- },
- "access": {
- "type": "String",
- "allowedValues": [
- "Allow",
- "Deny"
- ]
- },
- "priority": {
- "type": "String"
- },
- "direction": {
- "type": "String",
- "allowedValues": [
- "Inbound",
- "Outbound"
- ]
- },
- "sourcePortRanges": {
- "type": "Array"
- },
- "destinationPortRanges": {
- "type": "Array"
- },
- "sourceAddressPrefixes": {
- "type": "Array"
- },
- "destinationAddressPrefixes": {
- "type": "Array"
- },
- "effect": {
- "type": "String",
- "defaultValue": "Append",
- "allowedValues": [
- "Append",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "count": {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
- "where": {
- "allOf": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
- "equals": "Deny"
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
- "equals": "Outbound"
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].priority",
- "equals": "4000"
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix",
- "equals": "Internet"
- }
- ]
- }
- },
- "less": 1
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]",
- "details": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
- "value": {
- "name": "[parameters('name')]",
- "properties": {
- "protocol": "[parameters('protocol')]",
- "sourcePortRange": "[if(equals(length(parameters('sourcePortRanges')), 1), first(parameters('sourcePortRanges')), '')]",
- "destinationPortRange": "[if(equals(length(parameters('destinationPortRanges')), 1), first(parameters('destinationPortRanges')), '')]",
- "sourceAddressPrefix": "[if(equals(length(parameters('sourceAddressPrefixes')), 1), first(parameters('sourceAddressPrefixes')), '')]",
- "destinationAddressPrefix": "[if(equals(length(parameters('destinationAddressPrefixes')), 1), first(parameters('destinationAddressPrefixes')), '')]",
- "access": "[parameters('access')]",
- "priority": "[parameters('priority')]",
- "direction": "[parameters('direction')]",
- "sourcePortRanges": "[if(greater(length(parameters('sourcePortRanges')), 1), parameters('sourcePortRanges'), take(parameters('sourcePortRanges'),0))]",
- "destinationPortRanges": "[if(greater(length(parameters('destinationPortRanges')), 1), parameters('destinationPortRanges'), take(parameters('destinationPortRanges'),0))]",
- "sourceAddressPrefixes": "[if(greater(length(parameters('sourceAddressPrefixes')), 1), parameters('sourceAddressPrefixes'), take(parameters('sourceAddressPrefixes'),0))]",
- "destinationAddressPrefixes": "[if(greater(length(parameters('destinationAddressPrefixes')), 1), parameters('destinationAddressPrefixes'), take(parameters('destinationAddressPrefixes'),0))]"
- }
- }
- }
- ]
- }
- }
- }
-}
diff --git a/policies/Network/deny_nat_rules_firewalls.json b/policies/Network/deny_nat_rules_firewalls.json
deleted file mode 100644
index 48955f6..0000000
--- a/policies/Network/deny_nat_rules_firewalls.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_nat_rules_firewalls",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- },
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "defaultValue": "Deny"
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/azureFirewalls"
- },
- {
- "not": {
- "field": "Microsoft.Network/azureFirewalls/natRuleCollections[*].name",
- "notLike": "*"
- }
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_nic_on_unapproved_vnet.json b/policies/Network/deny_nic_on_unapproved_vnet.json
deleted file mode 100644
index b42b063..0000000
--- a/policies/Network/deny_nic_on_unapproved_vnet.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_nic_on_unapproved_vnet",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- },
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "defaultValue": "Deny"
- },
- "virtualNetworkId": {
- "type": "String",
- "metadata": {
- "displayName": "Virtual network Id",
- "description": "Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkInterfaces"
- },
- {
- "not": {
- "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id",
- "like": "[concat(parameters('virtualNetworkId'),'/*')]"
- }
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_nic_public_ip_on_specific_subnets.json b/policies/Network/deny_nic_public_ip_on_specific_subnets.json
deleted file mode 100644
index aa9550b..0000000
--- a/policies/Network/deny_nic_public_ip_on_specific_subnets.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_nic_public_ip_on_specific_subnets",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "deniedSuffix": {
- "type": "String",
- "metadata": {
- "displayName": "Denied Subnet Suffix",
- "description": "NICs attached to a subnet containing this suffix will be unable to attach a Public IP"
- }
- },
- "effect": {
- "type": "String",
- "defaultValue": "Deny",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkInterfaces"
- },
- {
- "count": {
- "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
- "where": {
- "allOf": [
- {
- "value": "[substring(last(split(string(field('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id')), 'subnets/')), 0, sub(length(last(split(string(field('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id')), 'subnets/'))), 2))]",
- "like": "[concat('*', parameters('deniedSuffix'))]"
- },
- {
- "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIPAddress",
- "exists": true
- }
- ]
- }
- },
- "greater": 0
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_nsg_outbound_allow_all.json b/policies/Network/deny_nsg_outbound_allow_all.json
deleted file mode 100644
index 3cfd6c4..0000000
--- a/policies/Network/deny_nsg_outbound_allow_all.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_nsg_outbound_allow_all",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "defaultValue": "Deny",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
- },
- {
- "allOf": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
- "equals": "Allow"
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
- "equals": "Outbound"
- },
- {
- "anyOf": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
- "equals": "*"
- },
- {
- "not": {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
- "notEquals": "*"
- }
- }
- ]
- },
- {
- "anyOf": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
- "in": [
- "*",
- "Internet"
- ]
- },
- {
- "not": {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
- "notIn": [
- "*",
- "Internet"
- ]
- }
- }
- ]
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_nsgs_with_rules_with_source_inbound_any.json b/policies/Network/deny_nsgs_with_rules_with_source_inbound_any.json
deleted file mode 100644
index 870f9c9..0000000
--- a/policies/Network/deny_nsgs_with_rules_with_source_inbound_any.json
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_nsgs_with_rules_with_source_inbound_any",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "defaultValue": "Deny",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "count": {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
- "where": {
- "allOf": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
- "equals": "*"
- },
- {
- "anyOf": [
- {
- "not": {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
- "notIn": []
- }
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
- "exists": false
- }
- ]
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
- "equals": "Allow"
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
- "equals": "Inbound"
- }
- ]
- }
- },
- "greater": 0
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_pip_if_not_associated_authorised_resource.json b/policies/Network/deny_pip_if_not_associated_authorised_resource.json
deleted file mode 100644
index 1fe3f89..0000000
--- a/policies/Network/deny_pip_if_not_associated_authorised_resource.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_pip_if_not_associated_authorised_resource",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "defaultValue": "Deny",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "anyOf": [
- {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworkGateways"
- },
- {
- "not": {
- "field": "Microsoft.Network/virtualNetworkGateways/ipconfigurations[*].publicIpAddress.id",
- "exists": false
- }
- },
- {
- "not": {
- "field": "Microsoft.Network/virtualNetworkGateways/ipconfigurations[*].subnet.id",
- "contains": "/subnets/GatewaySubnet"
- }
- }
- ]
- },
- {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/azureFirewalls"
- },
- {
- "not": {
- "field": "Microsoft.Network/azureFirewalls/ipconfigurations[*].publicIpAddress.id",
- "exists": false
- }
- },
- {
- "not": {
- "field": "Microsoft.Network/azureFirewalls/ipconfigurations[*].subnet.id",
- "contains": "/subnets/AzureFirewallSubnet"
- }
- }
- ]
- },
- {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/loadBalancers"
- },
- {
- "not": {
- "field": "Microsoft.Network/loadBalancers/frontendIPConfigurations[*].publicIpAddress.id",
- "exists": false
- }
- }
- ]
- },
- {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkInterfaces"
- },
- {
- "not": {
- "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
- "exists": false
- }
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_unapproved_udr.json b/policies/Network/deny_unapproved_udr.json
deleted file mode 100644
index 2d10383..0000000
--- a/policies/Network/deny_unapproved_udr.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_unapproved_udr",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "allowedHops": {
- "type": "Array",
- "metadata": {
- "displayName": "Allowed next hops",
- "description": "A list of the permitted 'next hops' for a UDR"
- }
- },
- "effect": {
- "type": "String",
- "defaultValue": "Audit",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "contains": "Microsoft.Network/routeTables"
- },
- {
- "anyOf": [
- {
- "allOf": [
- {
- "field": "Microsoft.Network/routeTables/routes/nextHopIpAddress",
- "exists": "true"
- },
- {
- "field": "Microsoft.Network/routeTables/routes/nextHopIpAddress",
- "notIn": "[parameters('allowedHops')]"
- }
- ]
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/deny_unapproved_udr_hop_type.json b/policies/Network/deny_unapproved_udr_hop_type.json
