// ----------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
//
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// ----------------------------------------------------------------------------------
// This template is deployed at management-group scope; resources declared below
// without an explicit scope land in the management group the deployment targets.
targetScope = 'managementGroup'

// ---- Inputs ----------------------------------------------------------------

@sys.description('Location for the deployment.')
param location string = deployment().location

@sys.description('Management Group scope for the policy definition.')
param policyDefinitionManagementGroupId string

@sys.description('Management Group scope for the policy assignment.')
param policyAssignmentManagementGroupId string

@sys.description('Policy set assignment enforcement mode. Possible values are { Default, DoNotEnforce }. Default value: Default')
@sys.allowed([
  'Default'
  'DoNotEnforce'
])
param enforcementMode string = 'Default'

@sys.description('Azure DDOS Standard Plan Resource Id.')
param ddosStandardPlanId string

// ---- Derived values --------------------------------------------------------

// Name of the custom policy definition that this file assigns. It is resolved
// under policyDefinitionManagementGroupId (see policyScopedId) and is expected to
// already exist there at deployment time.
var policyId = 'Network-Deploy-DDoS-Standard'
var assignmentName = 'Custom - Enable DDoS Standard on Virtual Networks'

// Tenant-level resource ids of the two management groups involved: the one the
// definition lives in and the one the assignment applies to.
var policyDefinitionScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)

// Fully-qualified id of the policy definition as an extension resource of its
// management group.
var policyScopedId = extensionResourceId(policyDefinitionScope, 'Microsoft.Authorization/policyDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
//
// The telemetry settings are read at compile time from the repository config
// file, so the deployed template carries no runtime dependency on it.
var telemetry = json(loadTextContent('../../../config/telemetry.json'))
var customerUsageAttributionEnabled = telemetry.customerUsageAttribution.enabled

// Deploys the attribution marker module only when the config opts in; the
// module name embeds the partner id for the policy module family.
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (customerUsageAttributionEnabled) {
  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-ddos'
}
// Assigns the DDoS Standard policy definition to policyAssignmentManagementGroupId.
// The assignment resource itself is created in the deployment's management group;
// properties.scope decides which management group the policy evaluates.
resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
  // uniqueString keeps the assignment name stable per target management group.
  name: format('ddos-{0}', uniqueString(policyAssignmentManagementGroupId))
  // A location is required whenever an assignment carries a managed identity.
  location: location
  // System-assigned identity: its principalId is what the role assignment below
  // grants Network Contributor to, so remediation can run under this identity.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: assignmentName
    policyDefinitionId: policyScopedId
    scope: scope
    // No exclusions: every child scope of the target management group is in scope.
    notScopes: []
    // Forwarded to the policy definition; the definition is assumed to declare a
    // 'planId' parameter — verify against Network-Deploy-DDoS-Standard.
    parameters: {
      planId: {
        value: ddosStandardPlanId
      }
    }
    // 'DoNotEnforce' evaluates compliance without applying the policy effect.
    enforcementMode: enforcementMode
  }
}
// These role assignments are required to allow Policy Assignment to remediate.
//
// Built-in 'Network Contributor' role definition id (fixed across tenants).
var networkContributorRoleDefinitionId = tenantResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')

// Grants the assignment's managed identity Network Contributor over the whole
// management group this deployment targets (managementGroup()), not specifically
// policyAssignmentManagementGroupId. When both are the same group this is the
// minimum scope at which remediation of every child virtual network can work;
// if they differ, the grant either misses the target or is broader than needed —
// confirm the deployment target matches the assignment target.
resource policySetRoleAssignmentNetworkContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Deterministic name: the same management group / role pair always maps to the
  // same role assignment, so redeployments update rather than duplicate it.
  name: guid(policyAssignmentManagementGroupId, 'ddos-standard', 'Network Contributor')
  scope: managementGroup()
  properties: {
    roleDefinitionId: networkContributorRoleDefinitionId
    // Identity created by the policy assignment above (implicit dependency).
    principalId: policySetAssignment.identity.principalId
    // NOTE(review): stating the principal type for a just-created identity is the
    // documented way to avoid directory replication-delay failures — confirm.
    principalType: 'ServicePrincipal'
  }
}