fixed the remaining linter errors in the policy definitions

cds-snc · Feb 11, 2023 · 20e1880 · 20e1880
1 parent 1610a28
commit 20e1880
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 47 deletions.
diff --git a/bicepconfig.json b/bicepconfig.json
@@ -4,6 +4,9 @@
             "verbose": false,
             "enabled": true,
             "rules": {
+              "use-resource-id-functions": {
+                "level": "warning"
+              },
                 "adminusername-should-not-be-literal": {
                     "level": "error"
                 },

diff --git a/policy/custom/definitions/policyset/AKS.bicep b/policy/custom/definitions/policyset/AKS.bicep
@@ -9,6 +9,11 @@
 
 targetScope = 'managementGroup'
 
+@description('Management Group scope for the policy definition.')
+param policyDefinitionManagementGroupId string
+
+var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
+
 resource aksPolicySet 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = {
   name: 'custom-aks'
   properties: {
@@ -24,15 +29,15 @@ resource aksPolicySet 'Microsoft.Authorization/policySetDefinitions@2020-03-01'
         groupNames: [
           'AKS'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'a8eff44f-8c92-45c3-a3fb-9880802d67a7')
         policyDefinitionReferenceId: toLower(replace('Deploy Azure Policy Add-on to Azure Kubernetes Service clusters', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'AKS'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e')
         policyDefinitionReferenceId: toLower(replace('Kubernetes clusters should use internal load balancers', ' ', '-'))
         parameters: {}
       }

diff --git a/policy/custom/definitions/policyset/AKS.parameters.json b/policy/custom/definitions/policyset/AKS.parameters.json
@@ -1,5 +1,9 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
     "contentVersion": "1.0.0.0",
-    "parameters": {}
+    "parameters": {
+        "policyDefinitionManagementGroupId": {
+            "value": "{{var-topLevelManagementGroupName}}"
+        }
+    }
 }
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.bicep b/policy/custom/definitions/policyset/DefenderForCloud.bicep
@@ -9,6 +9,11 @@
 
 targetScope = 'managementGroup'
 
+@description('Management Group scope for the policy definition.')
+param policyDefinitionManagementGroupId string
+
+var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
+
 resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = {
   name: 'custom-enable-azure-defender'
   properties: {
@@ -24,151 +29,151 @@ resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '361c2074-3595-4e5d-8cab-4f21dffc835c')
         policyDefinitionReferenceId: toLower(replace('Deploy Advanced Threat Protection on Storage Accounts', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '36d49e87-48c4-4f2e-beed-ba4ed02b71f5')
         policyDefinitionReferenceId: toLower(replace('Deploy Threat Detection on SQL servers', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'feedbf84-6b99-488c-acc2-71c829aa5ffc')
         policyDefinitionReferenceId: toLower(replace('Vulnerabilities on your SQL databases should be remediated', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '6134c3db-786f-471e-87bc-8f479dc890f6')
         policyDefinitionReferenceId: toLower(replace('Deploy Advanced Data Security on SQL servers', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4')
         policyDefinitionReferenceId: toLower(replace('Vulnerabilities in security configuration on your virtual machine scale sets should be remediated', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15')
         policyDefinitionReferenceId: toLower(replace('Vulnerabilities in security configuration on your machines should be remediated', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '501541f7-f7e7-4cd6-868c-4190fdad3ac9')
         policyDefinitionReferenceId: toLower(replace('vulnerability assessment solution should be enabled on your virtual machines', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '13ce0167-8ca6-4048-8e6b-f996402e3c1b')
         policyDefinitionReferenceId: toLower(replace('Configure machines to receive the Qualys vulnerability assessment agent', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '1f725891-01c0-420a-9059-4fa46cb770b7')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for Key Vaults to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for App Service to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'b7021b2b-08fd-4dc0-9de7-3c6ece09faf9')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for Resource Manager to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '2370a3c1-4a25-4283-a91a-c9c1a145fb2f')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for DNS to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '44433aa3-7ec2-4002-93ea-65c65ff0310a')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for open-source relational databases to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'b99b73e7-074b-4089-9395-b7236f094491')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for Azure SQL database to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '50ea7265-7d8c-429e-9a7d-ca1f410191c3')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for SQL servers on machines to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '74c30959-af11-47b3-9ed2-a26e03f427a3')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for Storage to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '8e86a5b6-b9bd-49d1-8e21-4bb8a0862222')
         policyDefinitionReferenceId: toLower(replace('Configure Azure Defender for servers to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'c9ddb292-b203-4738-aead-18e2716e858f')
         policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Containers to be enabled', ' ', '-'))
         parameters: {}
       }
       {
         groupNames: [
           'EXTRA'
         ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542'
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', '82bf5b87-728b-4a74-ba4d-6123845cf542')
         policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Azure Cosmos DB to be enabled', ' ', '-'))
         parameters: {}
       }

diff --git a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
@@ -1,5 +1,9 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
     "contentVersion": "1.0.0.0",
-    "parameters": {}
+    "parameters": {
+        "policyDefinitionManagementGroupId": {
+            "value": "{{var-topLevelManagementGroupName}}"
+        }
+    }
 }