PBMM & HITRUST/HIPAA policy update (Azure#238)

cds-snc · Apr 8, 2022 · cc5f017 · cc5f017
1 parent 3259994
commit cc5f017
Show file tree

Hide file tree

Showing 3 changed files with 119 additions and 0 deletions.
diff --git a/policy/builtin/assignments/hitrust-hipaa.bicep b/policy/builtin/assignments/hitrust-hipaa.bicep
@@ -34,6 +34,9 @@ param deployDiagnosticSettingsforNetworkSecurityGroupsRgName string
 @description('A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3')
 param certificateThumbprints string
 
+@description('Log Analytics Workspace Data Retention in days.')
+param requiredRetentionDays string
+
 var policyId = 'a169a624-5599-4385-a696-c8d643089fab' // HITRUST/HIPAA
 var assignmentName = 'HITRUST/HIPAA'
 
@@ -55,6 +58,14 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
     scope: scope
     notScopes: []
     parameters: {
+      'logsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
+        value: true
+      }
+
+      'metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
+        value: false
+      }
+
       // A semicolon-separated list of the names of the applications that should be installed.
       // e.g. 'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*'
       // (to match any application starting with 'Microsoft SQL Server 2014')
@@ -77,6 +88,61 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
       CertificateThumbprints: {
         value: certificateThumbprints
       }
+
+      requiredRetentionDays: {
+        value: requiredRetentionDays
+      }
+
+      listOfResourceTypes: {
+        value: [
+          'Microsoft.AnalysisServices/servers'
+          'Microsoft.ApiManagement/service'
+          'Microsoft.Network/applicationGateways'
+          'Microsoft.Automation/automationAccounts'
+          // 'Microsoft.ContainerInstance/containerGroups'  # Removed since it doesn't have any logs
+          'Microsoft.ContainerRegistry/registries'
+          'Microsoft.ContainerService/managedClusters'
+          'Microsoft.Batch/batchAccounts'
+          'Microsoft.Cdn/profiles/endpoints'
+          'Microsoft.CognitiveServices/accounts'
+          'Microsoft.DocumentDB/databaseAccounts'
+          'Microsoft.DataFactory/factories'
+          'Microsoft.DataLakeAnalytics/accounts'
+          'Microsoft.DataLakeStore/accounts'
+          'Microsoft.EventGrid/eventSubscriptions'
+          'Microsoft.EventGrid/topics'
+          'Microsoft.EventHub/namespaces'
+          'Microsoft.Network/expressRouteCircuits'
+          'Microsoft.Network/azureFirewalls'
+          'Microsoft.HDInsight/clusters'
+          'Microsoft.Devices/IotHubs'
+          'Microsoft.KeyVault/vaults'
+          'Microsoft.Network/loadBalancers'
+          'Microsoft.Logic/integrationAccounts'
+          'Microsoft.Logic/workflows'
+          'Microsoft.DBforMySQL/servers'
+          //'Microsoft.Network/networkInterfaces' # Removed since it doesn't have any logs
+          'Microsoft.Network/networkSecurityGroups'
+          'Microsoft.DBforPostgreSQL/servers'
+          'Microsoft.PowerBIDedicated/capacities'
+          'Microsoft.Network/publicIPAddresses'
+          'Microsoft.RecoveryServices/vaults'
+          'Microsoft.Cache/redis'
+          'Microsoft.Relay/namespaces'
+          'Microsoft.Search/searchServices'
+          'Microsoft.ServiceBus/namespaces'
+          'Microsoft.SignalRService/SignalR'
+          'Microsoft.Sql/servers/databases'
+          //'Microsoft.Sql/servers/elasticPools' # Removed since it doesn't have any logs
+          'Microsoft.StreamAnalytics/streamingjobs'
+          'Microsoft.TimeSeriesInsights/environments'
+          'Microsoft.Network/trafficManagerProfiles'
+          //'Microsoft.Compute/virtualMachines' # Logs are collected through Microsoft Monitoring Agent
+          //'Microsoft.Compute/virtualMachineScaleSets' Removed since it is not supported
+          'Microsoft.Network/virtualNetworks'
+          'Microsoft.Network/virtualNetworkGateways'
+        ]
+      }
     }
     enforcementMode: enforcementMode
   }

diff --git a/policy/builtin/assignments/hitrust-hipaa.parameters.json b/policy/builtin/assignments/hitrust-hipaa.parameters.json
@@ -19,6 +19,9 @@
         },
         "certificateThumbprints": {
             "value": "__tbd__implementation_specific__"
+        },
+        "requiredRetentionDays": {
+            "value": "{{var-logging-logAnalyticsRetentionInDays}}"
         }
     }
 }
diff --git a/policy/builtin/assignments/pbmm.bicep b/policy/builtin/assignments/pbmm.bicep
@@ -68,6 +68,56 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        'metricsEnabled-7f89b1eb-583c-429a-8828-af049802c1d9': {
          value: false
        }
+       listOfResourceTypesWithDiagnosticLogsEnabled: {
+         value: [
+          'Microsoft.AnalysisServices/servers'
+          'Microsoft.ApiManagement/service'
+          'Microsoft.Network/applicationGateways'
+          'Microsoft.Automation/automationAccounts'
+          // 'Microsoft.ContainerInstance/containerGroups'  # Removed since it doesn't have any logs
+          'Microsoft.ContainerRegistry/registries'
+          'Microsoft.ContainerService/managedClusters'
+          'Microsoft.Batch/batchAccounts'
+          'Microsoft.Cdn/profiles/endpoints'
+          'Microsoft.CognitiveServices/accounts'
+          'Microsoft.DocumentDB/databaseAccounts'
+          'Microsoft.DataFactory/factories'
+          'Microsoft.DataLakeAnalytics/accounts'
+          'Microsoft.DataLakeStore/accounts'
+          'Microsoft.EventGrid/eventSubscriptions'
+          'Microsoft.EventGrid/topics'
+          'Microsoft.EventHub/namespaces'
+          'Microsoft.Network/expressRouteCircuits'
+          'Microsoft.Network/azureFirewalls'
+          'Microsoft.HDInsight/clusters'
+          'Microsoft.Devices/IotHubs'
+          'Microsoft.KeyVault/vaults'
+          'Microsoft.Network/loadBalancers'
+          'Microsoft.Logic/integrationAccounts'
+          'Microsoft.Logic/workflows'
+          'Microsoft.DBforMySQL/servers'
+          //'Microsoft.Network/networkInterfaces' # Removed since it doesn't have any logs
+          'Microsoft.Network/networkSecurityGroups'
+          'Microsoft.DBforPostgreSQL/servers'
+          'Microsoft.PowerBIDedicated/capacities'
+          'Microsoft.Network/publicIPAddresses'
+          'Microsoft.RecoveryServices/vaults'
+          'Microsoft.Cache/redis'
+          'Microsoft.Relay/namespaces'
+          'Microsoft.Search/searchServices'
+          'Microsoft.ServiceBus/namespaces'
+          'Microsoft.SignalRService/SignalR'
+          'Microsoft.Sql/servers/databases'
+          //'Microsoft.Sql/servers/elasticPools' # Removed since it doesn't have any logs
+          'Microsoft.StreamAnalytics/streamingjobs'
+          'Microsoft.TimeSeriesInsights/environments'
+          'Microsoft.Network/trafficManagerProfiles'
+          //'Microsoft.Compute/virtualMachines' # Logs are collected through Microsoft Monitoring Agent
+          //'Microsoft.Compute/virtualMachineScaleSets' Removed since it is not supported
+          'Microsoft.Network/virtualNetworks'
+          'Microsoft.Network/virtualNetworkGateways'
+         ]
+       }
     }
     enforcementMode: enforcementMode
   }