deleted file mode 100644
index 448cd7b..0000000
--- a/policies/Network/deny_unapproved_udr_hop_type.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "deny_unapproved_udr_hop_type",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "allowedHopType1": {
- "type": "String",
- "metadata": {
- "displayName": "Allowed hop type",
- "description": "A permitted hop type for a UDR"
- }
- },
- "allowedHopType2": {
- "type": "String",
- "metadata": {
- "displayName": "Allowed hop type",
- "description": "A permitted hop type for a UDR"
- }
- },
- "allowedHopType3": {
- "type": "String",
- "metadata": {
- "displayName": "Allowed hop type",
- "description": "A permitted hop type for a UDR"
- }
- },
- "effect": {
- "type": "String",
- "defaultValue": "Audit",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "contains": "Microsoft.Network/routeTables"
- },
- {
- "anyOf": [
- {
- "allOf": [
- {
- "field": "Microsoft.Network/routeTables/routes",
- "exists": "true"
- },
- {
- "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
- "notEquals": "[parameters('allowedHopType1')]"
- },
- {
- "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
- "notEquals": "[parameters('allowedHopType2')]"
- },
- {
- "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
- "notEquals": "[parameters('allowedHopType3')]"
- }
- ]
- },
- {
- "allOf": [
- {
- "field": "Microsoft.Network/routeTables/routes/nextHopType",
- "exists": "true"
- },
- {
- "field": "Microsoft.Network/routeTables/routes/nextHopType",
- "notEquals": "[parameters('allowedHopType1')]"
- },
- {
- "field": "Microsoft.Network/routeTables/routes/nextHopType",
- "notEquals": "[parameters('allowedHopType2')]"
- },
- {
- "field": "Microsoft.Network/routeTables/routes/nextHopType",
- "notEquals": "[parameters('allowedHopType3')]"
- }
- ]
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/require_nsg_on_vnet.json b/policies/Network/require_nsg_on_vnet.json
deleted file mode 100644
index 9e6bb42..0000000
--- a/policies/Network/require_nsg_on_vnet.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "require_nsg_on_vnet",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "allowedRanges": {
- "type": "Array",
- "metadata": {
- "displayName": "Approved ranges",
- "description": "Provide the list of approved IP ranges for NSGs"
- }
- },
- "effect": {
- "type": "String",
- "defaultValue": "Audit",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "anyOf": [
- {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
- },
- {
- "anyOf": [
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
- "notin": "[parameters('allowedRanges')]"
- },
- {
- "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefix",
- "notin": "[parameters('allowedRanges')]"
- }
- ]
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/Network/restrict_vnet_peering.json b/policies/Network/restrict_vnet_peering.json
deleted file mode 100644
index eb1e63f..0000000
--- a/policies/Network/restrict_vnet_peering.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "restrict_vnet_peering",
- "properties": {
- "metadata": {
- "category": "Network"
- },
- "parameters": {
- "trustedVnetIds": {
- "type": "Array",
- "metadata": {
- "description": "Trusted vNet IDs",
- "displayName": "Trusted vNet IDs"
- },
- "defaultValue": []
- },
- "effect": {
- "type": "String",
- "defaultValue": "Audit",
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- }
- }
- },
- "policyRule": {
- "if": {
- "anyOf": [
- {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
- },
- {
- "allOf": [
- {
- "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
- "notin": "[parameters('trustedVnetIds')]"
- }
- ]
- }
- ]
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
diff --git a/policies/README.md b/policies/README.md
index 4882237..7646bbb 100644
--- a/policies/README.md
+++ b/policies/README.md
@@ -1,6 +1,6 @@ # Custom Policy Definition Library -Compile time: 04/21/2023 17:19:05 UTC +Compile time: 05/17/2023 12:18:07 UTC Example custom definitions located in the local library ## Categories
@@ -381,19 +381,19 @@ Example custom definitions located in the local library ## Monitoring -### 📜 [deploy_virtual_machine_diagnostic_setting](./Monitoring/deploy_virtual_machine_diagnostic_setting.json) +### 📜 [deploy_loadbalancer_diagnostic_setting](./Monitoring/deploy_loadbalancer_diagnostic_setting.json) | Title | Description | | ----- | ----------- | -| Name | deploy_virtual_machine_diagnostic_setting | -| DisplayName | Deploy Diagnostic Settings for Virtual Machines to a Log Analytics workspace | -| Description | Deploys the diagnostic settings for Virtual Machines to stream to a regional Log Analytics workspace when any Virtual Machine which is missing this diagnostic settings is created or updated. | +| Name | deploy_loadbalancer_diagnostic_setting | +| DisplayName | Deploy Diagnostic Settings for Load Balancers to a Log Analytics workspace | +| Description | Deploys the diagnostic settings for Load Balancers to stream to a regional Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. | | Version | | | Effect | [parameters('effect')] | #### 🧮 ~ Parameters | Name | Description | Default Value | Allowed Values | | ---- | ----------- | ------------- | -------------- | -| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled | +| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists AuditIfNotExists DeployIfNotExists Disabled | | profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | | | workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | | | storageAccountId | The Storage Account Resource Id to send activity logs | | | 
