From 3ce2cf875b5d6c9464a0262f183a37f40399f8dd Mon Sep 17 00:00:00 2001
From: Senthuran Sivananthan
Date: Fri, 1 Apr 2022 22:49:44 -0400
Subject: [PATCH] Use built-in policy for Cosmos DB for Defender Plan (#232)
* Use built-in policy for Cosmos DB for Defender Plan
* Add branch config
* Remove branch config
---
 .../azurepolicy.config.json | 4 --
 .../azurepolicy.parameters.json | 26 -------
 .../azurepolicy.rules.json | 69 -------------------
 .../policyset/DefenderForCloud.bicep | 9 +--
 .../DefenderForCloud.parameters.json | 6 +-
 5 files changed, 3 insertions(+), 111 deletions(-)
 delete mode 100644 policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
 delete mode 100644 policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
 delete mode 100644 policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
deleted file mode 100644
index 8ec9513c..00000000
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "name": "Configure Microsoft Defender for Cosmos DB to be enabled",
- "mode": "all"
-}
\ No newline at end of file
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
deleted file mode 100644
index e26bb99e..00000000
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "pricingTier": {
- "type": "string",
- "metadata": {
- "displayName": "Azure Defender pricing tier",
- "description": "Azure Defender pricing tier"
- },
- "allowedValues": [
- "Standard",
- "Free"
- ],
- "defaultValue": "Standard"
- },
- "effect": {
- "type": "string",
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- },
- "allowedValues": [
- "DeployIfNotExists",
- "Disabled"
- ],
- "defaultValue": "DeployIfNotExists"
- }
-}
\ No newline at end of file
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
deleted file mode 100644
index 673ab77c..00000000
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Resources/subscriptions"
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]",
- "details": {
- "type": "Microsoft.Security/pricings",
- "name": "CosmosDbs",
- "deploymentScope": "Subscription",
- "existenceScope": "Subscription",
- "roleDefinitionIds": [
- "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
- ],
- "existenceCondition": {
- "allOf": [
- {
- "field": "Microsoft.Security/pricings/pricingTier",
- "equals": "[parameters('pricingTier')]"
- },
- {
- "field": "type",
- "equals": "Microsoft.Security/pricings"
- }
- ]
- },
- "deployment": {
- "location": "canadacentral",
- "properties": {
- "mode": "incremental",
- "parameters": {
- "pricingTier": {
- "value": "[parameters('pricingTier')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "pricingTier": {
- "type": "string",
- "metadata": {
- "description": "Azure Defender pricing tier"
- }
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Security/pricings",
- "apiVersion": "2018-06-01",
- "name": "CosmosDbs",
- "properties": {
- "pricingTier": "[parameters('pricingTier')]"
- }
- }
- ],
- "outputs": {}
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.bicep b/policy/custom/definitions/policyset/DefenderForCloud.bicep
index 182a7514..853dbee4 100644
--- a/policy/custom/definitions/policyset/DefenderForCloud.bicep
+++ b/policy/custom/definitions/policyset/DefenderForCloud.bicep
@@ -9,11 +9,6 @@ targetScope = 'managementGroup' -@description('Management Group scope for the policy definition.') -param policyDefinitionManagementGroupId string - -var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId) - resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = { name: 'custom-enable-azure-defender' properties: {
@@ -173,8 +168,8 @@ resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-
 groupNames: [
 'EXTRA'
 ]
- policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'DefenderForCloud-Deploy-DefenderPlan-CosmosDB')
- policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Cosmos DB to be enabled', ' ', '-'))
+ policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542'
+ policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Azure Cosmos DB to be enabled', ' ', '-'))
 parameters: {}
 }
 ]
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
index 434f8920..1be78a2d 100644
--- a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
+++ b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
@@ -1,9 +1,5 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
- "parameters": {
- "policyDefinitionManagementGroupId": {
- "value": "{{var-topLevelManagementGroupName}}"
- }
- }
+ "parameters": {}
 }
\ No newline at end of file
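Review bot: Dropping `policyDefinitionManagementGroupId` and `customPolicyDefinitionMgScope` is only safe if no other member of this policy set still builds its `policyDefinitionId` with `extensionResourceId(customPolicyDefinitionMgScope, ...)`; the body of `ascAzureDefender` continues past this hunk, so that cannot be confirmed from the diff. The matching value is removed from DefenderForCloud.parameters.json in the same commit, but a pipeline that supplies the parameter on the command line rather than through that file would now be rejected for an unknown parameter. The removed parameter is worth calling out as a breaking change for anyone deploying this set with their own parameters file.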
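Review bot: The new `policyDefinitionReferenceId` is the slug of a different display name than before, which renames this member inside a policy set that may already be assigned; anything keyed to the old reference id (per-reference parameter overrides, exemptions, remediation tasks) would presumably stop matching, and the member's compliance history would start over under the new id, so if that is not intended the old string can be kept as the reference id while still pointing at the built-in definition. The bare GUID gives a reader no clue which built-in this is; a comment such as `// Built-in: Configure Microsoft Defender for Azure Cosmos DB to be enabled` above `policyDefinitionId` would help. The custom definition being replaced exposed a `pricingTier` parameter (Standard or Free); with `parameters: {}` the built-in's own defaults now apply unconditionally, which should be confirmed against the built-in's parameter list before merging.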