AzureSecurityCenter.json - Missing effects from list of allowedValues in assignment parameters for multiple definitions

Details of the scenario you tried and the problem that is occurring

The following policies included in this initiative support "Deny" effects, however can't be used in the Microsoft Cloud Security Benchmark as the assignment parameters only support "Audit" and "Disabled".

Container registries should not allow unrestricted network access -https://www.azadvertizer.net/azpolicyadvertizer/d0793b48-0edc-4296-a390-4c75d1bdfd71.html
Public network access should be disabled for PostgreSQL servers - https://www.azadvertizer.net/azpolicyadvertizer/b52376f7-9612-48a1-81cd-1ffe4b61032c.html
Public network access should be disabled for MySQL servers - https://www.azadvertizer.net/azpolicyadvertizer/d9844e8a-1437-4aeb-a32c-0c992f056095.html
Public network access should be disabled for MariaDB servers - https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html
Azure Key Vault should have firewall enabled - https://www.azadvertizer.net/azpolicyadvertizer/55615ac9-af46-4a59-874e-391cc3dfb490.html

Verbose logs showing the problem

The value 'Deny' | is not allowed for policy parameter | 'firewallShouldBeEnabledOnKeyVaultMonitoringEffect' in policy definition | '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'Audit, | Disabled'.

New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29 Line | 29 | New-AzManagementGroupDeployment @inputObject | ~~~~~~~~~~~~ | 11:11:23 - The deployment | 'alz-PolicyAssignmentsDeployment-20231207T1112568206Z' failed with | error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny' | is not allowed for policy parameter | 'containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect' in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - The value 'Deny' is not allowed for policy parameter 'containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect' in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) CorrelationId: ca910fe7-1b99-4e90-9700-c2ee10f5d266

[error]PowerShell exited with code '1'.

New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29 Line | 29 | New-AzManagementGroupDeployment @inputObject | ~~~~~~~~~~~~ | 13:26:20 - The deployment | 'alz-PolicyAssignmentsDeployment-20231207T1312599552Z' failed with | error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny' | is not allowed for policy parameter | 'publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect' in | policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed | values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) | Status Message: At least one resource deployment operation failed. | Please list deployment operations for details. Please see | https://aka.ms/arm-deployment-operations for usage details. (Code: | DeploymentFailed) - The value 'Deny' is not allowed for policy | parameter | 'publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect' in | policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed | values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) | CorrelationId: c079c8d6-6899-4119-90bd-064b765ed42c

New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29 Line | 29 | New-AzManagementGroupDeployment @inputObject | ~~~~~~~~~~~~ | 13:08:31 - The deployment | 'alz-PolicyAssignmentsDeployment-20231207T1312092717Z' failed with | error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny' | is not allowed for policy parameter | 'publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect' | in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed | values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) | Status Message: At least one resource deployment operation failed. | Please list deployment operations for details. Please see | https://aka.ms/arm-deployment-operations for usage details. (Code: | DeploymentFailed) - The value 'Deny' is not allowed for policy | parameter | 'publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect' | in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed | values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) | CorrelationId: 9e16204a-ad06-4aae-bba8-c6c13e6d719a

New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29 Line | 29 | New-AzManagementGroupDeployment @inputObject | ~~~~~~~~~~~~ | 15:04:19 - The deployment | 'alz-PolicyAssignmentsDeployment-20231207T1512540731Z' failed with | error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny' | is not allowed for policy parameter | 'publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect' in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - The value 'Deny' is not allowed for policy parameter 'publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect' in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed) CorrelationId: 6a5ac4fc-dae3-415b-a14b-cdd5b0b10858

If policy is Guest Configuration - details about target node

N/A

Azure / azure-policy