@@ -406,12 +406,12 @@ Example custom definitions located in the local library
-### 📜 [deploy_vnet_diagnostic_setting](./Monitoring/deploy_vnet_diagnostic_setting.json) +### 📜 [deploy_network_interface_diagnostic_setting](./Monitoring/deploy_network_interface_diagnostic_setting.json) | Title | Description | | ----- | ----------- | -| Name | deploy_vnet_diagnostic_setting | -| DisplayName | Deploy Diagnostic Settings for Virtual Networks to a Log Analytics workspace | -| Description | Deploys the diagnostic settings for Virtual Networks to stream to a regional Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. | +| Name | deploy_network_interface_diagnostic_setting | +| DisplayName | Deploy Diagnostic Settings for Network Interfaces to a Log Analytics workspace | +| Description | Deploys the diagnostic settings for Network Interfaces to stream to a regional Log Analytics workspace when any Network Interface which is missing this diagnostic settings is created or updated. | | Version | | | Effect | [parameters('effect')] | @@ -424,19 +424,18 @@ Example custom definitions located in the local library | storageAccountId | The Storage Account Resource Id to send activity logs | | | | eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | | | eventHubName | The EventHub name to stream activity logs to | | | -| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False | -| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False | +| metricsEnabled | Enable Metrics - True or False | True | True False |

-### 📜 [deploy_vnet_gateway_diagnostic_setting](./Monitoring/deploy_vnet_gateway_diagnostic_setting.json) +### 📜 [deploy_network_security_group_diagnostic_setting](./Monitoring/deploy_network_security_group_diagnostic_setting.json) | Title | Description | | ----- | ----------- | -| Name | deploy_vnet_gateway_diagnostic_setting | -| DisplayName | Deploy Diagnostic Settings for Virtual Network Gateways to a Log Analytics workspace | -| Description | Deploys the diagnostic settings for Virtual Network Gateways to stream to a regional Log Analytics workspace when any Virtual Network Gateway which is missing this diagnostic settings is created or updated. | +| Name | deploy_network_security_group_diagnostic_setting | +| DisplayName | Deploy Diagnostic Settings for Network Security Groups to a Log Analytics workspace | +| Description | Deploys the diagnostic settings for Network Security Groups to stream to a regional Log Analytics workspace when any Network Security Group which is missing this diagnostic settings is created or updated. | | Version | | | Effect | [parameters('effect')] | @@ -449,31 +448,31 @@ Example custom definitions located in the local library | storageAccountId | The Storage Account Resource Id to send activity logs | | | | eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | | | eventHubName | The EventHub name to stream activity logs to | | | -| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False | -| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False | +| logsEnabled | Enable Logs - True or False | True | True False |

-### 📜 [deploy_subscription_diagnostic_setting](./Monitoring/deploy_subscription_diagnostic_setting.json) +### 📜 [deploy_public_ip_diagnostic_setting](./Monitoring/deploy_public_ip_diagnostic_setting.json) | Title | Description | | ----- | ----------- | -| Name | deploy_subscription_diagnostic_setting | -| DisplayName | Deploy Diagnostic Settings for Subscriptions to a Log Analytics workspace | -| Description | Deploys the diagnostic settings for Subscriptions to stream to a regional Log Analytics workspace when any Subscription which is missing this diagnostic settings is created or updated. | +| Name | deploy_public_ip_diagnostic_setting | +| DisplayName | Deploy Diagnostic Settings for Public IPs to a Log Analytics workspace | +| Description | Deploys the diagnostic settings for Public IPs to stream to a regional Log Analytics workspace when any Public IP which is missing this diagnostic settings is created or updated. | | Version | | | Effect | [parameters('effect')] | #### 🧮 ~ Parameters | Name | Description | Default Value | Allowed Values | | ---- | ----------- | ------------- | -------------- | -| effect | Enable or disable the execution of the policy | DeployIfNotExists | DeployIfNotExists AuditIfNotExists Disabled | +| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled | | profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | | | workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | | | storageAccountId | The Storage Account Resource Id to send activity logs | | | | eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | | | eventHubName | The EventHub name to stream activity logs to | | | +| metricsEnabled | Enable Metrics - True or False | True | True False | | logsEnabled | Enable Logs - True or False | True | True False |
