Policy Baseline Exemption Logic Needs to Live in ALZ Repo and a Flag for Azure Firewall Policy #762

Merged
merged 33 commits into from
May 31, 2024
39d2699
Policy Baseline Exemption Logic Needs to Live in ALZ Repo
VeronicaSea Apr 16, 2024
a307a65
Merge branch 'main' into main
oZakari Apr 16, 2024
1f75743
Policy Baseline Exemption Logic Needs to Live in ALZ Repo
VeronicaSea Apr 19, 2024
87d958b
Merge branch 'main' of https://github.com/VeronicaSea/ALZ-Bicep
VeronicaSea Apr 19, 2024
19de7d6
Policy Baseline Exemption Logic Needs to Live in ALZ Repo
VeronicaSea Apr 19, 2024
57649a2
Add mmarkdown file.
VeronicaSea Apr 19, 2024
e3d2ba2
Merge branch 'Azure:main' into main
VeronicaSea Apr 30, 2024
ab3f46e
Update markdown file.
VeronicaSea Apr 30, 2024
5874c4a
Merge branch 'Azure:main' into main
VeronicaSea May 1, 2024
55613ef
Update Policy Assignment Exemptions.
VeronicaSea May 1, 2024
713ef25
Merge branch 'main' of https://github.com/VeronicaSea/ALZ-Bicep
VeronicaSea May 1, 2024
e0de718
Add a flag to disable or enable firewall policies deployment.
VeronicaSea May 6, 2024
1bded93
Add a flag to disable or enable firewall policies deployment.
VeronicaSea May 6, 2024
720f47a
Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alz…
VeronicaSea May 7, 2024
2cdba43
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
971cde7
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
a5193e4
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
72459da
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
c60717e
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
3dbed79
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
12d6a85
Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions…
VeronicaSea May 7, 2024
043a245
Add Readme.
VeronicaSea May 28, 2024
f6d1bdf
Update the docs.
VeronicaSea May 28, 2024
55f36a7
Update docs.
VeronicaSea May 28, 2024
90e2423
Merge branch 'Azure:main' into main
VeronicaSea May 28, 2024
ed9470c
Update hubNetworking.bicep.md
VeronicaSea May 28, 2024
e08da2a
Update hubNetworking.bicep.md
VeronicaSea May 28, 2024
0fdccc1
Add output for RouteTable and Network Security Group.
VeronicaSea May 28, 2024
dfc242f
Merge branch 'main' of https://github.com/VeronicaSea/ALZ-Bicep
VeronicaSea May 28, 2024
97d3b32
Remove extra space.
VeronicaSea May 28, 2024
86aebf9
Remove extra space.
VeronicaSea May 29, 2024
aa67230
Add policy exemption all and mini parameters json files.
VeronicaSea May 29, 2024
3624fe0
Add condition to policy exemption deployments
oZakari May 31, 2024
Expand Up @@ -28,6 +28,7 @@ parDdosPlanName | No | DDoS Plan Name.
parDdosLock | No | Resource Lock Configuration for DDoS Plan. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.
parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deployment.
parAzFirewallName | No | Azure Firewall Name.
parAzFirewallPoliciesEnabled | No | Switch to enable/disable Azure Firewall Policies deployment.
parAzFirewallPoliciesName | No | Azure Firewall Policies Name.
parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy.
parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.
Expand Down Expand Up @@ -252,6 +253,14 @@ Azure Firewall Name.

- Default value: `[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]`

### parAzFirewallPoliciesEnabled

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Switch to enable/disable Azure Firewall Policies deployment.

- Default value: `True`

### parAzFirewallPoliciesName

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
Expand Down Expand Up @@ -495,6 +504,10 @@ outPrivateDnsZonesNames | array |
outDdosPlanResourceId | string |
outHubVirtualNetworkName | string |
outHubVirtualNetworkId | string |
outHubRouteTableId | string |
outHubRouteTableName | string |
outBastionNsgId | string |
outBastionNsgName | string |

## Snippets

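Review bot: the Description column is empty for all four new outputs (outHubRouteTableId, outHubRouteTableName, outBastionNsgId, outBastionNsgName); this table is generated, so the fix belongs in hubNetworking.bicep as a `@sys.description(...)` on each output, e.g. `@sys.description('Resource ID of the hub route table; empty string when parAzFirewallEnabled is false.')`, which also tells callers about the empty-string case.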
Expand Down Expand Up @@ -611,6 +624,9 @@ outHubVirtualNetworkId | string |
"parAzFirewallName": {
"value": "[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]"
},
"parAzFirewallPoliciesEnabled": {
"value": true
},
"parAzFirewallPoliciesName": {
"value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]"
},
Expand Up @@ -160,6 +160,9 @@ param parAzFirewallEnabled bool = true
@sys.description('Azure Firewall Name.')
param parAzFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}'

@sys.description('Switch to enable/disable Azure Firewall Policies deployment.')
param parAzFirewallPoliciesEnabled bool = true

@sys.description('Azure Firewall Policies Name.')
param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}'

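Review bot: the description 'Switch to enable/disable Azure Firewall Policies deployment.' does not say that the switch only takes effect when parAzFirewallEnabled is also true, which is how the resource condition later in this file is written; state it here so the generated README carries it, e.g. `@sys.description('Switch to enable/disable Azure Firewall Policies deployment. Only applies when parAzFirewallEnabled is true.')`.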
Expand Down Expand Up @@ -853,7 +856,7 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire
}
}

resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled) {
resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled && parAzFirewallPoliciesEnabled) {
name: parAzFirewallPoliciesName
location: parLocation
tags: parTags
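Review bot: with `parAzFirewallEnabled && parAzFirewallPoliciesEnabled` as the condition, setting parAzFirewallPoliciesEnabled to false leaves a hub firewall deployed without the policy this module previously always created. Check that every other reference to resFirewallPolicies in the template (in particular the firewall's `firewallPolicy` property, if it points at `resFirewallPolicies.id`) is guarded by the same combined condition, since a reference to a conditionally deployed resource can fail at deployment time when the condition is false, and document what the caller is expected to attach to the firewall instead.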
Expand Down Expand Up @@ -1068,3 +1071,7 @@ output outPrivateDnsZonesNames array = (parPrivateDnsZonesEnabled ? modPrivateDn
output outDdosPlanResourceId string = resDdosProtectionPlan.id
output outHubVirtualNetworkName string = resHubVnet.name
output outHubVirtualNetworkId string = resHubVnet.id
output outHubRouteTableId string = parAzFirewallEnabled ? resHubRouteTable.id : ''
output outHubRouteTableName string = parAzFirewallEnabled ? resHubRouteTable.name : ''
output outBastionNsgId string = parAzBastionEnabled ? resBastionNsg.id : ''
output outBastionNsgName string = parAzBastionEnabled ? resBastionNsg.name : ''
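Review bot: the new outputs return `''` when the parent feature is disabled, so a caller that passes outHubRouteTableId or outBastionNsgId straight into a resource ID property gets an invalid ID rather than a clear error; acceptable if documented, so say so in the output descriptions. Also note that outHubRouteTableId and outHubRouteTableName are keyed on parAzFirewallEnabled rather than on a route-table switch of their own, which is only correct if resHubRouteTable itself is conditional on that same parameter.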
Expand Up @@ -1655,3 +1655,31 @@ module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyA
parTelemetryOptOut: parTelemetryOptOut
}
}

// The following module is used to deploy the policy exemptions
module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions.bicep' = if (parLandingZoneMgConfidentialEnable) {
scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline)
name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64)
params: {
parPolicyAssignmentId: modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId
parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations']
parExemptionName: 'Confidential-Online-Location-Exemption'
parExemptionDisplayName: 'Confidential Online Location Exemption'
parDescription: 'Exempt the confidential online management group from the SLZ Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.'
}
dependsOn: [modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf]
}

// The following module is used to deploy the policy exemptions
module modPolicyExemptionsConfidentialCorp '../../exemptions/policyExemptions.bicep' = if (parLandingZoneMgConfidentialEnable) {
scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp)
name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64)
params: {
parPolicyAssignmentId: modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId
parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations']
parExemptionName: 'Confidential-Corp-Location-Exemption'
parExemptionDisplayName: 'Confidential Corp Location Exemption'
parDescription: 'Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.'
}
dependsOn: [modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf]
}
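Review bot: both modules use the same deployment name, `take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64)`; they target different management groups so they will not collide, but identical names make the deployment history hard to read, so include the landing zone in the name (e.g. `-deploy-policy-exemptions-confidential-online`). Both exemptions also take the module's default category (Waiver) with no expiry, which for a location-restriction exemption is worth stating explicitly via parExemptionCategory; the two `parDescription` strings differ only in wording ('SLZ Global location policies' vs 'SLZ Global Policies location policies'), so align them; and the two identical `// The following module is used to deploy the policy exemptions` comments should each say which exemption they deploy.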
Expand Up @@ -136,6 +136,12 @@ Set Parameter to true to Opt-out of deployment telemetry

- Default value: `False`

## Outputs

Name | Type | Description
---- | ---- | -----------
outPolicyAssignmentId | string |

## Snippets

### Parameter file
Expand Up @@ -143,3 +143,5 @@ module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaId
name: 'pid-${varCuaid}-${uniqueString(deployment().location, parPolicyAssignmentName)}'
params: {}
}

output outPolicyAssignmentId string = resPolicyAssignment.id
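Review bot: `output outPolicyAssignmentId string = resPolicyAssignment.id` has no `@sys.description`, which is why the generated README table above lists it with an empty Description column; add e.g. `@sys.description('Resource ID of the policy assignment.')` on the line before the output.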
23 changes: 23 additions & 0 deletions infra-as-code/bicep/modules/policy/exemptions/README.md
@@ -0,0 +1,23 @@
# Module: Policy Exemptions

This module defines a Policy Exemptions.

Module deploys the following resources:

- Policy Exemptions

## Parameters

- [Link to Parameters](generateddocs/policyExemptions.bicep.md)

## Outputs

None

## Deployment

Module is intended to be called from other modules as a reusable resource.

## Bicep Visualizer

![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
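Review bot: 'This module defines a Policy Exemptions.' should read 'a Policy Exemption'. The Outputs section says None, which matches policyExemptions.bicep as submitted, but a consumer that needs to reference the exemption (for instance to verify it was created against the expected assignment) would benefit from an `outPolicyExemptionId` output. The image is referenced at media/bicepVisualizer.png; confirm that file is part of this PR.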
@@ -0,0 +1,102 @@
# ALZ Bicep - Management Group Policy Exemptions

Module used to create a policy exemption for a policy assignment in a management group

## Parameters

Parameter name | Required | Description
-------------- | -------- | -----------
parPolicyAssignmentId | Yes | The ID of the policy set assignment for which the exemption will be established.
parExemptionCategory | No | The exemption category to be used.
parDescription | Yes | The description which provides context for the policy exemption.
parAssignmentScopeValidation | No | Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope.
parPolicyDefinitionReferenceIds | Yes | List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.
parExemptionName | Yes | The resource name of the policy exemption.
parExemptionDisplayName | Yes | The display name of the exemption.

### parPolicyAssignmentId

![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)

The ID of the policy set assignment for which the exemption will be established.

### parExemptionCategory

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

The exemption category to be used.

- Default value: `Waiver`

- Allowed values: `Waiver`, `Mitigated`

### parDescription

![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)

The description which provides context for the policy exemption.

### parAssignmentScopeValidation

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope.

- Default value: `Default`

- Allowed values: `Default`, `DoNotValidate`

### parPolicyDefinitionReferenceIds

![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)

List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.

### parExemptionName

![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)

The resource name of the policy exemption.

### parExemptionDisplayName

![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)

The display name of the exemption.

## Snippets

### Parameter file

```json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"template": "infra-as-code/bicep/modules/policy/exemptions/policyExemptions.json"
},
"parameters": {
"parPolicyAssignmentId": {
"value": ""
},
"parExemptionCategory": {
"value": "Waiver"
},
"parDescription": {
"value": ""
},
"parAssignmentScopeValidation": {
"value": "Default"
},
"parPolicyDefinitionReferenceIds": {
"value": []
},
"parExemptionName": {
"value": ""
},
"parExemptionDisplayName": {
"value": ""
}
}
}
```
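Review bot: parPolicyAssignmentId is documented as 'The ID of the policy set assignment', but the exemption resource works for any policy assignment, and parPolicyDefinitionReferenceIds is listed as required even though reference IDs only apply when the assignment is an initiative; since this file is generated from policyExemptions.bicep, fix the wording there and consider `= []` as the default. The parAssignmentScopeValidation text 'Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope.' is hard to follow; say what is validated: whether the exemption scope must be at or under the assignment scope (`Default`) or that check is skipped (`DoNotValidate`).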
@@ -0,0 +1,27 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parPolicyAssignmentId": {
"value": "/providers/microsoft.management/managementgroups/policyAssignmentScopeName/providers/microsoft.authorization/policyassignments/policyAssignmentName"
},
"parExemptionCategory": {
"value": "Waiver"
},
"parDescription": {
"value": "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
},
"parAssignmentScopeValidation": {
"value": "Default"
},
"parPolicyDefinitionReferenceIds": {
"value": ["AllowedLocationsForResourceGroups", "AllowedLocations"]
},
"parExemptionName": {
"value": "Confidential-Corp-Location-Exemption"
},
"parExemptionDisplayName": {
"value": "Confidential Corp Location Exemption"
}
}
}
@@ -0,0 +1,21 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parPolicyAssignmentId": {
"value": "/providers/microsoft.management/managementgroups/policyAssignmentScopeName/providers/microsoft.authorization/policyassignments/policyAssignmentName"
},
"parDescription": {
"value": "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
},
"parPolicyDefinitionReferenceIds": {
"value": ["AllowedLocationsForResourceGroups", "AllowedLocations"]
},
"parExemptionName": {
"value": "Confidential-Corp-Location-Exemption"
},
"parExemptionDisplayName": {
"value": "Confidential Corp Location Exemption"
}
}
}
@@ -0,0 +1,46 @@
targetScope = 'managementGroup'

metadata name = 'ALZ Bicep - Management Group Policy Exemptions'
metadata description = 'Module used to create a policy exemption for a policy assignment in a management group'

@sys.description('The ID of the policy set assignment for which the exemption will be established.')
param parPolicyAssignmentId string

@allowed([
'Waiver'
'Mitigated'
])
@sys.description('The exemption category to be used.')
param parExemptionCategory string = 'Waiver'

@sys.description('The description which provides context for the policy exemption.')
param parDescription string

@allowed([
'Default'
'DoNotValidate'
])
@sys.description('Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope.')
param parAssignmentScopeValidation string = 'Default'

@sys.description('List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.')
param parPolicyDefinitionReferenceIds array

@sys.description('The resource name of the policy exemption.')
param parExemptionName string

@sys.description('The display name of the exemption.')
param parExemptionDisplayName string

// Create Policy Exemption
resource resPolicyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
name: parExemptionName
properties: {
assignmentScopeValidation: parAssignmentScopeValidation
description: parDescription
displayName: parExemptionDisplayName
exemptionCategory: parExemptionCategory
policyAssignmentId: parPolicyAssignmentId
policyDefinitionReferenceIds: parPolicyDefinitionReferenceIds
}
}
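Review bot: the exemption sets no `expiresOn`, so every exemption created through this module is open-ended; `Microsoft.Authorization/policyExemptions` supports `properties.expiresOn`, so add an optional `param parExpiresOn string = ''` and set `expiresOn: empty(parExpiresOn) ? null : parExpiresOn` so that waivers can be time-boxed and come up for review. It would also help callers to expose `output outPolicyExemptionId string = resPolicyExemption.id` rather than returning nothing.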