From 91c3d97a63aebdd518196a21160c78dc13107008 Mon Sep 17 00:00:00 2001 From: Micheal Falowo Date: Sun, 27 Oct 2024 01:33:03 -0500 Subject: [PATCH 1/5] Added a new MDFC policy definition and assignment to allow users to pass MDFC for server with plan as needed. Issue 'https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/1176' --- ...nment_es_deploy_mdfc_config_h324.tmpl.json | 76 ++++ ...n_es_deploy_mdfc_config_20241027.tmpl.json | 419 ++++++++++++++++++ 2 files changed, 495 insertions(+) create mode 100644 modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json create mode 100644 modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json
new file mode 100644
index 000000000..80b433b0e
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json
@@ -0,0 +1,76 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Deploy-MDFC-Config-H324",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20241027",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "Microsoft Defender for Cloud and Security Contacts {enforcementMode} be deployed."
+ }
+ ],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "${root_scope_id}-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${default_location}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "subPlan": {
+ "value": "P2"
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "Disabled"
+ },
+ "enableAscForStorage": {
+ "value": "Disabled"
+ },
+ "enableAscForContainers": {
+ "value": "Disabled"
+ },
+ "enableAscForKeyVault": {
+ "value": "Disabled"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "Disabled"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ },
+ "enableAscForCosmosDbs": {
+ "value": "Disabled"
+ },
+ "enableAscForCspm": {
+ "value": "Disabled"
+ }
+ },
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
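Review bot: The `"subPlan": { "value": "P2" }` entry and every `"Disabled"` value in this assignment are placeholders that only become real settings if the management module's parameter override (the `enableAscFor*` map in modules/management/locals.tf, touched in patch 4) is keyed to the `Deploy-MDFC-Config-H324` assignment name; that key lies outside the hunks in this series, so it should be confirmed, otherwise the new assignment deploys with every plan disabled. The `subPlan` key is renamed to `enableAscForServersSubPlan` in patch 3, so any override must use the final name. The all-zero subscription id in `logAnalytics` follows the same placeholder convention as the existing H224 assignment presumably does; worth stating in the PR description that these values are substituted at apply time.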
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json
new file mode 100644
index 000000000..27924afe2
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json
@@ -0,0 +1,419 @@
+{
+ "name": "Deploy-MDFC-Config_20241027",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "description": "Deploy Microsoft Defender for Cloud configuration",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "replacesPolicy": "Deploy-MDFC-Config and Deploy-MDFC-Config_20240319",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "emailSecurityContact": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Security contacts email address",
+ "description": "Provide email address for Microsoft Defender for Cloud contact details"
+ }
+ },
+ "minimalSeverity": {
+ "type": "string",
+ "allowedValues": [
+ "High",
+ "Medium",
+ "Low"
+ ],
+ "defaultValue": "High",
+ "metadata": {
+ "displayName": "Minimal severity",
+ "description": "Defines the minimal alert severity which will be sent as email notifications"
+ }
+ },
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Primary Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "ascExportResourceGroupName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Group name for the export to Log Analytics workspace configuration",
+ "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
+ }
+ },
+ "ascExportResourceGroupLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Group location for the export to Log Analytics workspace configuration",
+ "description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
+ }
+ },
+ "enableAscForCosmosDbs": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForSql": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForSqlOnVm": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForArm": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForOssDb": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForAppServices": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForKeyVault": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForStorage": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForContainers": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForServers": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "subPlan": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Defender for Servers plans",
+ "description": "Select a Defender for Servers plan"
+ },
+ "allowedValues": [
+ "P1",
+ "P2"
+ ],
+ "defaultValue": "P2"
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "vulnerabilityAssessmentProvider": {
+ "type": "String",
+ "allowedValues": [
+ "default",
+ "mdeTvm"
+ ],
+ "defaultValue": "mdeTvm",
+ "metadata": {
+ "displayName": "Vulnerability assessment provider type",
+ "description": "Select the vulnerability assessment solution to provision to machines."
+ }
+ },
+ "enableAscForCspm": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "defenderForOssDb",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForOssDb')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForServer",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5eb6d64a-4086-4d7a-92da-ec51aed0332d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForServers')]"
+ },
+ "subPlan": {
+ "value": "[parameters('subPlan')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForServersVulnerabilityAssessments')]"
+ },
+ "vaType": {
+ "value": "[parameters('vulnerabilityAssessmentProvider')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForSqlOnVm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForAppServices",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForAppServices')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForStorageAccountsV2",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForStorage')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderforContainers",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/efd4031d-b232-4595-babf-ae817348e91b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForContainers')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderforKubernetes",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForContainers')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalytics')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azurePolicyForKubernetes",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForContainers')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForKeyVaults",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForKeyVault')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForArm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForArm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForSqlPaas",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForSql')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForCosmosDbs",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForCosmosDbs')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForCspm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForCspm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "securityEmailContact",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "[parameters('emailSecurityContact')]"
+ },
+ "minimalSeverity": {
+ "value": "[parameters('minimalSeverity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ascExport",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9",
+ "parameters": {
+ "resourceGroupName": {
+ "value": "[parameters('ascExportResourceGroupName')]"
+ },
+ "resourceGroupLocation": {
+ "value": "[parameters('ascExportResourceGroupLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[parameters('logAnalytics')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "migrateToMdeTvm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888",
+ "parameters": {},
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
From 4fbc0b25118ff6bb668b14f853b6e395165d17e1 Mon Sep 17 00:00:00 2001
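Review bot: The `defenderForServer` reference passes a `subPlan` parameter to the built-in definition `5eb6d64a-4086-4d7a-92da-ec51aed0332d`; the set deployment fails if the current version of that built-in does not declare a parameter of that exact name, and that cannot be verified from the diff, so it should be checked before merge. Selecting `P1` does not condition the `defenderForVMVulnerabilityAssessment` or `migrateToMdeTvm` references, which are deployed regardless of the plan, so the `subPlan` description should say so, e.g. `"description": "Select a Defender for Servers plan (P1 or P2). The vulnerability assessment and MDE TVM references in this set are deployed regardless of the plan chosen."`. Minor style: `emailSecurityContact` and `minimalSeverity` use `"type": "string"` while every other parameter uses `"String"`; pick one.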
From: Micheal Falowo Date: Sun, 27 Oct 2024 14:16:08 -0500 Subject: [PATCH 2/5] Added a new MDFC policy definition and assignment to allow users to pass MDFC for server with plan as needed. Issue 'https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/1176' --- .../archetype_definition_es_root.tmpl.json | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
index 888927d5a..baab2befb 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@@ -13,6 +13,7 @@
 "Deploy-MDEndpoints",
 "Deploy-MDEndpointsAMA",
 "Deploy-MDFC-Config-H224",
+ "Deploy-MDFC-Config-H324",
 "Deploy-MDFC-OssDb",
 "Deploy-MDFC-SqlAtp",
 "Enforce-ACSB"
@@ -184,6 +185,7 @@
 "DenyAction-DeleteProtection",
 "Deploy-AUM-CheckUpdates",
 "Deploy-Diagnostics-LogAnalytics",
+ "Deploy-MDFC-Config_20241027",
 "Deploy-MDFC-Config_20240319",
 "Deploy-MDFC-Config",
 "Deploy-MDFC-DefenderSQL-AMA",
From eb4a120b65699a5db69144deecc03b8439da219a Mon Sep 17 00:00:00 2001 From: Micheal Falowo Date: Sun, 27 Oct 2024 21:50:30 -0500 Subject: [PATCH 3/5] Added a new MDFC policy definition and assignment to allow users to pass MDFC for server and APIs with plan as needed. Issue '1176, and 1167' --- ...nment_es_deploy_mdfc_config_h324.tmpl.json | 8 +- .../policy_definition_es_deploy_asc_apis.json | 112 ++++++++++++++++++ ...n_es_deploy_mdfc_config_20241027.tmpl.json | 44 ++++++- 3 files changed, 161 insertions(+), 3 deletions(-) create mode 100644 modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_asc_apis.json
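Review bot: `"Deploy-MDFC-Config-H324"` is added to the root archetype's assignment list in the `@@ -13,6 +13,7 @@` hunk while `"Deploy-MDFC-Config-H224"` stays, so the root scope will carry two DeployIfNotExists assignments that both configure `Microsoft.Security/pricings` for the same plans; where their effective parameters differ (only the new set exposes the Servers sub-plan), remediation of one can undo the other. The new set's `replacesPolicy` metadata names `Deploy-MDFC-Config_20240319`, which suggests the intent was to supersede H224 rather than run alongside it; either drop `"Deploy-MDFC-Config-H224",` from this list with an upgrade note for existing deployments, or document why both assignments are required. Whether the management module's parameter overrides are keyed by assignment name, and so would cover both, lies outside these hunks.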
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json
index 80b433b0e..13fa918f2 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config_h324.tmpl.json
@@ -30,10 +30,16 @@
 "ascExportResourceGroupLocation": {
 "value": "${default_location}"
 },
+ "enableAscForAPIs": {
+ "value": "Disabled"
+ },
+ "enableAscForAPIsSubPlan": {
+ "value": "P1"
+ },
 "enableAscForServers": {
 "value": "Disabled"
 },
- "subPlan": {
+ "enableAscForServersSubPlan": {
 "value": "P2"
 },
 "enableAscForServersVulnerabilityAssessments": {
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_asc_apis.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_asc_apis.json
new file mode 100644
index 000000000..f7bed14fe
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_asc_apis.json
@@ -0,0 +1,112 @@
+{
+ "name": "Deploy-ASC-APIs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "displayName": "Configure Microsoft Defender for APIs plan",
+ "policyType": "Custom",
+ "mode": "All",
+ "description": "New capabilities are continuously being added to Defender for APIs, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled.",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "subPlan": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Defender for APIs plans",
+ "description": "Select a Defender for APIs plan"
+ },
+ "allowedValues": [
+ "P1",
+ "P2",
+ "P3",
+ "P4",
+ "P5"
+ ],
+ "defaultValue": "P1"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Security/pricings",
+ "name": "Api",
+ "deploymentScope": "subscription",
+ "existenceScope": "subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Security/pricings/pricingTier",
+ "equals": "Standard"
+ },
+ {
+ "field": "Microsoft.Security/pricings/subPlan",
+ "equals": "[parameters('subPlan')]"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "westeurope",
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "subPlan": {
+ "value": "[parameters('subPlan')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subPlan": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2023-01-01",
+ "name": "Api",
+ "properties": {
+ "pricingTier": "Standard",
+ "subPlan": "[parameters('subPlan')]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json
index 27924afe2..925afede5 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20241027.tmpl.json
@@ -59,6 +59,33 @@
 "description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
 }
 },
+ "enableAscForAPIs": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForAPIsSubPlan": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Defender for APIs plans",
+ "description": "Select a Defender for APIs plan"
+ },
+ "allowedValues": [
+ "P1",
+ "P2",
+ "P3",
+ "P4",
+ "P5"
+ ],
+ "defaultValue": "P1"
+ },
 "enableAscForCosmosDbs": {
 "type": "String",
 "allowedValues": [
@@ -179,7 +206,7 @@
 "description": "Enable or disable the execution of the policy"
 }
 },
- "subPlan": {
+ "enableAscForServersSubPlan": {
 "type": "String",
 "metadata": {
 "displayName": "Defender for Servers plans",
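Review bot: `roleDefinitionIds` in the new `Deploy-ASC-APIs` definition grants the assignment's managed identity the Owner role (`8e3af657-a8ff-443c-a75c-2fe8c4bcb635`) on every in-scope subscription, far more than writing a `Microsoft.Security/pricings` resource requires; a narrower built-in role keeps the remediation identity within least privilege (the built-in Defender plan policies use Security Admin, if I recall correctly), e.g. `"roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/<security-admin-role-definition-id>"]`. Separately, `"location": "westeurope"` is hard-coded for the subscription-level deployment while `alzCloudEnvironments` lists `AzureChinaCloud` and `AzureUSGovernment`, where that region does not exist, so the deployment would fail there unless the module rewrites the location; this file is a plain `.json` rather than `.tmpl.json`, so no template substitution is visible. Also `"version": "2.0.0"` on a newly created definition should presumably start at `1.0.0`.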
@@ -229,6 +256,19 @@
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "defenderForAPIs",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-APIs",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableAscForAPIs')]"
+ },
+ "subPlan": {
+ "value": "[parameters('enableAscForAPIsSubPlan')]"
+ }
+ },
+ "groupNames": []
+ },
 {
 "policyDefinitionReferenceId": "defenderForOssDb",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a",
@@ -247,7 +287,7 @@
 "value": "[parameters('enableAscForServers')]"
 },
 "subPlan": {
- "value": "[parameters('subPlan')]"
+ "value": "[parameters('enableAscForServersSubPlan')]"
 }
 },
 "groupNames": []
From d0514be91b6cfae71181c7b36d9f594521ccf818 Mon Sep 17 00:00:00 2001 From: Micheal Falowo Date: Sun, 27 Oct 2024 22:17:21 -0500 Subject: [PATCH 4/5] Added a new MDFC policy definition and assignment to allow users to pass MDFC for server and APIs with plan as needed. Issue '1176, and 1167' --- modules/management/locals.tf | 3 +++ modules/management/variables.tf | 1 + variables.tf | 1 + 3 files changed, 5 insertions(+)
diff --git a/modules/management/locals.tf b/modules/management/locals.tf
index d4028e5d7..4f76e74e8 100644
--- a/modules/management/locals.tf
+++ b/modules/management/locals.tf
@@ -60,6 +60,7 @@ locals {
 SecurityInsights = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_sentinel
 }
 deploy_security_settings = local.settings.security_center.enabled
+ deploy_defender_for_apis = local.settings.security_center.config.enable_defender_for_apis
 deploy_defender_for_app_services = local.settings.security_center.config.enable_defender_for_app_services
 deploy_defender_for_arm = local.settings.security_center.config.enable_defender_for_arm
 deploy_defender_for_containers = local.settings.security_center.config.enable_defender_for_containers
@@ -600,6 +601,7 @@ locals {
 logAnalytics = local.log_analytics_workspace_resource_id
 ascExportResourceGroupName = local.asc_export_resource_group_name
 ascExportResourceGroupLocation = local.location
+ enableAscForAPIs = local.deploy_defender_for_apis ? "DeployIfNotExists" : "Disabled"
 enableAscForAppServices = local.deploy_defender_for_app_services ? "DeployIfNotExists" : "Disabled"
 enableAscForArm = local.deploy_defender_for_arm ? "DeployIfNotExists" : "Disabled"
 enableAscForContainers = local.deploy_defender_for_containers ? "DeployIfNotExists" : "Disabled"
@@ -608,6 +610,7 @@ locals {
 enableAscForKeyVault = local.deploy_defender_for_key_vault ? "DeployIfNotExists" : "Disabled"
 enableAscForOssDb = local.deploy_defender_for_oss_databases ? "DeployIfNotExists" : "Disabled"
 enableAscForServers = local.deploy_defender_for_servers ? "DeployIfNotExists" : "Disabled"
+ enableAscForServers = local.deploy_defender_for_servers ? "DeployIfNotExists" : "Disabled"
 enableAscForServersVulnerabilityAssessments = local.deploy_defender_for_servers_vulnerability_assessments ? "DeployIfNotExists" : "Disabled"
 enableAscForSql = local.deploy_defender_for_sql_servers ? "DeployIfNotExists" : "Disabled"
 enableAscForSqlOnVm = local.deploy_defender_for_sql_server_vms ? "DeployIfNotExists" : "Disabled"
diff --git a/modules/management/variables.tf b/modules/management/variables.tf
index 2f982b168..96aeb4080 100644
--- a/modules/management/variables.tf
+++ b/modules/management/variables.tf
@@ -67,6 +67,7 @@ variable "settings" {
 enabled = optional(bool, true)
 config = optional(object({
 email_security_contact = optional(string, "security_contact@replace_me")
+ enable_defender_for_apis = optional(bool, true)
 enable_defender_for_app_services = optional(bool, true)
 enable_defender_for_arm = optional(bool, true)
 enable_defender_for_containers = optional(bool, true)
diff --git a/variables.tf b/variables.tf
index e8a9a402c..7272f20ad 100644
--- a/variables.tf
+++ b/variables.tf
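Review bot: The line added in the `@@ -608,6 +610,7 @@` hunk, `enableAscForServers = local.deploy_defender_for_servers ? "DeployIfNotExists" : "Disabled"`, repeats the identical key on the line directly above it inside the same object literal, which Terraform should reject as a duplicate attribute and which, even if accepted, never passes a sub-plan. The set definition's new parameters are `enableAscForServersSubPlan` and `enableAscForAPIsSubPlan`, neither of which is set in this map, so the sub-plan the series exists to expose is still not configurable from Terraform and the assignment's placeholder `P2`/`P1` values will be used. Replace the duplicate with `enableAscForServersSubPlan = local.<new servers sub-plan local>` and add `enableAscForAPIsSubPlan = local.<new apis sub-plan local>`, backed by matching `config` settings in both variables files; whether this map's key already covers the H324 assignment lies outside the hunk.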
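Review bot: `enable_defender_for_apis = optional(bool, true)` in the `@@ -67,6 +67,7 @@` hunk of modules/management/variables.tf defaults a newly introduced, separately billed Defender plan to enabled, so consumers who upgrade the module and keep their existing `config` object will have Defender for APIs switched on across every in-scope subscription at the next apply; the same default is repeated in the root `variables.tf` hunk that follows. The default matches the other `enable_defender_for_*` flags, so it may be deliberate, but it belongs in the upgrade notes and the variable's `description`, and a `false` default would make enabling a new paid plan an explicit choice.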
@@ -99,6 +99,7 @@ variable "configure_management_resources" {
 enabled = optional(bool, true)
 config = optional(object({
 email_security_contact = optional(string, "security_contact@replace_me")
+ enable_defender_for_apis = optional(bool, true)
 enable_defender_for_app_services = optional(bool, true)
 enable_defender_for_arm = optional(bool, true)
 enable_defender_for_containers = optional(bool, true)
From 383359df00d1cb485427ede58eb0e1ba00fcda67 Mon Sep 17 00:00:00 2001 From: Micheal Falowo Date: Sun, 27 Oct 2024 22:27:24 -0500 Subject: [PATCH 5/5] Added a new MDFC policy definition and assignment to allow users to pass MDFC for server and APIs with plan as needed. Issue '1176, and 1167' --- .../archetype_definitions/archetype_definition_es_root.tmpl.json | 1 + 1 file changed, 1 insertion(+)
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
index baab2befb..114489fb9 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@@ -94,6 +94,7 @@
 "DenyAction-ActivityLogs",
 "DenyAction-DeleteResources",
 "DenyAction-DiagnosticLogs",
+ "Deploy-ASC-APIs",
 "Deploy-ASC-SecurityContacts",
 "Deploy-Budget",
 "Deploy-Custom-Route-Table",