@@ -505,37 +504,36 @@ Example custom definitions located in the local library
-### 📜 [deploy_public_ip_diagnostic_setting](./Monitoring/deploy_public_ip_diagnostic_setting.json)
+### 📜 [deploy_subscription_diagnostic_setting](./Monitoring/deploy_subscription_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_public_ip_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Public IPs to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Public IPs to stream to a regional Log Analytics workspace when any Public IP which is missing this diagnostic settings is created or updated. |
+| Name | deploy_subscription_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Subscriptions to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Subscriptions to stream to a regional Log Analytics workspace when any Subscription which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
 #### 🧮 ~ Parameters
 | Name | Description | Default Value | Allowed Values |
 | ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled |
+| effect | Enable or disable the execution of the policy | DeployIfNotExists | DeployIfNotExists AuditIfNotExists Disabled |
 | profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | |
 | workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | |
 | storageAccountId | The Storage Account Resource Id to send activity logs | | |
 | eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
 | eventHubName | The EventHub name to stream activity logs to | | |
-| metricsEnabled | Enable Metrics - True or False | True | True False |
 | logsEnabled | Enable Logs - True or False | True | True False |

-### 📜 [deploy_network_security_group_diagnostic_setting](./Monitoring/deploy_network_security_group_diagnostic_setting.json)
+### 📜 [deploy_virtual_machine_diagnostic_setting](./Monitoring/deploy_virtual_machine_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_network_security_group_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Network Security Groups to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Network Security Groups to stream to a regional Log Analytics workspace when any Network Security Group which is missing this diagnostic settings is created or updated. |
+| Name | deploy_virtual_machine_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Virtual Machines to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Virtual Machines to stream to a regional Log Analytics workspace when any Virtual Machine which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
@@ -548,55 +546,69 @@ Example custom definitions located in the local library
 | storageAccountId | The Storage Account Resource Id to send activity logs | | |
 | eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
 | eventHubName | The EventHub name to stream activity logs to | | |
-| logsEnabled | Enable Logs - True or False | True | True False |
+| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False |
+| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False |

-### 📜 [audit_log_analytics_workspace_retention](./Monitoring/audit_log_analytics_workspace_retention.json)
+### 📜 [deploy_vnet_diagnostic_setting](./Monitoring/deploy_vnet_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | audit_log_analytics_workspace_retention |
-| DisplayName | |
-| Description | |
+| Name | deploy_vnet_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Virtual Networks to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Virtual Networks to stream to a regional Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
 #### 🧮 ~ Parameters
 | Name | Description | Default Value | Allowed Values |
 | ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | AuditIfNotExists | AuditIfNotExists Disabled |
-| workspaceRetentionDays | Log Analytics Workspace should be retained for the specified amount of days. Defaults to 15 months | 456 | |
+| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled |
+| profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | |
+| workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | |
+| storageAccountId | The Storage Account Resource Id to send activity logs | | |
+| eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
+| eventHubName | The EventHub name to stream activity logs to | | |
+| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False |
+| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False |

-### 📜 [audit_subscription_diagnostic_setting_should_exist](./Monitoring/audit_subscription_diagnostic_setting_should_exist.json)
