Defender for Cloud VM plan 1 or 2 #1176

Closed
GokhanAltan1 opened this issue Oct 24, 2024 · 2 comments · Fixed by #1201
@GokhanAltan1

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

I would like to manage the Defender for Cloud VM plan. At this moment there is no option to set the plan to 1 or 2.

Describe the solution you'd like

A parameter in the policy to set the plan version to 1 or 2.

Additional context

@falowomi

falowomi commented Oct 27, 2024

@GokhanAltan1 You can deploy your Defender for Cloud policies using custom configuration and then set `enable_defender_for_servers` to false. This will give you the opportunity to create and assign a built-in policy in your ALZ deployment. See the configuration in the link below.

Deploy-Management-Resources-With-Custom-Settings

Now, you need to create a custom policy assignment using the built-in policy named "Configure Microsoft Defender for Servers plan", which applies specifically to MDFC for Servers. Follow the instructions provided in the link below to achieve this.

Assign-a-Built-in-Policy

In the meantime, I'm creating a PR for a new MDFC policy initiative which will have the definition configuration below, with the P2 plan as the default value.

```json
{
  "policyDefinitionReferenceId": "defenderForServer",
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5eb6d64a-4086-4d7a-92da-ec51aed0332d",
  "parameters": {
    "effect": {
      "value": "[parameters('enableAscForServers')]"
    },
    "subPlan": {
      "value": "[parameters('subPlan')]"
    }
  },
  "groupNames": []
}
```

With that being said, once the PR is approved, you would have to create a directory `lib` in your ALZ root module and a file `archetype_extension_es_landing_zones.tmpl.json` under the `lib` directory, and add the code below to set the plan as needed to either of the allowed values, "P1" or "P2" (the `subPlan` value below is set to "P2"; use "P1" instead if that is the plan you want).

```json
{
  "extend_es_root": {
    "policy_assignments": ["Deploy-MDFC-Config-H324"],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {
        "Deploy-MDFC-Config-H324": {
          "subPlan": "P2"
        }
      },
      "access_control": {}
    }
  }
}
```

Finally, you need to add `library_path = "${path.root}/lib"` to your module block. See below for an example.

```hcl
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "myorg"
  root_name      = "My Organization"
  library_path   = "${path.root}/lib"
}
```

Hope that helps
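The archetype extension file above is plain JSON that Terraform parses from the `lib` directory, so two mistakes are easy to make and only surface at plan time: an inline `//` comment makes the file invalid JSON, and a `subPlan` value other than the two the policy accepts is rejected by the assignment. The following is an added example, not code from the module or from the commenter: a small Python helper that builds the extension document for a chosen plan and validates an existing one before it is handed to Terraform. The assignment name `Deploy-MDFC-Config-H324` and the `extend_es_root` key are taken from the comment above; the `extend_` prefix check and the sample documents are assumptions constructed for the example.

```python
import json

# The two plan values the comment above names as allowed for the policy's subPlan parameter.
ALLOWED_SUBPLANS = ("P1", "P2")
# Assignment name as it appears in the comment above.
ASSIGNMENT_NAME = "Deploy-MDFC-Config-H324"


def build_extension(sub_plan, assignment=ASSIGNMENT_NAME, archetype="es_root"):
    """Return the JSON text of an archetype extension that pins `subPlan` for `assignment`.

    Mirrors the structure of the snippet in the comment; an unsupported plan value
    raises here so the mistake is caught before `terraform plan` is run.
    """
    if sub_plan not in ALLOWED_SUBPLANS:
        raise ValueError(f"subPlan must be one of {ALLOWED_SUBPLANS}, got {sub_plan!r}")
    doc = {
        f"extend_{archetype}": {
            "policy_assignments": [assignment],
            "policy_definitions": [],
            "policy_set_definitions": [],
            "role_definitions": [],
            "archetype_config": {
                "parameters": {assignment: {"subPlan": sub_plan}},
                "access_control": {},
            },
        }
    }
    return json.dumps(doc, indent=2)


def validate_extension(text):
    """Parse an archetype extension document and return a list of findings (empty = OK)."""
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A `//` comment inside the file fails here, before Terraform reads it.
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    for key, ext in doc.items():
        # Assumption for this example: extension keys take the form extend_<archetype id>.
        if not key.startswith("extend_"):
            findings.append(f"{key}: extension keys are expected to start with 'extend_'")
        if not isinstance(ext, dict):
            findings.append(f"{key}: value must be an object")
            continue
        params = ext.get("archetype_config", {}).get("parameters", {})
        for assignment, values in params.items():
            if not isinstance(values, dict):
                findings.append(f"{key}/{assignment}: parameters must be an object")
                continue
            sub_plan = values.get("subPlan")
            if sub_plan is not None and sub_plan not in ALLOWED_SUBPLANS:
                findings.append(
                    f"{key}/{assignment}: subPlan {sub_plan!r} is not one of {ALLOWED_SUBPLANS}"
                )
    return findings


# Constructed sample reproducing the inline-comment mistake; not a real file from any project.
COMMENTED_EXTENSION = (
    '{"extend_es_root": {"archetype_config": {"parameters": '
    '{"Deploy-MDFC-Config-H324": {"subPlan": "P2" // use P1 or P2\n}}}}}'
)


if __name__ == "__main__":
    good = build_extension("P2")
    print("generated document findings:", validate_extension(good))
    print("commented document findings:", validate_extension(COMMENTED_EXTENSION))
    print("hand-edited P3 findings:", validate_extension(good.replace('"P2"', '"P3"')))
```

Run it against the file you actually keep under `lib/` (for example `validate_extension(open("lib/archetype_extension_es_landing_zones.tmpl.json").read())`) as a pre-commit or CI step; an empty list means the document parses and every `subPlan` is one of the two accepted values.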

falowomi added a commit to falowomi/terraform-azurerm-caf-enterprise-scale that referenced this issue Oct 27, 2024

@matt-FFFFFF (Member)

This is added in #1201 in the latest policy refresh
