Built-in Policy Release af243e38 (#1524)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>

Author: robga

built-in-policies/policyDefinitions/Automatic Update/Compute_virtualMachineScaleSets_Automatic_Modify.json

@@ -0,0 +1,76 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Virtual Machine Scale Sets with more than 2 availability zones should have automatic AZ rebalancing enabled",
+    "policyType": "BuiltIn",
+    "mode": "indexed",
+    "description": "This policy enables automatic AZ rebalancing for Virtual Machine Scale Sets that are otherwise zone resilient. Automatic zone rebalancing helps to ensure that your Virtual Machine Scale Sets are evenly distributed across the zones in the region.",
+    "metadata": {
+      "category": "Automatic Update",
+      "version": "1.0.0-preview",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "This parameter lets you choose the effect of the policy. If you choose Modify (default), the policy will enable automatic AZ rebalancing for all zone redundant Virtual Machine Scale Sets. If you choose Disabled, the policy will not enforce compliance (useful, for example, as a second assignment to ignore a subset of non-compliant resources in a single resource group)."
+        },
+        "allowedValues": [
+          "Modify",
+          "Disabled"
+        ],
+        "defaultValue": "Modify"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Compute/virtualMachineScaleSets"
+          },
+          {
+            "count": {
+              "field": "Microsoft.Compute/virtualMachineScaleSets/zones[*]"
+            },
+            "greater": 2
+          },
+          {
+            "field": "Microsoft.Compute/virtualMachineScaleSets/resiliencyPolicy.automaticZoneRebalancingPolicy",
+            "exists": false
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "conflictEffect": "audit",
+          "operations": [
+            {
+              "condition": "[greaterOrEquals(requestContext().apiVersion, '2024-07-01')]",
+              "operation": "addOrReplace",
+              "field": "Microsoft.Compute/virtualMachineScaleSets/resiliencyPolicy",
+              "value": {
+                "automaticZoneRebalancingPolicy": {
+                  "enabled": true,
+                  "rebalanceStrategy": "Recreate",
+                  "rebalanceBehavior": "CreateBeforeDelete"
+                }
+              }
+            }
+          ],
+          "roleDefinitionIds": [
+            "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
+          ]
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/40d17f6f-a9d2-4f1d-8c37-a699a5372a87",
+  "name": "40d17f6f-a9d2-4f1d-8c37-a699a5372a87"
+}

built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
     "metadata": {
-      "version": "3.8.0",
+      "version": "3.9.0",
       "category": "Azure Update Manager"
     },
-    "version": "3.8.0",
+    "version": "3.9.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -2130,15 +2130,15 @@
                                         "anyOf": [
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2019-l*"
+                                            "like": "cis-windows-server2019-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2022-l*"
+                                            "like": "cis-windows-server2022-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2016-l*"
+                                            "like": "cis-windows-server2016-l*"
                                           }
                                         ]
                                       }
@@ -2550,6 +2550,7 @@
       }
     },
     "versions": [
+      "3.9.0",
       "3.8.0",
       "3.7.0",
       "3.6.0",

built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
     "metadata": {
-      "version": "4.9.0",
+      "version": "4.10.0",
       "category": "Azure Update Manager"
     },
-    "version": "4.9.0",
+    "version": "4.10.0",
     "parameters": {
       "assessmentMode": {
         "type": "String",
@@ -2315,15 +2315,15 @@
                                         "anyOf": [
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2019-l*"
+                                            "like": "cis-windows-server2019-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2022-l*"
+                                            "like": "cis-windows-server2022-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2016-l*"
+                                            "like": "cis-windows-server2016-l*"
                                           }
                                         ]
                                       }
@@ -2739,6 +2739,7 @@
       }
     },
     "versions": [
+      "4.10.0",
       "4.9.0",
       "4.8.0",
       "4.7.0",