+### 📜 [deploy_vnet_gateway_diagnostic_setting](./Monitoring/deploy_vnet_gateway_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | audit_subscription_diagnostic_setting_should_exist |
-| DisplayName | |
-| Description | |
+| Name | deploy_vnet_gateway_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Virtual Network Gateways to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Virtual Network Gateways to stream to a regional Log Analytics workspace when any Virtual Network Gateway which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
 #### 🧮 ~ Parameters
 | Name | Description | Default Value | Allowed Values |
 | ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | AuditIfNotExists | AuditIfNotExists Disabled |
+| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled |
+| profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | |
+| workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | |
+| storageAccountId | The Storage Account Resource Id to send activity logs | | |
+| eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
+| eventHubName | The EventHub name to stream activity logs to | | |
+| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False |
+| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False |

-### 📜 [deploy_application_gateway_diagnostic_setting](./Monitoring/deploy_application_gateway_diagnostic_setting.json)
+### 📜 [deploy_keyvault_diagnostic_setting](./Monitoring/deploy_keyvault_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_application_gateway_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Application Gateways to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Application Gateways to stream to a regional Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. |
+| Name | deploy_keyvault_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for KeyVaults to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for KeyVaults to stream to a regional Log Analytics workspace when any KeyVault which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
@@ -616,12 +628,12 @@ Example custom definitions located in the local library
-### 📜 [deploy_eventhub_diagnostic_setting](./Monitoring/deploy_eventhub_diagnostic_setting.json)
+### 📜 [deploy_firewall_diagnostic_setting](./Monitoring/deploy_firewall_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_eventhub_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Event Hubs to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Event Hubs to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. |
+| Name | deploy_firewall_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Firewalls to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Firewalls to stream to a regional Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
@@ -691,69 +703,56 @@ Example custom definitions located in the local library
-### 📜 [deploy_firewall_diagnostic_setting](./Monitoring/deploy_firewall_diagnostic_setting.json)
+### 📜 [audit_log_analytics_workspace_retention](./Monitoring/audit_log_analytics_workspace_retention.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_firewall_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Firewalls to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Firewalls to stream to a regional Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. |
+| Name | audit_log_analytics_workspace_retention |
+| DisplayName | |
+| Description | |
 | Version | |
 | Effect | [parameters('effect')] |
 #### 🧮 ~ Parameters
 | Name | Description | Default Value | Allowed Values |
 | ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled |
-| profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | |
-| workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | |
-| storageAccountId | The Storage Account Resource Id to send activity logs | | |
-| eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
-| eventHubName | The EventHub name to stream activity logs to | | |
-| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False |
-| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False |
+| effect | Enable or disable the execution of the policy | AuditIfNotExists | AuditIfNotExists Disabled |
+| workspaceRetentionDays | Log Analytics Workspace should be retained for the specified amount of days. Defaults to 15 months | 456 | |

-### 📜 [deploy_keyvault_diagnostic_setting](./Monitoring/deploy_keyvault_diagnostic_setting.json)
+### 📜 [audit_subscription_diagnostic_setting_should_exist](./Monitoring/audit_subscription_diagnostic_setting_should_exist.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_keyvault_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for KeyVaults to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for KeyVaults to stream to a regional Log Analytics workspace when any KeyVault which is missing this diagnostic settings is created or updated. |
+| Name | audit_subscription_diagnostic_setting_should_exist |
+| DisplayName | |
