// ----------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
//
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// ----------------------------------------------------------------------------------
// This template is deployed at management-group scope: the policy set assignment and the
// role assignment declared further down are created against a management group, not a
// subscription or resource group.
targetScope = 'managementGroup'

// Region used for the deployment; also applied to the policy assignment's managed identity below.
@description('Location for the deployment.')
param location string = deployment().location

// Management group the initiative is assigned to. Used both to build the assignment scope
// and as a seed for deterministic resource names, so it must be stable across redeployments.
@description('Management Group scope for the policy assignment.')
param policyAssignmentManagementGroupId string

// Enforcement mode of the assignment. 'DoNotEnforce' is Azure Policy's evaluate-only mode
// (compliance is reported but effects are not applied), which allows the initiative to be
// trialled before it is enforced.
@allowed([
  'Default'
  'DoNotEnforce'
])
@description('Policy set assignment enforcement mode. Possible values are { Default, DoNotEnforce }. Default value: Default')
param enforcementMode string = 'Default'

// NOTE(review): this value is passed to the initiative's logAnalyticsWorkspaceIdforVMReporting
// parameter below, while the description speaks of Defender for Cloud integration — confirm
// which workspace is expected here and align the description with the actual use.
@description('Log Analytics Resource Id to integrate Microsoft Defender for Cloud.')
param logAnalyticsWorkspaceId string

// Both lists are passed through unchanged to the initiative parameters of the same name.
// They are typed as a single string, so the delimiter for multiple members is defined by
// the built-in policy definitions, not by this template.
@description('List of members that should be excluded from Windows VM Administrator Group.')
param listOfMembersToExcludeFromWindowsVMAdministratorsGroup string

@description('List of members that should be included in Windows VM Administrator Group.')
param listOfMembersToIncludeInWindowsVMAdministratorsGroup string
// Identifier of the built-in 'Canada Federal PBMM' policy set definition (initiative).
var policyId = '4c4a5f27-de81-430b-b4e5-9cbd50595a87' // Canada Federal PBMM

// Display name shown on the assignment in the portal.
var assignmentName = 'Canada Federal PBMM'

// Fully qualified id of the target management group; this is the scope the initiative is
// assigned to (it may differ from the management group the template itself is deployed to).
var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)

// Resource id of the built-in policy set definition.
// NOTE(review): resourceId() is used here for a built-in definition; at management-group
// scope this is expected to resolve to the tenant-level
// /providers/Microsoft.Authorization/policySetDefinitions/<id> path — verify with the
// compiled ARM output rather than assuming.
var policyScopedId = resourceId('Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
//
// The telemetry settings are read from a repository-local JSON file at build time
// (loadTextContent embeds the file content into the compiled template).
var telemetry = json(loadTextContent('../../../config/telemetry.json'))

