Update Library Templates (automated)
actions-user committed Jan 30, 2025
1 parent 394a147 commit 3c2bb61
Showing 84 changed files with 1,251 additions and 93 deletions.
Expand Up @@ -25,7 +25,7 @@
"Enforce-ASR",
"Enforce-GR-KeyVault",
"Enforce-Subnet-Private",
"Enforce-TLS-SSL-H224"
"Enforce-TLS-SSL-Q225"
],
"policy_definitions": [],
"policy_set_definitions": [],
Expand Up @@ -29,6 +29,8 @@
"Audit-PrivateLinkDnsZones",
"Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
"Audit-ServerFarms-UnusedResourcesCostOptimization",
"Audit-Tags-Mandatory-Rg",
"Audit-Tags-Mandatory",
"Deny-AA-child-resources",
"Deny-APIM-TLS",
"Deny-AppGw-Without-Tls",
Expand Down Expand Up @@ -196,6 +198,7 @@
"Enforce-Backup",
"Enforce-Encryption-CMK",
"Enforce-EncryptTransit_20240509",
"Enforce-EncryptTransit_20241211",
"Enforce-EncryptTransit",
"Enforce-Guardrails-APIM",
"Enforce-Guardrails-AppServices",
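Review bot: With `"Enforce-EncryptTransit_20241211"` added, this list now carries three generations of the same initiative side by side: `"Enforce-EncryptTransit_20240509"`, `"Enforce-EncryptTransit_20241211"` and `"Enforce-EncryptTransit"`. If this is an archetype that is actually assigned rather than a catalogue of every assignment the library ships, all three would be enforced at the same scope and a non-compliant resource would be reported under each of them; presumably the dated entry is meant to supersede its predecessors, in which case the two older names should be removed here. The enclosing array and object start outside the hunk, so confirm against the full file which list this is. By contrast the first file section replaces `"Enforce-TLS-SSL-H224"` with `"Enforce-TLS-SSL-Q225"` instead of keeping both.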
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Audit-AppGW-WAF",
"dependsOn": [],
"properties": {
"description": "Assign the WAF should be enabled for Application Gateway audit policy.",
"displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
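Review bot: The new `"definitionVersion": "2.*.*"` pins only the major version of the built-in, so minor and patch revisions are adopted by this assignment automatically and the template alone no longer tells a reviewer which revision is in force. That is the form Azure Policy expects, but it means a logic change shipped as a minor revision reaches an assignment with `"enforcementMode": "Default"` without any change in this repository, so the effective definition version should be checked periodically as part of the review cadence. It is also worth confirming that the generator derives the major number from the current built-in rather than a fixed default, since a stale major would quietly freeze the assignment on an old revision. The same applies to every other assignment section in this commit (Audit-ResourceRGLocation, Audit-ZoneResiliency and the Deny-* and Deploy-* templates); the `"apiVersion": "2024-04-01"` bump is presumably what makes the property accepted on `policyAssignments`, so the two changes should not be separated if the files are ever edited by hand.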
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Audit-ResourceRGLocation",
"dependsOn": [],
"properties": {
"description": "Resource Group and Resource locations should match.",
"displayName": "Resource Group and Resource locations should match",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
Expand Up @@ -11,7 +11,7 @@
"enforcementMode": "Default",
"nonComplianceMessages": [
{
"message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
"message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security."
}
],
"parameters": {
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Audit-ZoneResiliency",
"dependsOn": [],
"properties": {
"description": "Resources should be Zone Resilient.",
"displayName": "Resources should be Zone Resilient",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
"definitionVersion": "1.*.*-preview",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-Classic-Resources",
"dependsOn": [],
"properties": {
"description": "Denies deployment of classic resource types under the assigned scope.",
"displayName": "Deny the deployment of classic resources",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-HybridNetworking",
"dependsOn": [],
"properties": {
"description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
"displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-IP-forwarding",
"dependsOn": [],
"properties": {
Expand All @@ -13,6 +13,7 @@
}
],
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
"definitionVersion": "1.*.*",
"scope": "${current_scope_resource_id}",
"notScopes": [],
"parameters": {}
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-Priv-Esc-AKS",
"dependsOn": [],
"properties": {
"description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
"displayName": "Kubernetes clusters should not allow container privilege escalation",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
"definitionVersion": "7.*.*",
"enforcementMode": "Default",
"parameters": {
"effect": {
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-Privileged-AKS",
"dependsOn": [],
"properties": {
"description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
"displayName": "Kubernetes cluster should not allow privileged containers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
"definitionVersion": "9.*.*",
"enforcementMode": "Default",
"parameters": {
"effect": {
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-Public-IP",
"dependsOn": [],
"properties": {
"description": "This policy denies creation of Public IPs under the assigned scope.",
"displayName": "Deny the creation of public IP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-Public-IP-On-NIC",
"dependsOn": [],
"properties": {
"description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
"displayName": "Deny network interfaces having a public IP associated",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-Storage-http",
"dependsOn": [],
"properties": {
"description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
"displayName": "Secure transfer to storage accounts should be enabled",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,12 +1,13 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deny-UnmanagedDisk",
"dependsOn": [],
"properties": {
"description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
"displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-ASC-Monitoring",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Microsoft Cloud Security Benchmark policy initiative.",
"displayName": "Microsoft Cloud Security Benchmark",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
"definitionVersion": "57.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-AzActivity-Log",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events",
"displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-AzSqlDb-Auditing",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
"displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-Diag-LogsCat",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
"displayName": "Enable category group resource logging for supported resources to Log Analytics",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-Log-Analytics",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking.",
"displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
"definitionVersion": "2.*.*",
"enforcementMode": "DoNotEnforce",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-MDEndpoints",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
"displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
"definitionVersion": "1.*.*-preview",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-MDEndpointsAMA",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
"displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-MDFC-DefSQL-AMA",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).",
"displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-MDFC-OssDb",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
"displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
"definitionVersion": "1.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-MDFC-SqlAtp",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
"displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
"definitionVersion": "3.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
@@ -1,6 +1,6 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "Deploy-SQL-TDE",
"location": "${default_location}",
"dependsOn": [],
Expand All @@ -11,6 +11,7 @@
"description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.",
"displayName": "Deploy TDE on SQL servers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
"definitionVersion": "2.*.*",
"enforcementMode": "Default",
"nonComplianceMessages": [
{