+| Description | |
 | Version | |
 | Effect | [parameters('effect')] |
 #### 🧮 ~ Parameters
 | Name | Description | Default Value | Allowed Values |
 | ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled |
-| profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | |
-| workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | |
-| storageAccountId | The Storage Account Resource Id to send activity logs | | |
-| eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
-| eventHubName | The EventHub name to stream activity logs to | | |
-| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False |
-| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False |
+| effect | Enable or disable the execution of the policy | AuditIfNotExists | AuditIfNotExists Disabled |

-### 📜 [deploy_loadbalancer_diagnostic_setting](./Monitoring/deploy_loadbalancer_diagnostic_setting.json)
+### 📜 [deploy_application_gateway_diagnostic_setting](./Monitoring/deploy_application_gateway_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_loadbalancer_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Load Balancers to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Load Balancers to stream to a regional Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. |
+| Name | deploy_application_gateway_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Application Gateways to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Application Gateways to stream to a regional Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
 #### 🧮 ~ Parameters
 | Name | Description | Default Value | Allowed Values |
 | ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists AuditIfNotExists DeployIfNotExists Disabled |
+| effect | Enable or disable the execution of the policy | DeployIfNotExists | AuditIfNotExists DeployIfNotExists Disabled |
 | profileName | The diagnostic settings profile name | setbypolicy_Diagnostics | |
 | workspaceId | Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID. | | |
 | storageAccountId | The Storage Account Resource Id to send activity logs | | |
@@ -766,12 +765,12 @@ Example custom definitions located in the local library
-### 📜 [deploy_network_interface_diagnostic_setting](./Monitoring/deploy_network_interface_diagnostic_setting.json)
+### 📜 [deploy_eventhub_diagnostic_setting](./Monitoring/deploy_eventhub_diagnostic_setting.json)
 | Title | Description |
 | ----- | ----------- |
-| Name | deploy_network_interface_diagnostic_setting |
-| DisplayName | Deploy Diagnostic Settings for Network Interfaces to a Log Analytics workspace |
-| Description | Deploys the diagnostic settings for Network Interfaces to stream to a regional Log Analytics workspace when any Network Interface which is missing this diagnostic settings is created or updated. |
+| Name | deploy_eventhub_diagnostic_setting |
+| DisplayName | Deploy Diagnostic Settings for Event Hubs to a Log Analytics workspace |
+| Description | Deploys the diagnostic settings for Event Hubs to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. |
 | Version | |
 | Effect | [parameters('effect')] |
@@ -784,7 +783,8 @@ Example custom definitions located in the local library
 | storageAccountId | The Storage Account Resource Id to send activity logs | | |
 | eventHubAuthorizationRuleId | The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule} | | |
 | eventHubName | The EventHub name to stream activity logs to | | |
-| metricsEnabled | Enable Metrics - True or False | True | True False |
+| metricsEnabled | Whether to enable metrics stream to the Log Analytics workspace - True or False | False | True False |
+| logsEnabled | Whether to enable logs stream to the Log Analytics workspace - True or False | True | True False |
@@ -794,89 +794,6 @@ Example custom definitions located in the local library
 ## Network
-### 📜 [create_nsg_rule_append](./Network/create_nsg_rule_append.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | create_nsg_rule_append |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| name | | | |
-| protocol | | | TCP UDP ICMP * |
-| access | | | Allow Deny |
-| priority | | | |
-| direction | | | Inbound Outbound |
-| sourcePortRanges | | | |
-| destinationPortRanges | | | |
-| sourceAddressPrefixes | | | |
-| destinationAddressPrefixes | | | |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Append | Append Disabled |
-
-
-
-
-
-### 📜 [deny_nat_rules_firewalls](./Network/deny_nat_rules_firewalls.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_nat_rules_firewalls |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Deny | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [deny_nic_on_unapproved_vnet](./Network/deny_nic_on_unapproved_vnet.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_nic_on_unapproved_vnet |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Deny | Audit Deny Disabled |
-| virtualNetworkId | Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name | | |
-
-
-
-
-
