Built-in Policy Release 64b24ce2 (#1493)

Co-authored-by: Azure Policy Bot <[email protected]>

Author: robga

built-in-policies/policyDefinitions/App Service/FunctionApp_Audit_AutoGeneratedDomainNameLabelScope.json

@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "Function apps should provide an auto-generated domain name label scope",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Providing an auto-generated domain name label scope for your app ensures that the app can be accessed via a unique URL. For more information, see https://aka.ms/app-service-autoGeneratedDomainNameLabelScope.",
+    "version": "1.0.0",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled",
+          "Deny"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites"
+          },
+          {
+            "field": "kind",
+            "contains": "functionapp"
+          },
+          {
+            "field": "kind",
+            "notContains": "workflowapp"
+          },
+          {
+            "field": "Microsoft.Web/sites/sku",
+            "notContains": "Isolated"
+          },
+          {
+            "field": "Microsoft.Web/sites/autoGeneratedDomainNameLabelScope",
+            "exists": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f78d1de-663e-4a6b-8dd8-791621f3b6d6",
+  "name": "5f78d1de-663e-4a6b-8dd8-791621f3b6d6"
+}

built-in-policies/policyDefinitions/App Service/FunctionApp_Slot_Audit_AutoGeneratedDomainNameLabelScope.json

@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "Function app slots should provide an auto-generated domain name label scope",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Providing an auto-generated domain name label scope for your app ensures that the app can be accessed via a unique URL. For more information, see https://aka.ms/app-service-autoGeneratedDomainNameLabelScope.",
+    "version": "1.0.0",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled",
+          "Deny"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites/slots"
+          },
+          {
+            "field": "kind",
+            "contains": "functionapp"
+          },
+          {
+            "field": "kind",
+            "notContains": "workflowapp"
+          },
+          {
+            "field": "Microsoft.Web/sites/slots/sku",
+            "notContains": "Isolated"
+          },
+          {
+            "field": "Microsoft.Web/sites/slots/autoGeneratedDomainNameLabelScope",
+            "exists": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/67da6a60-29e0-471d-b856-4cd2dee72fc0",
+  "name": "67da6a60-29e0-471d-b856-4cd2dee72fc0"
+}

built-in-policies/policyDefinitions/App Service/WebApp_Audit_AutoGeneratedDomainNameLabelScope.json

@@ -0,0 +1,54 @@
+{
+  "properties": {
+    "displayName": "App Service apps should provide an auto-generated domain name label scope",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Providing an auto-generated domain name label scope for your app ensures that the app can be accessed via a unique URL. For more information, see https://aka.ms/app-service-autoGeneratedDomainNameLabelScope.",
+    "version": "1.0.0",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled",
+          "Deny"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites"
+          },
+          {
+            "field": "Microsoft.Web/sites/sku",
+            "notContains": "Isolated"
+          },
+          {
+            "field": "Microsoft.Web/sites/autoGeneratedDomainNameLabelScope",
+            "exists": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/80a53f01-1f9a-49af-a5d5-0248e947dc8e",
+  "name": "80a53f01-1f9a-49af-a5d5-0248e947dc8e"
+}

built-in-policies/policyDefinitions/App Service/WebApp_Slot_Audit_AutoGeneratedDomainNameLabelScope.json

@@ -0,0 +1,54 @@
+{
+  "properties": {
+    "displayName": "App Service app slots should provide an auto-generated domain name label scope",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Providing an auto-generated domain name label scope for your app ensures that the app can be accessed via a unique URL. For more information, see https://aka.ms/app-service-autoGeneratedDomainNameLabelScope.",
+    "version": "1.0.0",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled",
+          "Deny"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites/slots"
+          },
+          {
+            "field": "Microsoft.Web/sites/slots/sku",
+            "notContains": "Isolated"
+          },
+          {
+            "field": "Microsoft.Web/sites/slots/autoGeneratedDomainNameLabelScope",
+            "exists": "false"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/d1a5414f-ada4-46bf-bea7-243d5100d981",
+  "name": "d1a5414f-ada4-46bf-bea7-243d5100d981"
+}

