Built-in Policy Release c062cc99 (Azure#1164)

Co-authored-by: Azure Policy Bot <[email protected]>

built-in-policies/policyDefinitions/App Platform/Spring_VNETEnabled_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "App Platform"
     },
-    "version": "1.1.0",
+    "version": "1.2.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -34,7 +34,8 @@
           "Enterprise"
         ],
         "defaultValue": [
-          "Standard"
+          "Standard",
+          "Enterprise"
         ]
       }
     },

built-in-policies/policyDefinitions/Automanage/Automanage_Deploy.json

@@ -5,20 +5,19 @@
     "displayName": "[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage",
     "description": "Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope.",
     "metadata": {
-      "version": "4.1.1-deprecated",
+      "version": "4.2.1-deprecated",
       "category": "Automanage",
       "deprecated": true
     },
-    "version": "4.1.1",
+    "version": "4.2.1",
     "parameters": {
       "automanageAccount": {
         "type": "String",
         "metadata": {
           "displayName": "Automanage account",
-          "description": "The Automanage account is an Azure managed identity under which virtual machine operations are performed. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the account to the policy assignment's principal ID.",
-          "strongType": "Microsoft.Automanage/accounts",
-          "assignPermissions": true
-        }
+          "description": "The Automanage account is an Azure managed identity under which virtual machine operations are performed. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the account to the policy assignment's principal ID."
+        },
+        "defaultValue": ""
       },
       "configurationProfileAssignment": {
         "type": "String",
@@ -491,11 +490,7 @@
             "allOf": [
               {
                 "field": "Microsoft.Automanage/configurationProfileAssignments/configurationProfile",
-                "equals": "[parameters('configurationProfileAssignment')]"
-              },
-              {
-                "field": "Microsoft.Automanage/configurationProfileAssignments/accountId",
-                "equals": "[parameters('automanageAccount')]"
+                "equals": "[if(equals(parameters('configurationProfileAssignment'),'Azure virtual machine best practices – Dev/test'), '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest', '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction')]"
               }
             ]
           },
@@ -530,11 +525,10 @@
                 "resources": [
                   {
                     "type": "Microsoft.Compute/virtualMachines/providers/configurationProfileAssignments",
-                    "apiVersion": "2020-06-30-preview",
+                    "apiVersion": "[if(equals(parameters('automanageAccount'),''), '2022-05-04', '2022-05-04')]",
                     "name": "[concat(parameters('machineName'), '/Microsoft.Automanage/', 'default')]",
                     "properties": {
-                      "configurationProfile": "[parameters('configurationProfileAssignment')]",
-                      "accountId": "[parameters('automanageAccount')]"
+                      "configurationProfile": "[if(equals(parameters('configurationProfileAssignment'),'Azure virtual machine best practices – Dev/test'), '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest', '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction')]"
                     }
                   }
                 ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedHostPaths.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster pod hostPath volumes should only use allowed host paths",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "7.1.0",
+      "version": "7.1.1",
       "category": "Kubernetes"
     },
-    "version": "7.1.0",
+    "version": "7.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedProcMountType.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should only use allowed ProcMountType",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "9.1.0",
+      "version": "9.1.1",
       "category": "Kubernetes"
     },
-    "version": "9.1.0",
+    "version": "9.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedSeccompProfile.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should only use allowed seccomp profiles",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "8.1.0",
+      "version": "8.1.1",
       "category": "Kubernetes"
     },
-    "version": "8.1.0",
+    "version": "8.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedUsersGroups.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster pods and containers should only run with approved user and group IDs",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "7.1.0",
+      "version": "7.1.1",
       "category": "Kubernetes"
     },
-    "version": "7.1.0",
+    "version": "7.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedVolumeTypes.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster pods should only use allowed volume types",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "6.1.0",
+      "version": "6.1.1",
       "category": "Kubernetes"
     },
-    "version": "6.1.0",
+    "version": "6.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/EnforceAppArmorProfile.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should only use allowed AppArmor profiles",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "7.1.0",
+      "version": "7.1.1",
       "category": "Kubernetes"
     },
-    "version": "7.1.0",
+    "version": "7.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/FlexVolumeDrivers.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster pod FlexVolume volumes should only use allowed drivers",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "6.1.0",
+      "version": "6.1.1",
       "category": "Kubernetes"
     },
-    "version": "6.1.0",
+    "version": "6.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ForbiddenSysctlInterfaces.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should not use forbidden sysctl interfaces",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "8.1.0",
+      "version": "8.1.1",
       "category": "Kubernetes"
     },
-    "version": "8.1.0",
+    "version": "8.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/SELinux.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster pods and containers should only use allowed SELinux options",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "8.1.0",
+      "version": "8.1.1",
       "category": "Kubernetes"
     },
-    "version": "8.1.0",
+    "version": "8.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Data Factory/Factory_None_GIT_Audit.json

@@ -3,12 +3,12 @@
     "displayName": "Azure Data Factory should use a Git repository for source control",
     "policyType": "BuiltIn",
     "mode": "Indexed",
-    "description": "Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment.",
+    "description": "Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration.  DO NOT apply this policy on your QA / Test / Production data factories.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.0.1",
       "category": "Data Factory"
     },
-    "version": "1.0.0",
+    "version": "1.0.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Data Factory/LinkedService_ResourceType_Audit.json

@@ -5,10 +5,10 @@
     "mode": "All",
     "description": "Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Data Factory"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -50,6 +50,7 @@
           "AzureSqlDatabase",
           "AzureSqlDW",
           "AzureSqlMI",
+          "AzureSynapseArtifacts",
           "AzureTableStorage",
           "Cassandra",
           "CommonDataServiceForApps",

built-in-policies/policyDefinitions/Key Vault/Keys_KeyRotationPolicy_MaximumDaysToRotate.json

@@ -0,0 +1,61 @@
+{
+  "properties": {
+    "displayName": "Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.KeyVault.Data",
+    "description": "Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Key Vault"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "maximumDaysToRotate": {
+        "type": "Integer",
+        "metadata": {
+          "displayName": "The maximum days to rotate",
+          "description": "The maximum number of days after key creation until it must be rotated."
+        }
+      },
+      "effect": {
+        "type": "string",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant.  'Disable' turns off the policy."
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.KeyVault.Data/vaults/keys"
+          },
+          {
+            "anyOf": [
+              {
+                "field": "Microsoft.KeyVault.Data/vaults/keys/scheduledRotationDate",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.KeyVault.Data/vaults/keys/scheduledRotationDate",
+                "greater": "[addDays(field('Microsoft.KeyVault.Data/vaults/keys/attributes.createdOn'), parameters('maximumDaysToRotate'))]"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/d8cf8476-a2ec-4916-896e-992351803c44",
+  "name": "d8cf8476-a2ec-4916-896e-992351803c44"
+}

built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster pod hostPath volumes should only use allowed host paths",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "6.1.0",
+      "version": "6.1.1",
       "category": "Kubernetes"
     },
-    "version": "6.1.0",
+    "version": "6.1.1",
     "parameters": {
       "effect": {
         "type": "String",

built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json

@@ -3,12 +3,12 @@
     "displayName": "Kubernetes cluster containers should only use allowed ProcMountType",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "8.1.0",
+      "version": "8.1.1",
       "category": "Kubernetes"
     },
-    "version": "8.1.0",
+    "version": "8.1.1",
     "parameters": {
       "effect": {
         "type": "String",