Updated from upstream (#10)

Co-authored-by: System <noreply@azure.com>

Author: matt-FFFFFF

policydefinition-deny_aa_child_resources.tf

@@ -0,0 +1,39 @@
+# This file was auto generated
+resource "azurerm_policy_definition" "deny_aa_child_resources" {
+  name         = "Deny-AA-child-resources"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "Deny-AA-child-resources"
+  description  = "Denies creation of child resources on the Automation Account"
+
+  management_group_name = var.management_group_name
+  policy_rule           = <<POLICYRULE
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "in": [
+          "Microsoft.Automation/automationAccounts/runbooks",
+          "Microsoft.Automation/automationAccounts/variables",
+          "Microsoft.Automation/automationAccounts/modules",
+          "Microsoft.Automation/automationAccounts/credentials",
+          "Microsoft.Automation/automationAccounts/connections",
+          "Microsoft.Automation/automationAccount/certificates"
+        ]
+      }
+    ]
+  },
+  "then": {
+    "effect": "deny"
+  }
+}
+POLICYRULE
+
+
+}
+
+output "policydefinition_deny_aa_child_resources" {
+  value = azurerm_policy_definition.deny_aa_child_resources
+}
+

policydefinition-deny_subnet_without_udr.tf

@@ -0,0 +1,36 @@
+# This file was auto generated
+resource "azurerm_policy_definition" "deny_subnet_without_udr" {
+  name         = "Deny-Subnet-Without-UDR"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "Deny-Subnets-Without-UDR"
+  description  = "null"
+
+  management_group_name = var.management_group_name
+  policy_rule           = <<POLICYRULE
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Network/virtualNetworks/subnets"
+      },
+      {
+        "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
+        "exists": "false"
+      }
+    ]
+  },
+  "then": {
+    "effect": "deny"
+  }
+}
+POLICYRULE
+
+
+}
+
+output "policydefinition_deny_subnet_without_udr" {
+  value = azurerm_policy_definition.deny_subnet_without_udr
+}
+

policydefinition-deploy_diagnostics_recoveryvault.tf

@@ -47,7 +47,7 @@ resource "azurerm_policy_definition" "deploy_diagnostics_recoveryvault" {
           },
           {
             "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
-            "notEquals": "[parameters('logAnalytics')]"
+            "equals": "[parameters('logAnalytics')]"
           },
           {
             "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",

policydefinition-deploy_log_analytics.tf

@@ -42,6 +42,9 @@ resource "azurerm_policy_definition" "deploy_log_analytics" {
             "rgName": {
               "value": "[parameters('rgName')]"
             },
+            "retentionInDays": {
+              "value": "[parameters('retentionInDays')]"
+            },
             "workspaceName": {
               "value": "[parameters('workspaceName')]"
             },
@@ -73,6 +76,9 @@ resource "azurerm_policy_definition" "deploy_log_analytics" {
               },
               "automationRegion": {
                 "type": "string"
+              },
+              "retentionInDays": {
+                "type": "string"
               }
             },
             "variables": {},
@@ -121,7 +127,8 @@ resource "azurerm_policy_definition" "deploy_log_analytics" {
                           "sku": {
                             "name": "pernode"
                           },
-                          "enableLogAccessUsingOnlyResourcePermissions": true
+                          "enableLogAccessUsingOnlyResourcePermissions": true,
+                          "retentionInDays": "[int(parameters('retentionInDays'))]"
                         },
                         "resources": [
                           {
@@ -183,6 +190,14 @@ POLICYRULE
       "description": "Select Azure region for Automation account"
     }
   },
+  "retentionInDays": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Data retention",
+      "description": "Select data retention (days) for Log Analytics."
+    },
+    "defaultValue": "30"
+  },
   "rgName": {
     "type": "String",
     "metadata": {

policydefinition-deploy_nsg_flowlogs.tf

@@ -4,7 +4,7 @@ resource "azurerm_policy_definition" "deploy_nsg_flowlogs" {
   policy_type  = "Custom"
   mode         = "All"
   display_name = "Deploy-Nsg-FlowLogs"
-  description  = "null"
+  description  = "Deploys NSG flow logs and traffic analytics"
 
