// ----------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
//
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// ----------------------------------------------------------------------------------
targetScope = 'managementGroup'

// Location used for the policy assignment resource and the nested telemetry deployment.
@description('Location for the deployment.')
param location string = deployment().location

// Management group that receives the FedRAMP Moderate policy set assignment.
@description('Management Group scope for the policy assignment.')
param policyAssignmentManagementGroupId string

// Enforcement mode of the assignment; only the two listed values are accepted.
@description('Policy set assignment enforcement mode. Possible values are { Default, DoNotEnforce }. Default value: Default')
@allowed([
  'Default'
  'DoNotEnforce'
])
param enforcementMode string = 'Default'

// Passed through unchanged to the initiative's requiredRetentionDays parameter.
@description('Log Analytics Workspace Data Retention in days.')
param requiredRetentionDays string
// Display name shown on the assignment, and the built-in FedRAMP Moderate policy set GUID.
var assignmentName = 'FedRAMP Moderate'
var policyId = 'e95f5a9f-57ad-4d03-bb0b-b1d16db93693' // FedRAMP Moderate

// ID of the built-in policy set definition (resourceId() form used under managementGroup target scope).
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)

// Fully qualified ID of the target management group; used as the assignment scope.
var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)
// Telemetry - Azure customer usage attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// The telemetry settings are read from the repository config at compile time via loadTextContent();
// the attribution module is only deployed when customerUsageAttribution.enabled is true.
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
// Module name embeds the policy module's partner id so the deployment is attributable.
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-fedramp-m'
}
// FedRAMP Moderate policy set assignment at the target management group.
// A system-assigned identity is created so the assignment can remediate;
// the role assignment further down grants that identity its permissions.
resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
  // uniqueString() keeps the assignment name stable for a given management group.
  name: 'fedramp-m-${uniqueString('fedramp-moderate-',policyAssignmentManagementGroupId)}'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: assignmentName
    policyDefinitionId: policyScopedId
    scope: scope
    enforcementMode: enforcementMode
    // No exclusions: the entire management group is in scope.
    notScopes: []
    // Initiative parameters; requiredRetentionDays is passed through as supplied.
    parameters: {
      requiredRetentionDays: {
        value: requiredRetentionDays
      }
    }
  }
}
// These role assignments are required to allow Policy Assignment to remediate.
// Contributor is granted at the management group to the assignment's identity.
// NOTE(review): this is a broad grant; confirm the initiative's remediation tasks
// actually require Contributor rather than a narrower built-in role.
resource policySetRoleAssignmentContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // guid() is deterministic for the same inputs, so redeployments reuse the same assignment.
  name: guid(policyAssignmentManagementGroupId, 'fedramp-moderate-Contributor')
  scope: managementGroup()
  properties: {
    principalType: 'ServicePrincipal'
    // Referencing the assignment's identity also makes this deploy after the assignment.
    principalId: policySetAssignment.identity.principalId
    // Built-in Contributor role definition.
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
  }
}