// Conditionally deployed: when customerUsageAttribution.enabled is false no module
// deployment is created at all. The module name carries the partner id (pid-...) that
// Azure uses for usage attribution; the '-pbmm' suffix identifies this initiative.
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-pbmm'
}
// Assigns the Canada Federal PBMM built-in initiative to the target management group.
// The assignment carries a system-assigned managed identity so that policies with
// deployIfNotExists / modify effects can remediate; that identity is granted a role by
// the separate role assignment resource declared after this one.
resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
  // uniqueString() is deterministic for the same inputs, so redeploying against the same
  // management group updates the existing assignment instead of creating a second one.
  name: 'pbmm-${uniqueString('pbmm-',policyAssignmentManagementGroupId)}'
  properties: {
    displayName: assignmentName
    policyDefinitionId: policyScopedId
    scope: scope
    // No exclusions: everything under the management group is evaluated.
    notScopes: [
    ]
    // Values for the initiative's own parameters. The keys must match the parameter names
    // declared by the built-in policy set definition (including the GUID-suffixed ones).
    parameters: {
      // Workspace that the VM reporting / guest configuration policies send data to.
      logAnalyticsWorkspaceIdforVMReporting: {
        value: logAnalyticsWorkspaceId
      }
      listOfMembersToExcludeFromWindowsVMAdministratorsGroup: {
        value: listOfMembersToExcludeFromWindowsVMAdministratorsGroup
      }
      listOfMembersToIncludeInWindowsVMAdministratorsGroup: {
        value: listOfMembersToIncludeInWindowsVMAdministratorsGroup
      }
      // Diagnostic-settings policies: resource logs are forwarded, platform metrics are not.
      // NOTE(review): metricsEnabled is hard-coded to false; confirm this is the intended
      // baseline (metrics are often wanted for alerting) rather than an oversight.
      'logsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
        value: true
      }
      'metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
        value: false
      }
      // Resource types the diagnostic-settings policy is applied to. Commented-out entries
      // are types that expose no log categories, are not supported, or whose logs are
      // collected by another mechanism (see the inline notes next to each).
      listOfResourceTypesWithDiagnosticLogsEnabled: {
        value: [
          'Microsoft.AnalysisServices/servers'
          'Microsoft.ApiManagement/service'
          'Microsoft.Network/applicationGateways'
          'Microsoft.Automation/automationAccounts'
          // 'Microsoft.ContainerInstance/containerGroups' # Removed since it doesn't have any logs
          'Microsoft.ContainerRegistry/registries'
          'Microsoft.ContainerService/managedClusters'
          'Microsoft.Batch/batchAccounts'
          'Microsoft.Cdn/profiles/endpoints'
          'Microsoft.CognitiveServices/accounts'
          'Microsoft.DocumentDB/databaseAccounts'
          'Microsoft.DataFactory/factories'
          'Microsoft.DataLakeAnalytics/accounts'
          'Microsoft.DataLakeStore/accounts'
          // 'Microsoft.EventGrid/eventSubscriptions' # Removed since it doesn't have any logs
          'Microsoft.EventGrid/topics'
          'Microsoft.EventHub/namespaces'
          'Microsoft.Network/expressRouteCircuits'
          'Microsoft.Network/azureFirewalls'
          'Microsoft.HDInsight/clusters'
          'Microsoft.Devices/IotHubs'
          'Microsoft.KeyVault/vaults'
          'Microsoft.Network/loadBalancers'
          'Microsoft.Logic/integrationAccounts'
          'Microsoft.Logic/workflows'
          'Microsoft.DBforMySQL/servers'
          // 'Microsoft.Network/networkInterfaces' # Removed since it doesn't have any logs
          'Microsoft.Network/networkSecurityGroups'
          'Microsoft.DBforPostgreSQL/servers'
          'Microsoft.PowerBIDedicated/capacities'
          'Microsoft.Network/publicIPAddresses'
          'Microsoft.RecoveryServices/vaults'
          'Microsoft.Cache/redis'
          'Microsoft.Relay/namespaces'
          'Microsoft.Search/searchServices'
          'Microsoft.ServiceBus/namespaces'
          'Microsoft.SignalRService/SignalR'
          'Microsoft.Sql/servers/databases'
          // 'Microsoft.Sql/servers/elasticPools' # Removed since it doesn't have any logs
          'Microsoft.StreamAnalytics/streamingjobs'
          'Microsoft.TimeSeriesInsights/environments'
          'Microsoft.Network/trafficManagerProfiles'
          // 'Microsoft.Compute/virtualMachines' # Logs are collected through Microsoft Monitoring Agent
          // 'Microsoft.Compute/virtualMachineScaleSets' # Removed since it is not supported
          'Microsoft.Network/virtualNetworks'
          'Microsoft.Network/virtualNetworkGateways'
        ]
      }
    }
    // 'Default' enforces effects; 'DoNotEnforce' only reports compliance.
    enforcementMode: enforcementMode
  }
  // System-assigned identity used by remediation tasks; its principalId is consumed by the
  // role assignment resource declared below.
  identity: {
    type: 'SystemAssigned'
  }
  // Region for the assignment's managed identity (required when an identity is used).
  location: location
}
// These role assignments are required to allow Policy Assignment to remediate.
//
// NOTE(review): Contributor (b24988ac-...) across the whole management group is a broad
// grant for a remediation identity. The roles actually needed are the roleDefinitionIds
// declared in the initiative's deployIfNotExists / modify policy definitions (for
// diagnostic-settings and guest-configuration remediation these are typically narrower
// than Contributor); consider trimming to exactly those, and review periodically since
// the built-in initiative's contents change over time.
//
// NOTE(review): the API version '2020-04-01-preview' is a preview version; a GA version of
// Microsoft.Authorization/roleAssignments (2022-04-01) exists with the same properties
// used here, so moving off preview should be a no-op worth doing.
resource policySetRoleAssignmentContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // guid() is deterministic, so the role assignment is updated in place on redeploy.
  name: guid(policyAssignmentManagementGroupId, 'pbmm-Contributor')
  // Scoped to the management group the template is deployed to. NOTE(review): the policy
  // assignment above is scoped to policyAssignmentManagementGroupId via tenantResourceId();
  // the two only coincide when this template is deployed at that same management group.
  // If they can differ, remediation would run with rights on a different subtree than the
  // one being remediated — confirm the deployment target.
  scope: managementGroup()
  properties: {
    // Built-in Contributor role definition id.
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
    // Referencing the assignment's identity also creates an implicit dependency, so the
    // identity exists before this role assignment is created.
    principalId: policySetAssignment.identity.principalId
    // Stating the principal type avoids replication-delay failures when the service
    // principal has just been created.
    principalType: 'ServicePrincipal'
  }
}