Remove duplicate assignment and portal option for Azure Policy Add-on at Landing Zones scope

Author: Springstone

docs/wiki/Whats-new.md

@@ -46,6 +46,10 @@ This article will be updated as and when changes are made to the above and anyth
 
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
+### 🔃 Policy Refresh Q1 FY25
+
+- Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.
+
 ### June 2024
 
 #### Documentation

eslzArm/eslz-portal.json

@@ -831,26 +831,6 @@
                                 ]
                             }
                         },
-                        {
-                            "name": "enableAscForDns",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Enable Microsoft Defender for Cloud for DNS",
-                            "defaultValue": "Yes (recommended)",
-                            "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.<br>Uses the custom initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html\">Deploy Microsoft Defender for Cloud configuration</a>.",
-                            "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]",
-                            "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Yes (recommended)",
-                                        "value": "DeployIfNotExists"
-                                    },
-                                    {
-                                        "label": "No",
-                                        "value": "Disabled"
-                                    }
-                                ]
-                            }
-                        },
                         {
                             "name": "enableAscForContainers",
                             "type": "Microsoft.Common.OptionsGroup",
@@ -4374,30 +4354,6 @@
                                     },
                                     "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
                                 },
-                                {
-                                    "name": "enableAksPolicy",
-                                    "type": "Microsoft.Common.OptionsGroup",
-                                    "label": "Enable Kubernetes (AKS) for Azure Policy",
-                                    "defaultValue": "Yes (recommended)",
-                                    "toolTip": "If 'Yes' is selected the Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters will be enabled.<br>Uses the policy <a href=\"https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html\">Deploy Azure Policy Add-on to Azure Kubernetes Service clusters</a>.",
-                                    "constraints": {
-                                        "allowedValues": [
-                                            {
-                                                "label": "Yes (recommended)",
-                                                "value": "Yes"
-                                            },
-                                            {
-                                                "label": "Audit only",
-                                                "value": "Audit"
-                                            },
-                                            {
-                                                "label": "No",
-                                                "value": "No"
-                                            }
-                                        ]
-                                    },
-                                    "visible": true
-                                },
                                 {
                                     "name": "denyAksPrivileged",
                                     "type": "Microsoft.Common.OptionsGroup",
@@ -9073,7 +9029,6 @@
                 "enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
                 "enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
                 "enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
-                "enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
                 "denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
                 "denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
                 "denyHttpIngressForAks": "[steps('landingZones').lzSection.denyHttpIngressForAks]",

eslzArm/eslzArm.json

@@ -771,15 +771,6 @@
                 "description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring."
             }
         },
-        "enableAksPolicy": {
-            "type": "string",
-            "defaultValue": "No",
-            "allowedValues": [
-                "Yes",
-                "Audit",
-                "No"
-            ]
-        },
         "denyAksPrivileged": {
             "type": "string",
             "defaultValue": "No",
@@ -1610,7 +1601,6 @@
             "azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
             "azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
             "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
-            "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
             "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
             "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
             "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
@@ -1735,7 +1725,6 @@
             "azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
             "azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
             "azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
-            "azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
             "aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]",
             "aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]",
             "aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]",
@@ -6236,33 +6225,6 @@
                 }
             }
         },
-        {
-            // Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true
-            "condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]",
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
-            "scope": "[variables('scopes').lzsManagementGroup]",
-            "location": "[deployment().location]",
-            "dependsOn": [
-                "policyCompletion"
-            ],
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]"
-                },
-                "parameters": {
-                    "topLevelManagementGroupPrefix": {
-                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
-                    },
-                    "enforcementMode": {
-                        "value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]"
-                    }
-                }
-            }
-        },
         {
             // Assigning Aks Priv Escalation policy to landing zones management group if condition is true
             "condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]",