Built-in Policy Release 74b1e6d3 (#1535)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>

Author: robga

built-in-policies/policyDefinitions/App Service/HostingEnvironment_LatestVersions_Audit.json

@@ -1,18 +1,19 @@
 {
   "properties": {
-    "displayName": "App Service Environment should be provisioned with latest versions",
+    "displayName": "[Deprecated]: App Service Environment should be provisioned with latest versions",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations.",
+    "description": "Only allow App Service Environment version 2 or version 3 to be provisioned. This policy is deprecated because App Service Environment v1 and v2 are retired and no longer supported. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.",
     "metadata": {
-      "version": "1.0.0",
-      "category": "App Service"
+      "version": "1.1.0-deprecated",
+      "category": "App Service",
+      "deprecated": true
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "string",
-        "defaultValue": "Audit",
+        "defaultValue": "Disabled",
         "allowedValues": [
           "Audit",
           "Deny",
@@ -42,6 +43,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Durable Task/DurableTaskSchedulerOpenIpAllowlist_AuditDeny.json

@@ -0,0 +1,56 @@
+{
+  "properties": {
+    "displayName": "Durable Task schedulers should not allow open IP allowlists",
+    "description": "Deny Durable Task schedulers that include 0.0.0.0/0 in their IP allowlist to prevent exposure to the public internet. Remove the open entry so that only trusted networks can reach the scheduler.",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Durable Task"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.DurableTask/schedulers"
+          },
+          {
+            "count": {
+              "field": "Microsoft.DurableTask/schedulers/ipAllowlist[*]",
+              "where": {
+                "field": "Microsoft.DurableTask/schedulers/ipAllowlist[*]",
+                "equals": "0.0.0.0/0"
+              }
+            },
+            "greater": 0
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/d82527a7-91cd-409f-b96e-049600b16b9e",
+  "name": "d82527a7-91cd-409f-b96e-049600b16b9e"
+}

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_AddSystemIdentity_Prerequisite.json

@@ -6,10 +6,10 @@
     "description": "Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.",
     "metadata": {
       "category": "Monitoring",
-      "version": "6.1.0-preview",
+      "version": "6.2.0-preview",
       "preview": true
     },
-    "version": "6.1.0-preview",
+    "version": "6.2.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -67,25 +67,34 @@
               "centralindia",
               "centralus",
               "centraluseuap",
+              "chilecentral",
               "eastasia",
               "eastus",
               "eastus2",
               "eastus2euap",
               "francecentral",
               "germanywestcentral",
+              "indonesiacentral",
+              "israelcentral",
+              "italynorth",
               "japaneast",
               "japanwest",
               "jioindiawest",
               "koreacentral",
               "koreasouth",
+              "malaysiawest",
+              "mexicocentral",
+              "newzealandnorth",
               "northcentralus",
               "northeurope",
               "norwayeast",
+              "polandcentral",
               "qatarcentral",
               "southafricanorth",
               "southcentralus",
               "southeastasia",
               "southindia",
+              "spaincentral",
               "swedencentral",
               "switzerlandnorth",
               "uaenorth",
@@ -716,6 +725,7 @@
       }
     },
     "versions": [
+      "6.2.0-PREVIEW",
       "6.1.0-PREVIEW",
       "6.0.0-PREVIEW"
     ]

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "3.5.0",
+      "version": "3.6.0",
       "category": "Monitoring"
     },
-    "version": "3.5.0",
+    "version": "3.6.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -64,6 +64,7 @@
               "centralindia",
               "centralus",
               "centraluseuap",
+              "chilecentral",
               "eastasia",
               "eastus",
               "eastus2",
@@ -72,6 +73,7 @@
               "francesouth",
               "germanynorth",
               "germanywestcentral",
+              "indonesiacentral",
               "israelcentral",
               "italynorth",
               "japaneast",
@@ -81,7 +83,9 @@
               "koreacentral",
               "koreasouth",
               "malaysiasouth",
+              "malaysiawest",
               "mexicocentral",
+              "newzealandnorth",
               "northcentralus",
               "northeurope",
               "norwayeast",
@@ -563,6 +567,7 @@
       }
     },
     "versions": [
+      "3.6.0",
       "3.5.0",
       "3.4.0",
       "3.3.0",

