New custom policy DenyAction Delete UAMI used by AMA

docs/wiki/ALZ-Policies.md

@@ -122,7 +122,7 @@ This management group contains all the platform child management groups, like ma
 | **Enable ChangeTracking and Inventory for virtual machine scale sets**\*     | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent.                                                           | DeployIfNotExists, Disabled |
 | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\*   | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent.                                                                 | DeployIfNotExists, Disabled |
 | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\*         | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers.                                                                                                                                                          | DeployIfNotExists, Disabled |
-| **Do not allow deletion of resource types**\*                                | **Do not allow deletion of resource types**                              | `Policy Definition`, **Built-in** | This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. Assigned to deny the deletion of the User Assignment Managed Identity that is used for AMA.                                                              | DenyAction |
+| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type**                              | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect.                                                                                                                                                                 | DenyAction |
 
 > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.
 

docs/wiki/Whats-new.md

@@ -45,6 +45,12 @@ This article will be updated as and when changes are made to the above and anyth
 
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
+### June 2024
+
+#### Policy
+
+- Added new custom policy [Do not allow deletion of specified resource and resource type](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management Group, it blocks delete calls using the deny action effect.
+
 ### 🆕 AMA Updates
 
 The ALZ Portal Accelerator has been enhanced with the latest AMA updates, ensuring a seamless and efficient management experience. 🚀

eslzArm/eslzArm.json

@@ -1509,7 +1509,7 @@
             "wsStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json')]",
             "wsSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json')]",
             "wsVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json')]",
-            "denyResourceDeletionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json')]"
+            "denyActionDeleteUAMIAMAPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json')]"
         },
         // Declaring deterministic deployment names
         "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
@@ -1618,7 +1618,7 @@
             "pidCuaDeploymentNameNetworkingNone": "[take(concat('pid-', variables('cuaidNetworkingNone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
             "pidCuaDeploymentNameNetworkingHubSpoke": "[take(concat('pid-', variables('cuaidNetworkingHubSpoke'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
             "pidCuaDeploymentNameNetworkingVirtualWan": "[take(concat('pid-', variables('cuaidNetworkingVirtualWan'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
-            "denyResourceDeletionPolicyDeploymentName": "[take(concat('alz-DenyResourceDeletion', variables('deploymentSuffix')), 64)]",
+            "denyActionDeleteUAMIAMAPolicyDeploymentName": "[take(concat('alz-DenyActionDeleteUAMI', variables('deploymentSuffix')), 64)]",
             // Workload Specific Compliance Initiatives
             "wsCMKDeploymentName": "[take(concat('alz-wsCMK', variables('deploymentSuffix')), 35)]",
             "wsAPIMDeploymentName": "[take(concat('alz-wsAPIM', variables('deploymentSuffix')), 35)]",
@@ -4374,7 +4374,7 @@
             "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
-            "name": "[variables('deploymentNames').denyResourceDeletionPolicyDeploymentName]",
+            "name": "[variables('deploymentNames').denyActionDeleteUAMIAMAPolicyDeploymentName]",
             "scope": "[variables('scopes').platformManagementGroup]",
             "location": "[deployment().location]",
             "dependsOn": [
@@ -4384,11 +4384,17 @@
                 "mode": "Incremental",
                 "templateLink": {
                     "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').denyResourceDeletionPolicyAssignment]"
+                    "uri": "[variables('deploymentUris').denyActionDeleteUAMIAMAPolicyAssignment]"
                 },
                 "parameters": {
-                    "listOfResourceTypesDisallowedForDeletion": {
-                        "value": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "resourceName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "resourceType": {
+                        "value": "Microsoft.ManagedIdentity/userAssignedIdentities"
                     }
                 }
             }

eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json → eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json

@@ -2,6 +2,12 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
         "enforcementMode": {
             "type": "string",
             "allowedValues": [
@@ -18,22 +24,27 @@
             ],
             "defaultValue": "DenyAction"
         },
-        "listOfResourceTypesDisallowedForDeletion": {
-            "type": "Array",
+        "resourceName": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the name of the resource that you want to protect from accidental deletion."
+            }
+        },
+        "resourceType": {
+            "type": "string",
             "metadata": {
-                "displayName": "Resource types that cannot be deleted",
-                "description": "The list of resource types that cannot be deleted."
+                "description": "Provide the resource type that you want to protect from accidental deletion."
             }
         }
     },
     "variables": {
         "policyDefinitions": {
-            "denyActionResourceDeletion": "/providers/Microsoft.Authorization/policyDefinitions/78460a36-508a-49a4-b2b2-2f5ec564f4bb"
+            "denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources')]"
         },
         "policyAssignmentNames": {
-            "denyActionResourceDeletion": "DenyAction-Resource-Del",
-            "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
-            "displayName": "Do not allow deletion of resource types"
+            "denyActionResourceDeletion": "DenyAction-DeleteUAMIAMA",
+            "description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect.",
+            "displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA"
         }
     },
     "resources": [
@@ -50,8 +61,11 @@
                     "effect": {
                         "value": "[parameters('effect')]"
                     },
-                    "listOfResourceTypesDisallowedForDeletion": {
-                        "value": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
+                    "resourceName": {
+                        "value": "[parameters('resourceName')]"
+                    },
+                    "resourceType": {
+                        "value": "[parameters('resourceType')]"
                     }
                 }
             }