built-in-policies/policyDefinitions/Azure Ai Services/NetworkAcls_Audit.json

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service.",
     "metadata": {
-      "version": "3.2.0",
+      "version": "3.3.0",
       "category": "Azure Ai Services"
     },
-    "version": "3.2.0",
+    "version": "3.3.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -52,6 +52,10 @@
               {
                 "field": "Microsoft.Search/searchServices/publicNetworkAccess",
                 "notEquals": "Disabled"
+              },
+              {
+                "field": "Microsoft.Search/searchServices/networkRuleSet.ipRules[*].value",
+                "exists": "false"
               }
             ]
           }
@@ -62,6 +66,7 @@
       }
     },
     "versions": [
+      "3.3.0",
       "3.2.0",
       "3.1.0",
       "3.0.0"

built-in-policies/policyDefinitions/Azure Government/Kubernetes/DisallowedBadPodDisruptionBudgets.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS).",
+    "description": "Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all Deployment, StatefulSet, and PodDisruptionBudget resources scoped to it into OPA. Before applying this policy, ensure that the synced resources won't strain your memory capacity. All resources of these kinds across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS).",
     "metadata": {
-      "version": "1.2.0-preview",
+      "version": "1.2.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1-preview",
     "parameters": {
       "source": {
         "type": "String",
@@ -152,6 +152,7 @@
       }
     },
     "versions": [
+      "1.2.1-PREVIEW",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.1-PREVIEW",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ImagesDoNotUseLatest.json

@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
     "metadata": {
-      "version": "1.1.0-preview",
+      "version": "2.0.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.0-preview",
+    "version": "2.0.0-preview",
     "parameters": {
       "source": {
         "type": "String",
@@ -137,16 +137,13 @@
           "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
-            "url": "https://store.policy.azure.us/kubernetes/container-no-latest-image/v1/template.yaml"
+            "url": "https://store.policy.azure.us/kubernetes/container-no-latest-image/v2/template.yaml"
           },
           "apiGroups": [
-            "apps"
+            ""
           ],
           "kinds": [
-            "Deployment",
-            "StatefulSet",
-            "ReplicationController",
-            "ReplicaSet"
+            "Pod"
           ],
           "namespaces": "[parameters('namespaces')]",
           "excludedNamespaces": "[parameters('excludedNamespaces')]",
@@ -155,6 +152,7 @@
       }
     },
     "versions": [
+      "2.0.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json

@@ -1,15 +1,15 @@
 {
   "properties": {
-    "displayName": "[Preview]: Must Have Anti Affinity Rules Set",
+    "displayName": "[Preview]: Must Have Anti Affinity Rules or Topology Spread Constraints Set",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
+    "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules or pod topology spread constraints, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
     "metadata": {
-      "version": "1.1.0-preview",
+      "version": "1.1.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.0-preview",
+    "version": "1.1.1-preview",
     "parameters": {
       "source": {
         "type": "String",
@@ -155,6 +155,7 @@
       }
     },
     "versions": [
+      "1.1.1-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.2-PREVIEW",
       "1.0.1-PREVIEW"

built-in-policies/policyDefinitions/Azure Government/Kubernetes/UniqueServiceSelectors.json

@@ -3,13 +3,13 @@
     "displayName": "[Preview]: Kubernetes cluster services should use unique selectors",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS).",
+    "description": "Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs service resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS).",
     "metadata": {
-      "version": "1.1.0-preview",
+      "version": "1.1.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.0-preview",
+    "version": "1.1.1-preview",
     "parameters": {
       "source": {
         "type": "String",
@@ -152,6 +152,7 @@
       }
     },
     "versions": [
+      "1.1.1-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"