   management_group_name = var.management_group_name
   policy_rule           = <<POLICYRULE
@@ -20,11 +20,18 @@ resource "azurerm_policy_definition" "deploy_nsg_flowlogs" {
       "roleDefinitionIds": [
         "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
       ],
-      "name": "[concat('NetworkWatcher_', field('location'), '/', 'Microsoft.Network', resourceGroup().name, field('name'))]",
       "resourceGroupName": "NetworkWatcherRG",
       "existenceCondition": {
-        "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
-        "equals": "true"
+        "allOf": [
+          {
+            "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
+            "equals": "true"
+          },
+          {
+            "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled",
+            "equals": "[parameters('flowAnalyticsEnabled')]"
+          }
+        ]
       },
       "deployment": {
         "properties": {
@@ -44,6 +51,15 @@ resource "azurerm_policy_definition" "deploy_nsg_flowlogs" {
             },
             "retention": {
               "value": "[parameters('retention')]"
+            },
+            "flowAnalyticsEnabled": {
+              "value": "[parameters('flowAnalyticsEnabled')]"
+            },
+            "trafficAnalyticsInterval": {
+              "value": "[parameters('trafficAnalyticsInterval')]"
+            },
+            "logAnalytics": {
+              "value": "[parameters('logAnalytics')]"
             }
           },
           "template": {
@@ -63,16 +79,24 @@ resource "azurerm_policy_definition" "deploy_nsg_flowlogs" {
                 "type": "string"
               },
               "retention": {
-                "type": "int",
-                "defaultValue": 5
+                "type": "int"
+              },
+              "flowAnalyticsEnabled": {
+                "type": "bool"
+              },
+              "trafficAnalyticsInterval": {
+                "type": "int"
+              },
+              "logAnalytics": {
+                "type": "string"
               }
             },
             "variables": {},
             "resources": [
               {
                 "type": "Microsoft.Network/networkWatchers/flowLogs",
-                "apiVersion": "2019-11-01",
-                "name": "[concat('NetworkWatcher_', toLower(parameters('location')), '/', 'flowLogs')]",
+                "apiVersion": "2020-05-01",
+                "name": "[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]",
                 "location": "[parameters('location')]",
                 "properties": {
                   "targetResourceId": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
@@ -85,6 +109,15 @@ resource "azurerm_policy_definition" "deploy_nsg_flowlogs" {
                   "format": {
                     "type": "JSON",
                     "version": 2
+                  },
+                  "flowAnalyticsConfiguration": {
+                    "networkWatcherFlowAnalyticsConfiguration": {
+                      "enabled": "[bool(parameters('flowAnalyticsEnabled'))]",
+                      "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]",
+                      "workspaceId": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]",
+                      "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]",
+                      "workspaceResourceId": "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]"
+                    }
                   }
                 }
               }
@@ -104,13 +137,37 @@ POLICYRULE
     "type": "Integer",
     "metadata": {
       "displayName": "Retention"
-    }
+    },
+    "defaultValue": 5
   },
   "storageAccountResourceId": {
     "type": "String",
     "metadata": {
-      "displayName": "Storage Account Resource Id"
+      "displayName": "Storage Account Resource Id",
+      "strongType": "Microsoft.Storage/storageAccounts"
     }
+  },
+  "trafficAnalyticsInterval": {
+    "type": "Integer",
+    "metadata": {
+      "displayName": "Traffic Analytics processing interval mins (10/60)"
+    },
+    "defaultValue": 60
+  },
+  "flowAnalyticsEnabled": {
+    "type": "Boolean",
+    "metadata": {
+      "displayName": "Enable Traffic Analytics"
+    },
+    "defaultValue": false
+  },
+  "logAnalytics": {
+    "type": "String",
+    "metadata": {
+      "strongType": "omsWorkspace",
+      "displayName": "Resource ID of Log Analytics workspace"
+    },
+    "defaultValue": ""
   }
 }
 PARAMETERS