
Commit 69e0ff0

robgaAzure Policy Bot
andauthored
Built-in Policy Release af243e38 (#1524)
Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
1 parent dfe29e5 commit 69e0ff0

23 files changed

+4557
-84
lines changed
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
{
2+
"properties": {
3+
"displayName": "[Preview]: Virtual Machine Scale Sets with more than 2 availability zones should have automatic AZ rebalancing enabled",
4+
"policyType": "BuiltIn",
5+
"mode": "indexed",
6+
"description": "This policy enables automatic AZ rebalancing for Virtual Machine Scale Sets that are otherwise zone resilient. Automatic zone rebalancing helps to ensure that your Virtual Machine Scale Sets are evenly distributed across the zones in the region.",
7+
"metadata": {
8+
"category": "Automatic Update",
9+
"version": "1.0.0-preview",
10+
"preview": true
11+
},
12+
"version": "1.0.0-preview",
13+
"parameters": {
14+
"effect": {
15+
"type": "String",
16+
"metadata": {
17+
"displayName": "Effect",
18+
"description": "This parameter lets you choose the effect of the policy. If you choose Modify (default), the policy will enable automatic AZ rebalancing for all zone redundant Virtual Machine Scale Sets. If you choose Disabled, the policy will not enforce compliance (useful, for example, as a second assignment to ignore a subset of non-compliant resources in a single resource group)."
19+
},
20+
"allowedValues": [
21+
"Modify",
22+
"Disabled"
23+
],
24+
"defaultValue": "Modify"
25+
}
26+
},
27+
"policyRule": {
28+
"if": {
29+
"allOf": [
30+
{
31+
"field": "type",
32+
"equals": "Microsoft.Compute/virtualMachineScaleSets"
33+
},
34+
{
35+
"count": {
36+
"field": "Microsoft.Compute/virtualMachineScaleSets/zones[*]"
37+
},
38+
"greater": 2
39+
},
40+
{
41+
"field": "Microsoft.Compute/virtualMachineScaleSets/resiliencyPolicy.automaticZoneRebalancingPolicy",
42+
"exists": false
43+
}
44+
]
45+
},
46+
"then": {
47+
"effect": "[parameters('effect')]",
48+
"details": {
49+
"conflictEffect": "audit",
50+
"operations": [
51+
{
52+
"condition": "[greaterOrEquals(requestContext().apiVersion, '2024-07-01')]",
53+
"operation": "addOrReplace",
54+
"field": "Microsoft.Compute/virtualMachineScaleSets/resiliencyPolicy",
55+
"value": {
56+
"automaticZoneRebalancingPolicy": {
57+
"enabled": true,
58+
"rebalanceStrategy": "Recreate",
59+
"rebalanceBehavior": "CreateBeforeDelete"
60+
}
61+
}
62+
}
63+
],
64+
"roleDefinitionIds": [
65+
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
66+
]
67+
}
68+
}
69+
},
70+
"versions": [
71+
"1.0.0-PREVIEW"
72+
]
73+
},
74+
"id": "/providers/Microsoft.Authorization/policyDefinitions/40d17f6f-a9d2-4f1d-8c37-a699a5372a87",
75+
"name": "40d17f6f-a9d2-4f1d-8c37-a699a5372a87"
76+
}
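Review bot: The rule tests only that the nested `resiliencyPolicy.automaticZoneRebalancingPolicy` alias is absent, but the Modify operation does an `addOrReplace` on the parent `Microsoft.Compute/virtualMachineScaleSets/resiliencyPolicy`, so if a scale set already carries other settings under `resiliencyPolicy` they would be overwritten by the single-key object in `value`. If that nested alias is modifiable, pointing the operation at the same path the condition uses keeps the write scoped: `"field": "Microsoft.Compute/virtualMachineScaleSets/resiliencyPolicy.automaticZoneRebalancingPolicy"` with `value` reduced to the inner `{ "enabled": true, "rebalanceStrategy": "Recreate", "rebalanceBehavior": "CreateBeforeDelete" }` object. Two practitioner caveats belong in the description: `Recreate` implies instances are deleted and recreated during rebalancing (anything on local or ephemeral disks is presumably lost), and the role `9980e02c-…` granted to the assignment identity appears to be Virtual Machine Contributor, which is considerably broader than the one-property write this policy performs. The effect parameter description says the policy acts on `all zone redundant Virtual Machine Scale Sets`, while the rule only matches more than two zones; `for Virtual Machine Scale Sets spanning more than two availability zones` would match the condition. `"mode": "indexed"` is lowercase where every other definition in this commit uses `"Indexed"`; the value is presumably case-insensitive, but the repository convention is the capitalised form.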

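--- a/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
-"version": "3.8.0",
+"version": "3.9.0",
 "category": "Azure Update Manager"
 },
-"version": "3.8.0",
+"version": "3.9.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -2130,15 +2130,15 @@
 "anyOf": [
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2019-l*"
+"like": "cis-windows-server2019-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2022-l*"
+"like": "cis-windows-server2022-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2016-l*"
+"like": "cis-windows-server2016-l*"
 }
 ]
 }
@@ -2550,6 +2550,7 @@
 }
 },
 "versions": [
+"3.9.0",
 "3.8.0",
 "3.7.0",
 "3.6.0",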

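--- a/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
-"version": "4.9.0",
+"version": "4.10.0",
 "category": "Azure Update Manager"
 },
-"version": "4.9.0",
+"version": "4.10.0",
 "parameters": {
 "assessmentMode": {
 "type": "String",
@@ -2315,15 +2315,15 @@
 "anyOf": [
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2019-l*"
+"like": "cis-windows-server2019-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2022-l*"
+"like": "cis-windows-server2022-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2016-l*"
+"like": "cis-windows-server2016-l*"
 }
 ]
 }
@@ -2739,6 +2739,7 @@
 }
 },
 "versions": [
+"4.10.0",
 "4.9.0",
 "4.8.0",
 "4.7.0",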

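--- a/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CustomerManagedSchedules_DINE.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CustomerManagedSchedules_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites",
 "metadata": {
-"version": "1.2.0",
+"version": "1.3.0",
 "category": "Azure Update Manager"
 },
-"version": "1.2.0",
+"version": "1.3.0",
 "parameters": {
 "resourceGroups": {
 "type": "Array",
@@ -2419,15 +2419,15 @@
 "anyOf": [
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2019-l*"
+"like": "cis-windows-server2019-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2022-l*"
+"like": "cis-windows-server2022-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2016-l*"
+"like": "cis-windows-server2016-l*"
 }
 ]
 }
@@ -2982,6 +2982,7 @@
 }
 },
 "versions": [
+"1.3.0",
 "1.2.0",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"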

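--- a/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_DINE.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching",
 "metadata": {
-"version": "3.13.0",
+"version": "3.14.0",
 "category": "Azure Update Manager"
 },
-"version": "3.13.0",
+"version": "3.14.0",
 "parameters": {
 "maintenanceConfigurationResourceId": {
 "type": "String",
@@ -2462,15 +2462,15 @@
 "anyOf": [
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2019-l*"
+"like": "cis-windows-server2019-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2022-l*"
+"like": "cis-windows-server2022-l*"
 },
 {
 "field": "Microsoft.Compute/imageSKU",
-"like": "cis-windows-server:cis-windows-server2016-l*"
+"like": "cis-windows-server2016-l*"
 }
 ]
 }
@@ -3028,6 +3028,7 @@
 }
 },
 "versions": [
+"3.14.0",
 "3.13.0",
 "3.12.0",
 "3.11.0",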

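--- a/built-in-policies/policyDefinitions/BuiltInPolicyTest/NoAKSSpecificLabels_Versioning_Test.json
+++ b/built-in-policies/policyDefinitions/BuiltInPolicyTest/NoAKSSpecificLabels_Versioning_Test.json
@@ -183,6 +183,7 @@
 "2.2.0",
 "2.1.0",
 "2.0.0",
+"1.1.0",
 "1.0.0"
 ]
 },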

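--- a/built-in-policies/policyDefinitions/Key Vault/Certificates_Issuers_AllowedCustomCAs.json
+++ b/built-in-policies/policyDefinitions/Key Vault/Certificates_Issuers_AllowedCustomCAs.json
@@ -1,15 +1,14 @@
 {
 "properties": {
-"displayName": "[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities",
+"displayName": "Certificates should be issued by one of the specified non-integrated certificate authorities",
 "policyType": "BuiltIn",
 "mode": "Microsoft.KeyVault.Data",
 "description": "Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault.",
 "metadata": {
-"version": "1.0.0-preview",
-"category": "Key Vault",
-"preview": true
+"version": "1.0.1",
+"category": "Key Vault"
 },
-"version": "1.0.0-preview",
+"version": "1.0.1",
 "parameters": {
 "caCommonNames": {
 "type": "array",
@@ -57,6 +56,7 @@
 }
 },
 "versions": [
+"1.0.1",
 "1.0.0-PREVIEW"
 ]
 },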

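--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
-"version": "1.2.0",
+"version": "1.3.0",
 "category": "Monitoring"
 },
-"version": "1.2.0",
+"version": "1.3.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -93,7 +93,8 @@
 "westindia",
 "westus",
 "westus2",
-"westus3"
+"westus3",
+"chilecentral"
 ]
 }
 ]
@@ -122,6 +123,7 @@
 }
 },
 "versions": [
+"1.3.0",
 "1.2.0",
 "1.1.0"
 ]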

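--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
-"version": "2.4.0",
+"version": "2.5.0",
 "category": "Monitoring"
 },
-"version": "2.4.0",
+"version": "2.5.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -93,7 +93,8 @@
 "westindia",
 "westus",
 "westus2",
-"westus3"
+"westus3",
+"chilecentral"
 ]
 }
 ]
@@ -169,6 +170,7 @@
 }
 },
 "versions": [
+"2.5.0",
 "2.4.0",
 "2.3.0"
 ]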

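--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
-"version": "3.3.0",
+"version": "3.4.0",
 "category": "Monitoring"
 },
-"version": "3.3.0",
+"version": "3.4.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -109,7 +109,8 @@
 "westindia",
 "westus",
 "westus2",
-"westus3"
+"westus3",
+"chilecentral"
 ]
 },
 {
@@ -349,6 +350,7 @@
 }
 },
 "versions": [
+"3.4.0",
 "3.3.0",
 "3.2.0",
 "3.1.0"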
