Policy Baseline Exemption Logic Needs to Live in ALZ Repo and a Flag for Azure Firewall Policy (#762)

* Policy Baseline Exemption Logic Needs to Live in ALZ Repo
* Policy Baseline Exemption Logic Needs to Live in ALZ Repo
* Policy Baseline Exemption Logic Needs to Live in ALZ Repo
* Add markdown file.
* Update markdown file.
* Update Policy Assignment Exemptions.
* Add a flag to disable or enable firewall policies deployment.
* Add a flag to disable or enable firewall policies deployment.
* Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
  Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
* Add Readme.
* Update the docs.
* Update docs.
* Update hubNetworking.bicep.md
* Update hubNetworking.bicep.md
* Add output for RouteTable and Network Security Group.
* Remove extra space.
* Remove extra space.
* Add policy exemption all and mini parameters json files.
* Add condition to policy exemption deployments

---------

Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
1 parent 8b94e70, commit ce4f9d7
Showing 11 changed files with 279 additions and 1 deletion.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Module: Policy Exemptions | ||
|
||
This module defines a Policy Exemptions. | ||
|
||
Module deploys the following resources: | ||
|
||
- Policy Exemptions | ||
|
||
## Parameters | ||
|
||
- [Link to Parameters](generateddocs/policyExemptions.bicep.md) | ||
|
||
## Outputs | ||
|
||
None | ||
|
||
## Deployment | ||
|
||
Module is intended to be called from other modules as a reusable resource. | ||
|
||
## Bicep Visualizer | ||
|
||
![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") |
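Review bot: the summary line "This module defines a Policy Exemptions." pairs a singular article with a plural noun and should read "This module defines a policy exemption." The README also never states that the module's target scope is `managementGroup` (it is set in policyExemptions.bicep), which callers need to know because the exemption is created at whichever management group the module is deployed to; a sentence under "Deployment" saying so would help. Finally, "Outputs: None" is accurate for this commit, but returning the exemption resource ID from the module would let callers reference it, and the README should be updated alongside if that is added.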
102 changes: 102 additions & 0 deletions
...as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md
@@ -0,0 +1,102 @@ | ||
# ALZ Bicep - Management Group Policy Exemptions | ||
|
||
Module used to create a policy exemption for a policy assignment in a management group | ||
|
||
## Parameters | ||
|
||
Parameter name | Required | Description | ||
-------------- | -------- | ----------- | ||
parPolicyAssignmentId | Yes | The ID of the policy set assignment for which the exemption will be established. | ||
parExemptionCategory | No | The exemption category to be used. | ||
parDescription | Yes | The description which provides context for the policy exemption. | ||
parAssignmentScopeValidation | No | Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope. | ||
parPolicyDefinitionReferenceIds | Yes | List used to specify which policy definition(s) in the initiative the subject resource has an exemption to. | ||
parExemptionName | Yes | The resource name of the policy exemption. | ||
parExemptionDisplayName | Yes | The display name of the exemption. | ||
|
||
### parPolicyAssignmentId | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) | ||
|
||
The ID of the policy set assignment for which the exemption will be established. | ||
|
||
### parExemptionCategory | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) | ||
|
||
The exemption category to be used. | ||
|
||
- Default value: `Waiver` | ||
|
||
- Allowed values: `Waiver`, `Mitigated` | ||
|
||
### parDescription | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) | ||
|
||
The description which provides context for the policy exemption. | ||
|
||
### parAssignmentScopeValidation | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) | ||
|
||
Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope. | ||
|
||
- Default value: `Default` | ||
|
||
- Allowed values: `Default`, `DoNotValidate` | ||
|
||
### parPolicyDefinitionReferenceIds | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) | ||
|
||
List used to specify which policy definition(s) in the initiative the subject resource has an exemption to. | ||
|
||
### parExemptionName | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) | ||
|
||
The resource name of the policy exemption. | ||
|
||
### parExemptionDisplayName | ||
|
||
![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) | ||
|
||
The display name of the exemption. | ||
|
||
## Snippets | ||
|
||
### Parameter file | ||
|
||
```json | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", | ||
"contentVersion": "1.0.0.0", | ||
"metadata": { | ||
"template": "infra-as-code/bicep/modules/policy/exemptions/policyExemptions.json" | ||
}, | ||
"parameters": { | ||
"parPolicyAssignmentId": { | ||
"value": "" | ||
}, | ||
"parExemptionCategory": { | ||
"value": "Waiver" | ||
}, | ||
"parDescription": { | ||
"value": "" | ||
}, | ||
"parAssignmentScopeValidation": { | ||
"value": "Default" | ||
}, | ||
"parPolicyDefinitionReferenceIds": { | ||
"value": [] | ||
}, | ||
"parExemptionName": { | ||
"value": "" | ||
}, | ||
"parExemptionDisplayName": { | ||
"value": "" | ||
} | ||
} | ||
} | ||
``` |
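Review bot: the `parAssignmentScopeValidation` description ("Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope") is hard to follow because "this validation" has no antecedent, and this is the one setting in the module that loosens a safety check, so it deserves a plain statement. Suggested wording: "Whether to validate that the exemption scope lies within the policy assignment scope. `Default` enforces the check; `DoNotValidate` skips it and allows an exemption to be created outside the assignment scope." Since this file is generated from the `@sys.description` decorators in policyExemptions.bicep, the fix belongs in the Bicep source. A minor inconsistency: the snippet's `$schema` is `2015-01-01/deploymentParameters.json#` while both parameter files added in this commit use `2019-04-01`; aligning them avoids confusion when the snippet is copied.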
Binary file added
BIN
+5.44 KB
infra-as-code/bicep/modules/policy/exemptions/media/bicepVisualizer.png
27 changes: 27 additions & 0 deletions
...a-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.all.json
@@ -0,0 +1,27 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"parPolicyAssignmentId": { | ||
"value": "/providers/microsoft.management/managementgroups/policyAssignmentScopeName/providers/microsoft.authorization/policyassignments/policyAssignmentName" | ||
}, | ||
"parExemptionCategory": { | ||
"value": "Waiver" | ||
}, | ||
"parDescription": { | ||
"value": "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included." | ||
}, | ||
"parAssignmentScopeValidation": { | ||
"value": "Default" | ||
}, | ||
"parPolicyDefinitionReferenceIds": { | ||
"value": ["AllowedLocationsForResourceGroups", "AllowedLocations"] | ||
}, | ||
"parExemptionName": { | ||
"value": "Confidential-Corp-Location-Exemption" | ||
}, | ||
"parExemptionDisplayName": { | ||
"value": "Confidential Corp Location Exemption" | ||
} | ||
} | ||
} |
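Review bot: the sample's justification ("The confidential management groups have their own location restrictions") describes the policy's intent being met by a different control, which is what the `Mitigated` exemption category is for; `Waiver` signals that the requirement is set aside outright. If the sample is meant to model that scenario, `"parExemptionCategory": { "value": "Mitigated" }` is the more accurate choice and a better pattern for users who copy this file. The description also refers to "SLZ Global Policies", which is sovereign landing zone terminology, in an ALZ repository sample; a generic description, plus a comment or README note that `policyAssignmentScopeName` and `policyAssignmentName` in `parPolicyAssignmentId` are placeholders, would be clearer for ALZ users.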
21 changes: 21 additions & 0 deletions
...a-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.min.json
@@ -0,0 +1,21 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"parPolicyAssignmentId": { | ||
"value": "/providers/microsoft.management/managementgroups/policyAssignmentScopeName/providers/microsoft.authorization/policyassignments/policyAssignmentName" | ||
}, | ||
"parDescription": { | ||
"value": "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included." | ||
}, | ||
"parPolicyDefinitionReferenceIds": { | ||
"value": ["AllowedLocationsForResourceGroups", "AllowedLocations"] | ||
}, | ||
"parExemptionName": { | ||
"value": "Confidential-Corp-Location-Exemption" | ||
}, | ||
"parExemptionDisplayName": { | ||
"value": "Confidential Corp Location Exemption" | ||
} | ||
} | ||
} |
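Review bot: this minimal file omits `parExemptionCategory` and `parAssignmentScopeValidation`, so it relies on the `Waiver` and `Default` defaults from policyExemptions.bicep; that is the point of a `.min` file, but the `parDescription` text is copied verbatim from the `.all` file, so any wording or category change made to the sample there should be mirrored here to keep the two consistent.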
46 changes: 46 additions & 0 deletions
infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
@@ -0,0 +1,46 @@ | ||
targetScope = 'managementGroup' | ||
|
||
metadata name = 'ALZ Bicep - Management Group Policy Exemptions' | ||
metadata description = 'Module used to create a policy exemption for a policy assignment in a management group' | ||
|
||
@sys.description('The ID of the policy set assignment for which the exemption will be established.') | ||
param parPolicyAssignmentId string | ||
|
||
@allowed([ | ||
'Waiver' | ||
'Mitigated' | ||
]) | ||
@sys.description('The exemption category to be used.') | ||
param parExemptionCategory string = 'Waiver' | ||
|
||
@sys.description('The description which provides context for the policy exemption.') | ||
param parDescription string | ||
|
||
@allowed([ | ||
'Default' | ||
'DoNotValidate' | ||
]) | ||
@sys.description('Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope.') | ||
param parAssignmentScopeValidation string = 'Default' | ||
|
||
@sys.description('List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.') | ||
param parPolicyDefinitionReferenceIds array | ||
|
||
@sys.description('The resource name of the policy exemption.') | ||
param parExemptionName string | ||
|
||
@sys.description('The display name of the exemption.') | ||
param parExemptionDisplayName string | ||
|
||
// Create Policy Exemption | ||
resource resPolicyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = { | ||
name: parExemptionName | ||
properties: { | ||
assignmentScopeValidation: parAssignmentScopeValidation | ||
description: parDescription | ||
displayName: parExemptionDisplayName | ||
exemptionCategory: parExemptionCategory | ||
policyAssignmentId: parPolicyAssignmentId | ||
policyDefinitionReferenceIds: parPolicyDefinitionReferenceIds | ||
} | ||
} |
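Review bot: the exemption is created without an expiry. `Microsoft.Authorization/policyExemptions` supports `properties.expiresOn`, and because the resource block never sets it, every exemption produced by this module is permanent, which is how waivers turn into long-lived policy gaps. Suggest an optional parameter, for example `param parExpiresOn string = ''`, set on the resource as `expiresOn: empty(parExpiresOn) ? null : parExpiresOn`, so callers can time-box exemptions. Two smaller points on the same block: `parPolicyDefinitionReferenceIds` has no default, so exempting an assignment of a single policy definition (where the list does not apply) forces callers to pass `[]`; a default of `[]` fits the README's "reusable resource" intent. And the `@sys.description` on `parPolicyAssignmentId` says "policy set assignment" although any policy assignment ID is accepted. The module also has no outputs; adding `output outPolicyExemptionId string = resPolicyExemption.id` would let callers reference the exemption.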