-### 📜 [deny_nic_public_ip_on_specific_subnets](./Network/deny_nic_public_ip_on_specific_subnets.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_nic_public_ip_on_specific_subnets |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| deniedSuffix | NICs attached to a subnet containing this suffix will be unable to attach a Public IP | | |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Deny | Audit Deny Disabled |
-
-
-
-
-
 ### 📜 [deny_nic_public_ip](./Network/deny_nic_public_ip.json)
 | Title | Description |
 | ----- | ----------- |
@@ -895,161 +812,10 @@ Example custom definitions located in the local library
-### 📜 [deny_nsg_outbound_allow_all](./Network/deny_nsg_outbound_allow_all.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_nsg_outbound_allow_all |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Deny | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [deny_nsgs_with_rules_with_source_inbound_any](./Network/deny_nsgs_with_rules_with_source_inbound_any.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_nsgs_with_rules_with_source_inbound_any |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Deny | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [deny_pip_if_not_associated_authorised_resource](./Network/deny_pip_if_not_associated_authorised_resource.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_pip_if_not_associated_authorised_resource |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Deny | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [deny_unapproved_udr_hop_type](./Network/deny_unapproved_udr_hop_type.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_unapproved_udr_hop_type |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| allowedHopType1 | A permitted hop type for a UDR | | |
-| allowedHopType2 | A permitted hop type for a UDR | | |
-| allowedHopType3 | A permitted hop type for a UDR | | |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Audit | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [deny_unapproved_udr](./Network/deny_unapproved_udr.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | deny_unapproved_udr |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| allowedHops | A list of the permitted 'next hops' for a UDR | | |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Audit | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [require_nsg_on_vnet](./Network/require_nsg_on_vnet.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | require_nsg_on_vnet |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| allowedRanges | Provide the list of approved IP ranges for NSGs | | |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Audit | Audit Deny Disabled |
-
-
-
-
-
-### 📜 [restrict_vnet_peering](./Network/restrict_vnet_peering.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | restrict_vnet_peering |
-| DisplayName | |
-| Description | |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| trustedVnetIds | Trusted vNet IDs | | |
-| effect | The effect determines what happens when the policy rule is evaluated to match | Audit | Audit Deny Disabled |
-
-
-
-
-
-
 ---
 ## Security Center
-### 📜 [auto_enroll_subscriptions](./Security%20Center/auto_enroll_subscriptions.json)
-| Title | Description |
-| ----- | ----------- |
-| Name | auto_enroll_subscriptions |
-| DisplayName | Enroll Subscriptions to Azure Security Center |
-| Description | Enroll Subscriptions to Azure Security Center Standard Pricing Tier, Note: the new Containers Plan will be replacing Container Registries and Kubernetes |
-| Version | |
-| Effect | [parameters('effect')] |
-
-#### 🧮 ~ Parameters
-| Name | Description | Default Value | Allowed Values |
-| ---- | ----------- | ------------- | -------------- |
-| effect | Enable or disable the execution of the policy | DeployIfNotExists | DeployIfNotExists AuditIfNotExists Disabled |
-| pricingTier | ASC Pricing Tier | Standard | Free Standard |
-
-
-
-
-
 ### 📜 [auto_provision_log_analytics_agent_custom_workspace](./Security%20Center/auto_provision_log_analytics_agent_custom_workspace.json)
 | Title | Description |
 | ----- | ----------- |
@@ -1161,6 +927,25 @@ Example custom definitions located in the local library
+### 📜 [auto_enroll_subscriptions](./Security%20Center/auto_enroll_subscriptions.json)
+| Title | Description |
+| ----- | ----------- |
+| Name | auto_enroll_subscriptions |
+| DisplayName | Enroll Subscriptions to Azure Security Center |
+| Description | Enroll Subscriptions to Azure Security Center Standard Pricing Tier, Note: the new Containers Plan will be replacing Container Registries and Kubernetes |
+| Version | |
+| Effect | [parameters('effect')] |
+
+#### 🧮 ~ Parameters
+| Name | Description | Default Value | Allowed Values |
+| ---- | ----------- | ------------- | -------------- |
+| effect | Enable or disable the execution of the policy | DeployIfNotExists | DeployIfNotExists AuditIfNotExists Disabled |
+| pricingTier | ASC Pricing Tier | Standard | Free Standard |
+
+
+
+
+
 ---
 ## Storage