built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CustomerManagedSchedules_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites",
     "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
       "category": "Azure Update Manager"
     },
-    "version": "1.2.0",
+    "version": "1.3.0",
     "parameters": {
       "resourceGroups": {
         "type": "Array",
@@ -2419,15 +2419,15 @@
                                         "anyOf": [
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2019-l*"
+                                            "like": "cis-windows-server2019-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2022-l*"
+                                            "like": "cis-windows-server2022-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2016-l*"
+                                            "like": "cis-windows-server2016-l*"
                                           }
                                         ]
                                       }
@@ -2982,6 +2982,7 @@
       }
     },
     "versions": [
+      "1.3.0",
       "1.2.0",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching",
     "metadata": {
-      "version": "3.13.0",
+      "version": "3.14.0",
       "category": "Azure Update Manager"
     },
-    "version": "3.13.0",
+    "version": "3.14.0",
     "parameters": {
       "maintenanceConfigurationResourceId": {
         "type": "String",
@@ -2462,15 +2462,15 @@
                                         "anyOf": [
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2019-l*"
+                                            "like": "cis-windows-server2019-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2022-l*"
+                                            "like": "cis-windows-server2022-l*"
                                           },
                                           {
                                             "field": "Microsoft.Compute/imageSKU",
-                                            "like": "cis-windows-server:cis-windows-server2016-l*"
+                                            "like": "cis-windows-server2016-l*"
                                           }
                                         ]
                                       }
@@ -3028,6 +3028,7 @@
       }
     },
     "versions": [
+      "3.14.0",
       "3.13.0",
       "3.12.0",
       "3.11.0",

built-in-policies/policyDefinitions/BuiltInPolicyTest/NoAKSSpecificLabels_Versioning_Test.json

@@ -183,6 +183,7 @@
       "2.2.0",
       "2.1.0",
       "2.0.0",
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Key Vault/Certificates_Issuers_AllowedCustomCAs.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities",
+    "displayName": "Certificates should be issued by one of the specified non-integrated certificate authorities",
     "policyType": "BuiltIn",
     "mode": "Microsoft.KeyVault.Data",
     "description": "Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault.",
     "metadata": {
-      "version": "1.0.0-preview",
-      "category": "Key Vault",
-      "preview": true
+      "version": "1.0.1",
+      "category": "Key Vault"
     },
-    "version": "1.0.0-preview",
+    "version": "1.0.1",
     "parameters": {
       "caCommonNames": {
         "type": "array",
@@ -57,6 +56,7 @@
       }
     },
     "versions": [
+      "1.0.1",
       "1.0.0-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
       "category": "Monitoring"
     },
-    "version": "1.2.0",
+    "version": "1.3.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -93,7 +93,8 @@
               "westindia",
               "westus",
               "westus2",
-              "westus3"
+              "westus3",
+              "chilecentral"
             ]
           }
         ]
@@ -122,6 +123,7 @@
       }
     },
     "versions": [
+      "1.3.0",
       "1.2.0",
       "1.1.0"
     ]

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "2.4.0",
+      "version": "2.5.0",
       "category": "Monitoring"
     },
-    "version": "2.4.0",
+    "version": "2.5.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -93,7 +93,8 @@
               "westindia",
               "westus",
               "westus2",
-              "westus3"
+              "westus3",
+              "chilecentral"
             ]
           }
         ]
@@ -169,6 +170,7 @@
       }
     },
     "versions": [
+      "2.5.0",
       "2.4.0",
       "2.3.0"
     ]

built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.",
     "metadata": {
-      "version": "3.3.0",
+      "version": "3.4.0",
       "category": "Monitoring"
     },
-    "version": "3.3.0",
+    "version": "3.4.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -109,7 +109,8 @@
               "westindia",
               "westus",
               "westus2",
-              "westus3"
+              "westus3",
+              "chilecentral"
             ]
           },
           {
@@ -349,6 +350,7 @@
       }
     },
     "versions": [
+      "3.4.0",
       "3.3.0",
       "3.2.0",
       "3.1.0"