diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Audit.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Audit.json
index a9c56ec56..0c187e542 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Audit.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "2.0.1",
+ "version": "2.1.0",
 "category": "App Service"
 },
- "version": "2.0.1",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -47,12 +47,13 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 }
 }
 }
 },
 "versions": [
+ "2.1.0",
 "2.0.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_DINE.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_DINE.json
index e1f4744d3..fee7a5e96 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_DINE.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_DINE.json
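Review bot: The `existenceCondition` in the `@@ -47,12 +47,13 @@` hunk now requires `minTlsVersion` to equal exactly `1.3`, so every Function app that was compliant at 1.2 flips to non-compliant, yet the `@@ -5,10` hunk only moves the minor version (`2.0.1` → `2.1.0`); if this repo follows the convention that a rule-logic change bumps the major version, assignments pinned to `2.*.*` will pick up the stricter comparison without opting in. The `description` line in the same hunk is unchanged and still speaks only of "the latest TLS version"; naming the bar explicitly, e.g. `Upgrade to TLS 1.3 for Function apps ...`, would make the new requirement visible to assignees. An exact `equals` also means any value other than `1.3` (including a future higher setting) is reported as non-compliant, which is presumably intended but worth recording in the version notes. The same pattern is repeated in RequireLatestTls_FunctionApp_Slot_Audit, RequireLatestTls_WebApp_Audit, RequireLatestTls_WebApp_Slot_Audit and the four `_DINE` files in this commit.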
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.1.0",
 "category": "App Service"
 },
- "version": "1.0.1",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -47,7 +47,7 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 },
 "roleDefinitionIds": [
 "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
@@ -75,7 +75,7 @@
 "apiVersion": "2021-02-01",
 "name": "[concat(parameters('siteName'), '/web')]",
 "properties": {
- "minTlsVersion": "1.2"
+ "minTlsVersion": "1.3"
 }
 }
 ],
@@ -87,6 +87,7 @@
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_Audit.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_Audit.json
index feb21d308..63d8f5954 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_Audit.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "App Service"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "string",
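Review bot: The remediation template in the `@@ -75,7 +75,7 @@` hunk now writes `"minTlsVersion": "1.3"` while the resource keeps `"apiVersion": "2021-02-01"`; if that API version's accepted values for `minTlsVersion` stop at `1.2`, the deployIfNotExists deployment would be rejected and remediation would never bring an app to the state the `existenceCondition` in the `@@ -47,7` hunk demands, so confirm `1.3` is accepted by `2021-02-01` or raise the `apiVersion` together with the value. The `existenceCondition` value and the template value must stay in lock-step (a mismatch would make every remediated app immediately non-compliant again); they do here, but since strict JSON allows no comment, the version notes should record that both were changed together. The same `apiVersion`/value pairing appears in RequireLatestTls_FunctionApp_Slot_DINE, RequireLatestTls_WebApp_DINE and RequireLatestTls_WebApp_Slot_DINE.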
@@ -47,12 +47,13 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/slots/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 }
 }
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_DINE.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_DINE.json
index 175f132f0..66ed78a28 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_DINE.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_FunctionApp_Slot_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "App Service"
 },
- "version": "1.1.0",
+ "version": "1.2.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -47,7 +47,7 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/slots/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 },
 "roleDefinitionIds": [
 "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
@@ -81,7 +81,7 @@
 "apiVersion": "2021-02-01",
 "name": "[format('{0}/{1}/web', split(parameters('siteId'),'/')[8], parameters('siteName'))]",
 "properties": {
- "minTlsVersion": "1.2"
+ "minTlsVersion": "1.3"
 }
 }
 ],
@@ -93,6 +93,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Audit.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Audit.json
index cfeab3712..b1867c842 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Audit.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "2.0.1",
+ "version": "2.1.0",
 "category": "App Service"
 },
- "version": "2.0.1",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -43,12 +43,13 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 }
 }
 }
 },
 "versions": [
+ "2.1.0",
 "2.0.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_DINE.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_DINE.json
index 3c3dc5807..878f81fae 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_DINE.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "1.0.1",
+ "version": "1.1.0",
 "category": "App Service"
 },
- "version": "1.0.1",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -43,7 +43,7 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 },
 "roleDefinitionIds": [
 "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
@@ -71,7 +71,7 @@
 "apiVersion": "2021-02-01",
 "name": "[concat(parameters('siteName'), '/web')]",
 "properties": {
- "minTlsVersion": "1.2"
+ "minTlsVersion": "1.3"
 }
 }
 ],
@@ -83,6 +83,7 @@
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_Audit.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_Audit.json
index 48877a3d9..ba7de6afb 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_Audit.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "App Service"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -43,12 +43,13 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/slots/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 }
 }
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_DINE.json b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_DINE.json
index d86b65d36..23671ffd0 100644
--- a/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_DINE.json
+++ b/built-in-policies/policyDefinitions/App Service/RequireLatestTls_WebApp_Slot_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "App Service"
 },
- "version": "1.1.0",
+ "version": "1.2.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -43,7 +43,7 @@
 "name": "web",
 "existenceCondition": {
 "field": "Microsoft.Web/sites/slots/config/minTlsVersion",
- "equals": "1.2"
+ "equals": "1.3"
 },
 "roleDefinitionIds": [
 "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
@@ -77,7 +77,7 @@
 "apiVersion": "2021-02-01",
 "name": "[format('{0}/{1}/web', split(parameters('siteId'),'/')[8], parameters('siteName'))]",
 "properties": {
- "minTlsVersion": "1.2"
+ "minTlsVersion": "1.3"
 }
 }
 ],
@@ -89,6 +89,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/PrintMutationsAnnotations.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/PrintMutationsAnnotations.json
new file mode 100644
index 000000000..03204ba7a
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/PrintMutationsAnnotations.json
@@ -0,0 +1,160 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Prints a message if a mutation is applied",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Looks up the mutation annotations applied and prints a message if annotation exists.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable warnings",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": true
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Disabled' turns off the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ },
+ "labelSelector": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Kubernetes label selector",
+ "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+ },
+ "defaultValue": {},
+ "schema": {
+ "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+ "type": "object",
+ "properties": {
+ "matchLabels": {
+ "description": "matchLabels is a map of {key,value} pairs.",
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ "matchExpressions": {
+ "description": "matchExpressions is a list of values, a key, and an operator.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "description": "key is the label key that the selector applies to.",
+ "type": "string"
+ },
+ "operator": {
+ "description": "operator represents a key's relationship to a set of values.",
+ "type": "string",
+ "enum": [
+ "In",
+ "NotIn",
+ "Exists",
+ "DoesNotExist"
+ ]
+ },
+ "values": {
+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "key",
+ "operator"
+ ],
+ "additionalProperties": false
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "messages": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Map of mutations annotations and respective messages",
+ "description": "The annotations are mapped to respective messages that will be printed upon resource mutation"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
+ "templateInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/print-mutations-annotations/v1/template.yaml"
+ },
+ "apiGroups": [
+ ""
+ ],
+ "kinds": [
+ "Pod"
+ ],
+ "excludedNamespaces": "[parameters('excludedNamespaces')]",
+ "labelSelector": "[parameters('labelSelector')]",
+ "values": {
+ "messages": "[parameters('messages')]"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/e24df237-32cb-4a6c-a2f6-85b499cda9f2",
+ "name": "e24df237-32cb-4a6c-a2f6-85b499cda9f2"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithOutTag.json b/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithOutTag.json
index f5fdfc5ac..7b6d60b0c 100644
--- a/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithOutTag.json
+++ b/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithOutTag.json
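Review bot: The `messages` parameter in the new PrintMutationsAnnotations.json (the `"messages": {` block just before `policyRule`) is declared `"type": "Object"` with neither a `schema` nor a `defaultValue`, whereas `labelSelector` in the same file ships a full JSON schema; as written, any object shape reaches the Gatekeeper template unvalidated and a standalone assignment must always supply the value. Adding `"schema": { "type": "object", "additionalProperties": { "type": "string" } }` would reject non-string message values at assignment time, and `"defaultValue": {}` would mirror what the two AKS_Safeguards initiatives in this commit pass through. The `description` should also state the expected shape — keys are the mutation annotation keys to look up, values are the text returned to the kubectl user (presumably only when `warn` is true; confirm against the template). The file also ends without a trailing newline (`\ No newline at end of file`), which the other definition files in this diff appear to have.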
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
 "metadata": {
- "version": "9.3.0",
+ "version": "9.4.0",
 "category": "Backup"
 },
- "version": "9.3.0",
+ "version": "9.4.0",
 "parameters": {
 "exclusionTagName": {
 "type": "String",
@@ -117,7 +117,8 @@
 "2022-datacenter-core-g2",
 "2022-datacenter-core",
 "2022-datacenter-core-smalldisk-g2",
- "2022-datacenter-core-smalldisk"
+ "2022-datacenter-core-smalldisk",
+ "2022-datacenter-azure-edition-hotpatch"
 ]
 }
 ]
@@ -179,6 +180,18 @@
 }
 ]
 },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/imageOffer",
+ "equals": "sql2022-ws2022"
+ },
+ {
+ "field": "Microsoft.Compute/imageSKU",
+ "equals": "web-gen2"
+ }
+ ]
+ },
 {
 "anyOf": [
 {
@@ -591,6 +604,7 @@
 }
 },
 "versions": [
+ "9.4.0",
 "9.3.0",
 "9.2.0",
 "9.1.0"
diff --git a/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json b/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json
index 7c24473ee..68b039639 100644
--- a/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json
+++ b/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json
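Review bot: The SKU list in the `@@ -117,7 +117,8 @@` hunk gains only `2022-datacenter-azure-edition-hotpatch`, while the surrounding entries come in `-smalldisk` / `-g2` pairs; if a smalldisk or gen2 variant of the hotpatch SKU is published, VMs built from it stay outside the backup scope, so confirm the full set of hotpatch SKUs against the marketplace listing before this version ships. The new block in the `@@ -179,6 +180,18 @@` hunk matches exactly one SQL image (`"imageOffer"` `sql2022-ws2022` with `"imageSKU"` `web-gen2`) by `equals`, whereas the sibling that follows it is an `anyOf` over several SKUs; if other `sql2022-ws2022` SKUs are meant to be backed up, an `anyOf` over the SKU list here would keep the block consistent with its neighbours and avoid another version bump per SKU. The enclosing `anyOf` array that these blocks sit in starts and ends outside the hunk. The same two edits are repeated in VirtualMachineApplicationCentricBackup_DINE_WithTag, VirtualMachineBackup_DINE and VirtualMachineWithTag_DINE.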
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.",
 "metadata": {
- "version": "9.3.0",
+ "version": "9.4.0",
 "category": "Backup"
 },
- "version": "9.3.0",
+ "version": "9.4.0",
 "parameters": {
 "inclusionTagName": {
 "type": "String",
@@ -127,7 +127,8 @@
 "2022-datacenter-core-g2",
 "2022-datacenter-core",
 "2022-datacenter-core-smalldisk-g2",
- "2022-datacenter-core-smalldisk"
+ "2022-datacenter-core-smalldisk",
+ "2022-datacenter-azure-edition-hotpatch"
 ]
 }
 ]
@@ -189,6 +190,18 @@
 }
 ]
 },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/imageOffer",
+ "equals": "sql2022-ws2022"
+ },
+ {
+ "field": "Microsoft.Compute/imageSKU",
+ "equals": "web-gen2"
+ }
+ ]
+ },
 {
 "anyOf": [
 {
@@ -601,6 +614,7 @@
 }
 },
 "versions": [
+ "9.4.0",
 "9.3.0",
 "9.2.0",
 "9.1.0"
diff --git a/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json b/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json
index 1e6b99d6a..4c50baecb 100644
--- a/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json
+++ b/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.",
 "metadata": {
- "version": "9.3.0",
+ "version": "9.4.0",
 "category": "Backup"
 },
- "version": "9.3.0",
+ "version": "9.4.0",
 "parameters": {
 "vaultLocation": {
 "type": "String",
@@ -149,7 +149,8 @@
 "2022-datacenter-core-g2",
 "2022-datacenter-core",
 "2022-datacenter-core-smalldisk-g2",
- "2022-datacenter-core-smalldisk"
+ "2022-datacenter-core-smalldisk",
+ "2022-datacenter-azure-edition-hotpatch"
 ]
 }
 ]
@@ -211,6 +212,18 @@
 }
 ]
 },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/imageOffer",
+ "equals": "sql2022-ws2022"
+ },
+ {
+ "field": "Microsoft.Compute/imageSKU",
+ "equals": "web-gen2"
+ }
+ ]
+ },
 {
 "anyOf": [
 {
@@ -648,6 +661,7 @@
 }
 },
 "versions": [
+ "9.4.0",
 "9.3.0",
 "9.2.0",
 "9.1.0"
diff --git a/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json b/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json
index aede109d1..375e79bce 100644
--- a/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json
+++ b/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.",
 "metadata": {
- "version": "9.3.0",
+ "version": "9.4.0",
 "category": "Backup"
 },
- "version": "9.3.0",
+ "version": "9.4.0",
 "parameters": {
 "vaultLocation": {
 "type": "String",
@@ -134,7 +134,8 @@
 "2022-datacenter-core-g2",
 "2022-datacenter-core",
 "2022-datacenter-core-smalldisk-g2",
- "2022-datacenter-core-smalldisk"
+ "2022-datacenter-core-smalldisk",
+ "2022-datacenter-azure-edition-hotpatch"
 ]
 }
 ]
@@ -196,6 +197,18 @@
 }
 ]
 },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/imageOffer",
+ "equals": "sql2022-ws2022"
+ },
+ {
+ "field": "Microsoft.Compute/imageSKU",
+ "equals": "web-gen2"
+ }
+ ]
+ },
 {
 "anyOf": [
 {
@@ -633,6 +646,7 @@
 }
 },
 "versions": [
+ "9.4.0",
 "9.3.0",
 "9.2.0",
 "9.1.0"
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json b/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json
index daf24dcff..81e4c1852 100644
--- a/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Safeguards.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc",
 "metadata": {
- "version": "1.5.0-preview",
+ "version": "1.6.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.5.0-preview",
+ "version": "1.6.0-preview",
 "parameters": {
 "source": {
 "type": "String",
@@ -148,6 +148,14 @@
 "Disabled"
 ],
 "defaultValue": "Disabled"
+ },
+ "messages": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Map of mutations annotations and respective messages",
+ "description": "The annotations are mapped to respective messages that will be printed upon resource mutation"
+ },
+ "defaultValue": {}
 }
 },
 "policyDefinitions": [
@@ -541,9 +549,32 @@
 "value": "[parameters('source')]"
 }
 }
+ },
+ {
+ "policyDefinitionReferenceId": "printMutationsAnnotations",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e24df237-32cb-4a6c-a2f6-85b499cda9f2",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "source": {
+ "value": "[parameters('source')]"
+ },
+ "warn": {
+ "value": "[parameters('warn')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "messages": {
+ "value": "[parameters('messages')]"
+ }
+ }
 }
 ],
 "versions": [
+ "1.6.0-PREVIEW",
 "1.5.0-PREVIEW",
 "1.4.0-PREVIEW",
 "1.3.4-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json b/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json
index 480b4158c..156548141 100644
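Review bot: The new `printMutationsAnnotations` reference in the `@@ -541,9 +549,32 @@` hunk forwards the initiative-wide `[parameters('effect')]` to a definition whose own `effect` parameter only allows `Audit` and `Disabled` (see the PrintMutationsAnnotations.json added in this commit); if the initiative's `effect` parameter also allows `Deny` — as a deployment-safeguards enforcement mode would need — assigning the initiative with `Deny` would fail parameter validation on this one reference. A narrower binding avoids that coupling: either a fixed `"effect": { "value": "Audit" }`, since this is a message-only policy, or a dedicated initiative parameter such as `printMutationsEffect` restricted to `Audit`/`Disabled`. The `messages` parameter added in the `@@ -148,6 +148,14 @@` hunk defaults to `{}`, which matches the definition accepting an empty map, but its `description` should say what the keys and values are (annotation keys mapped to message strings) since nothing else documents the expected shape. The Kubernetes/AKS_Safeguards.json hunks that follow carry the same additions.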
--- a/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json
+++ b/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc",
 "metadata": {
- "version": "1.8.0-preview",
+ "version": "1.9.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.8.0-preview",
+ "version": "1.9.0-preview",
 "parameters": {
 "source": {
 "type": "String",
@@ -148,6 +148,14 @@
 "Disabled"
 ],
 "defaultValue": "Disabled"
+ },
+ "messages": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Map of mutations annotations and respective messages",
+ "description": "The annotations are mapped to respective messages that will be printed upon resource mutation"
+ },
+ "defaultValue": {}
 }
 },
 "policyDefinitions": [
@@ -541,9 +549,32 @@
 "value": "[parameters('source')]"
 }
 }
+ },
+ {
+ "policyDefinitionReferenceId": "printMutationsAnnotations",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e24df237-32cb-4a6c-a2f6-85b499cda9f2",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "source": {
+ "value": "[parameters('source')]"
+ },
+ "warn": {
+ "value": "[parameters('warn')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "messages": {
+ "value": "[parameters('messages')]"
+ }
+ }
 }
 ],
 "versions": [
+ "1.9.0-PREVIEW",
 "1.8.0-PREVIEW",
 "1.7.0-PREVIEW",
 "1.6.0-PREVIEW",