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "3.9.0",
+      "version": "3.10.0",
       "category": "Monitoring"
     },
-    "version": "3.9.0",
+    "version": "3.10.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -68,6 +68,7 @@
               "centralindia",
               "centralus",
               "centraluseuap",
+              "chilecentral",
               "eastasia",
               "eastus",
               "eastus2",
@@ -76,6 +77,7 @@
               "francesouth",
               "germanynorth",
               "germanywestcentral",
+              "indonesiacentral",
               "israelcentral",
               "italynorth",
               "japaneast",
@@ -85,7 +87,9 @@
               "koreacentral",
               "koreasouth",
               "malaysiasouth",
+              "malaysiawest",
               "mexicocentral",
+              "newzealandnorth",
               "northcentralus",
               "northeurope",
               "norwayeast",
@@ -616,6 +620,7 @@
       }
     },
     "versions": [
+      "3.10.0",
       "3.9.0",
       "3.8.0",
       "3.7.0",

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "3.10.0",
+      "version": "3.11.0",
       "category": "Monitoring"
     },
-    "version": "3.10.0",
+    "version": "3.11.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -111,6 +111,7 @@
               "centralindia",
               "centralus",
               "centraluseuap",
+              "chilecentral",
               "eastasia",
               "eastus",
               "eastus2",
@@ -119,6 +120,7 @@
               "francesouth",
               "germanynorth",
               "germanywestcentral",
+              "indonesiacentral",
               "israelcentral",
               "italynorth",
               "japaneast",
@@ -128,7 +130,9 @@
               "koreacentral",
               "koreasouth",
               "malaysiasouth",
+              "malaysiawest",
               "mexicocentral",
+              "newzealandnorth",
               "northcentralus",
               "northeurope",
               "norwayeast",
@@ -684,6 +688,7 @@
       }
     },
     "versions": [
+      "3.11.0",
       "3.10.0",
       "3.9.0",
       "3.8.0",

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "3.5.0",
+      "version": "3.6.0",
       "category": "Monitoring"
     },
-    "version": "3.5.0",
+    "version": "3.6.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -64,6 +64,7 @@
               "centralindia",
               "centralus",
               "centraluseuap",
+              "chilecentral",
               "eastasia",
               "eastus",
               "eastus2",
@@ -72,6 +73,7 @@
               "francesouth",
               "germanynorth",
               "germanywestcentral",
+              "indonesiacentral",
               "israelcentral",
               "italynorth",
               "japaneast",
@@ -81,7 +83,9 @@
               "koreacentral",
               "koreasouth",
               "malaysiasouth",
+              "malaysiawest",
               "mexicocentral",
+              "newzealandnorth",
               "northcentralus",
               "northeurope",
               "norwayeast",
@@ -563,6 +567,7 @@
       }
     },
     "versions": [
+      "3.6.0",
       "3.5.0",
       "3.4.0",
       "3.3.0",

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "3.9.0",
+      "version": "3.10.0",
       "category": "Monitoring"
     },
-    "version": "3.9.0",
+    "version": "3.10.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -68,6 +68,7 @@
               "centralindia",
               "centralus",
               "centraluseuap",
+              "chilecentral",
               "eastasia",
               "eastus",
               "eastus2",
@@ -76,6 +77,7 @@
               "francesouth",
               "germanynorth",
               "germanywestcentral",
+              "indonesiacentral",
               "israelcentral",
               "italynorth",
               "japaneast",
@@ -85,7 +87,9 @@
               "koreacentral",
               "koreasouth",
               "malaysiasouth",
+              "malaysiawest",
               "mexicocentral",
+              "newzealandnorth",
               "northcentralus",
               "northeurope",
               "norwayeast",
@@ -616,6 +620,7 @@
       }
     },
     "versions": [
+      "3.10.0",
       "3.9.0",
       "3.8.0",
       "3.7.0",