fix: update Enforce-Encryption-CMK.json (#1926)

Co-authored-by: Zach Trocinski <[email protected]> Co-authored-by: Zach Trocinski <[email protected]> Co-authored-by: Jack Tracey <[email protected]>
Azure · Feb 18, 2025 · bfc54ce · bfc54ce
1 parent b724975
commit bfc54ce
Show file tree

Hide file tree

Showing 8 changed files with 717 additions and 26 deletions.
diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md
@@ -44,6 +44,7 @@ Policies being deprecated:
 | Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR<br>ID: `Deploy-MDFC-Arc-SQL-DCR-Association` | [`2227e1f1-23dd-4c3a-85a9-7024a401d8b2`](https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html) | Custom policy replaced by built-in requires less administration overhead |
 | Deploy User Assigned Managed Identity for VM Insights<br>ID: `Deploy-UserAssignedManagedIdentity-VMInsights` | Deprecating as it's no longer required | User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. |
 | Deploy Azure Monitor Baseline Alerts for Landing Zone<br>ID: `Alerting-LandingZone` | [`Alerting-KeyManagement`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-KeyManagement)<br>[`Alerting-LoadBalancing`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-LoadBalancing)<br>[`Alerting-NetworkChanges`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-NetworkChanges)<br>[`Alerting-RecoveryServices`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-RecoveryServices)<br>[`Alerting-Storage`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-Storage)<br>[`Alerting-VM`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-VM)<br>[`Alerting-Web`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-Web) | To provide more flexibility for future growth we are transitioning from a single Landing Zone policy initiative and instead we are adopting a modular approach by splitting the Landing Zone initiative into distinct components (initiatives) |
+| Deny or Audit resources without Encryption with a customer-managed key (CMK)<br>ID: `Enforce-Encryption-CMK` | [`Enforce-Encryption-CMK_20250218`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK_20250218.html) | The policy definition [Azure AI Search services should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/76a56461-9dc0-40f0-82f5-2453283afa2f.html) has been updated to version 2.0.0. This changes the default effect value from "Deny" to "AuditIfNotExists" while removing "Deny" from allowedValues, therefore we needed to adopt this change in our initiative. |
 
 >IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html)
 

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -1,6 +1,7 @@
 ## In this Section
 
 - [Updates](#updates)
+  - [February 2025](#february-2025)
   - [January 2025](#january-2025)
   - [🔃 Policy Refresh Q2 FY25](#-policy-refresh-q2-fy25)
   - [December 2024](#december-2024)
@@ -58,6 +59,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 - Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2025-02-05). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.
 
+#### Breaking Changes
+
+- The policy definition [Azure AI Search services should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/76a56461-9dc0-40f0-82f5-2453283afa2f.html) has been updated to version 2.0.0. This changes the default effect value from "Deny" to "AuditIfNotExists" while removing "Deny" from allowedValues, therefore we needed to adopt this change in our initiative.
+
 ### January 2025
 
 #### Tooling

diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
@@ -5408,7 +5408,7 @@
                                     "label": "Customer Managed Keys",
                                     "defaultValue": "No",
                                     "visible": true,
-                                    "toolTip": "If 'Yes' is selected you will have the option to selected management groups to apply Customer Managed Keys initiative to. This applies to all services that support CMK if enabled. Check initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html\">here</a>.",
+                                    "toolTip": "If 'Yes' is selected you will have the option to selected management groups to apply Customer Managed Keys initiative to. This applies to all services that support CMK if enabled. Check initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK_20250218.html\">here</a>.",
                                     "constraints": {
                                         "allowedValues": [
                                             {

diff --git a/...Arm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json b/...Arm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json
@@ -27,7 +27,7 @@
     },
     "variables": {
         "policyDefinitions": {
-            "enforceGuardrailsCMK": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK')]"
+            "enforceGuardrailsCMK": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK_20250218')]"
         },
         "policyAssignmentNames": {
             "enforceGuardrailsCMK": "[concat('Enforce-Encrypt-CMK', parameters('assignmentIndex'))]",

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json
@@ -5,10 +5,12 @@
     "scope": null,
     "properties": {
         "policyType": "Custom",
-        "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
-        "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
+        "displayName": "[Deprecated]: Deny or Audit resources without Encryption with a customer-managed key (CMK)",
+        "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK). Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK_20250218.html",
         "metadata": {
-            "version": "3.2.0",
+            "version": "3.2.0-deprecated",
+            "deprecated": true,
+            "supersededBy": "Enforce-Encryption-CMK_202502189",
             "category": "Encryption",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [