Update securityCenter.bicep module API provider to prevent warnings #560

Merged
merged 11 commits into from
Jan 26, 2022
106 changes: 35 additions & 71 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "10156023147744075921"
"templateHash": "1118457920660514703"
}
},
"parameters": {
Expand Down Expand Up @@ -4621,7 +4621,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "5910850021434301527"
"templateHash": "998933596067649007"
}
},
"parameters": {
Expand All @@ -4632,13 +4632,6 @@
"description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
}
},
"enableSecuritySettings": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Turn security policy settings On or Off."
}
},
"logAnalyticsWorkspaceId": {
"type": "string",
"metadata": {
Expand All @@ -4650,12 +4643,18 @@
"metadata": {
"description": "Email address of the contact, in the form of john@doe.com"
}
},
"policySetDescription": {
"type": "string",
"defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
"metadata": {
"description": "Policy Initiative description field"
}
}
},
"variables": {
"bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
"autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
"securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
"autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
},
"resources": [
{
Expand Down Expand Up @@ -4699,32 +4698,15 @@
}
},
{
"type": "Microsoft.Security/policies",
"apiVersion": "2015-06-01-preview",
"name": "default",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2021-06-01",
"name": "Azure Security Benchmark",
"properties": {
"policyLevel": "Subscription",
"name": "default",
"unique": "Off",
"logCollection": "On",
"recommendations": {
"patch": "[variables('securitySettings')]",
"baseline": "[variables('securitySettings')]",
"antimalware": "[variables('securitySettings')]",
"diskEncryption": "[variables('securitySettings')]",
"acls": "[variables('securitySettings')]",
"nsgs": "[variables('securitySettings')]",
"waf": "[variables('securitySettings')]",
"sqlAuditing": "[variables('securitySettings')]",
"sqlTde": "[variables('securitySettings')]",
"ngfw": "[variables('securitySettings')]",
"vulnerabilityAssessment": "[variables('securitySettings')]",
"storageEncryption": "[variables('securitySettings')]",
"jitNetworkAccess": "[variables('securitySettings')]"
},
"pricingConfiguration": {
"selectedPricingTier": "Standard"
}
"displayName": "ASC Default",
"description": "[parameters('policySetDescription')]",
"enforcementMode": "DoNotEnforce",
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
}
}
]
Expand Down Expand Up @@ -4765,7 +4747,7 @@
"_generator": {
"name": "bicep",
"version": "0.4.1124.51302",
"templateHash": "5910850021434301527"
"templateHash": "998933596067649007"
}
},
"parameters": {
Expand All @@ -4776,13 +4758,6 @@
"description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
}
},
"enableSecuritySettings": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Turn security policy settings On or Off."
}
},
"logAnalyticsWorkspaceId": {
"type": "string",
"metadata": {
Expand All @@ -4794,12 +4769,18 @@
"metadata": {
"description": "Email address of the contact, in the form of john@doe.com"
}
},
"policySetDescription": {
"type": "string",
"defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
"metadata": {
"description": "Policy Initiative description field"
}
}
},
"variables": {
"bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
"autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
"securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
"autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
},
"resources": [
{
Expand Down Expand Up @@ -4843,32 +4824,15 @@
}
},
{
"type": "Microsoft.Security/policies",
"apiVersion": "2015-06-01-preview",
"name": "default",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2021-06-01",
"name": "Azure Security Benchmark",
"properties": {
"policyLevel": "Subscription",
"name": "default",
"unique": "Off",
"logCollection": "On",
"recommendations": {
"patch": "[variables('securitySettings')]",
"baseline": "[variables('securitySettings')]",
"antimalware": "[variables('securitySettings')]",
"diskEncryption": "[variables('securitySettings')]",
"acls": "[variables('securitySettings')]",
"nsgs": "[variables('securitySettings')]",
"waf": "[variables('securitySettings')]",
"sqlAuditing": "[variables('securitySettings')]",
"sqlTde": "[variables('securitySettings')]",
"ngfw": "[variables('securitySettings')]",
"vulnerabilityAssessment": "[variables('securitySettings')]",
"storageEncryption": "[variables('securitySettings')]",
"jitNetworkAccess": "[variables('securitySettings')]"
},
"pricingConfiguration": {
"selectedPricingTier": "Standard"
}
"displayName": "ASC Default",
"description": "[parameters('policySetDescription')]",
"enforcementMode": "DoNotEnforce",
"parameters": {},
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
}
}
]
40 changes: 12 additions & 28 deletions src/bicep/modules/securityCenter.bicep
Expand Up @@ -25,16 +25,16 @@ var bundle = (environment().name != 'AzureUSGovernment' ? [
param enableAutoProvisioning bool = true
var autoProvisioning = enableAutoProvisioning ? 'On' : 'Off'

@description('Turn security policy settings On or Off.')
param enableSecuritySettings bool = true
var securitySettings = enableSecuritySettings ? 'On' : 'Off'

@description('Specify the ID of your custom Log Analytics workspace to collect ASC data.')
param logAnalyticsWorkspaceId string

@description('Email address of the contact, in the form of john@doe.com')
param emailSecurityContact string

@description('Policy Initiative description field')
param policySetDescription string = 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'


// security center

resource securityCenterPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in bundle: {
Expand Down Expand Up @@ -70,30 +70,14 @@ resource securityNotifications 'Microsoft.Security/securityContacts@2017-08-01-p
}
}

resource securityPoliciesDefault 'Microsoft.Security/policies@2015-06-01-preview' = {
name: 'default'
resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
name: 'Azure Security Benchmark'
scope: subscription()
properties: {
policyLevel: 'Subscription'
name: 'default'
unique: 'Off'
logCollection: 'On'
recommendations: {
patch: securitySettings
baseline: securitySettings
antimalware: securitySettings
diskEncryption: securitySettings
acls: securitySettings
nsgs: securitySettings
waf: securitySettings
sqlAuditing: securitySettings
sqlTde: securitySettings
ngfw: securitySettings
vulnerabilityAssessment: securitySettings
storageEncryption: securitySettings
jitNetworkAccess: securitySettings
}
pricingConfiguration: {
selectedPricingTier: 'Standard'
}
displayName: 'ASC Default'
description: policySetDescription
enforcementMode: 'DoNotEnforce'
parameters: {}
policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
}
}
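Review bot: The new policyAssignments resource hard-codes `enforcementMode: 'DoNotEnforce'`, so the Azure Security Benchmark initiative only evaluates compliance and any policy in it that carries a deny or deploy effect is never applied, with no way for a caller to opt in; the `enableSecuritySettings` switch this replaces at least exposed a choice. Making the mode a parameter with the same `DoNotEnforce` default keeps behaviour for existing deployments while letting a hardened environment enforce the initiative. The symbolic name `securityPoliciesDefault` is carried over from the removed `Microsoft.Security/policies` resource; something like `securityBenchmarkAssignment` would describe what is now deployed. Whether `scope: subscription()` is valid here depends on the module's `targetScope`, which is declared outside the hunk.
```bicep
@description('Enforcement mode of the Azure Security Benchmark assignment. DoNotEnforce evaluates compliance only; Default also applies deny/deploy effects.')
@allowed([
  'Default'
  'DoNotEnforce'
])
param policyEnforcementMode string = 'DoNotEnforce'

// … unchanged: pricing, workspace, auto-provisioning and security contact resources …

resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  // … unchanged: name, scope, displayName, description …
    enforcementMode: policyEnforcementMode
  // … unchanged: parameters, policyDefinitionId …
}
```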