// This template deploys at management-group scope, so the policy assignment below
// applies to every subscription and resource group under that management group.
targetScope = 'managementGroup'
// Region used for the assignment resource; defaults to the deployment's own location.
param location string = deployment().location
// Single configuration object for the policy assignment:
//   name         - assignment resource name
//   displayname  - assignment display name (key is lowercase 'n', matched by the resource below)
//   description  - assignment description
//   definitionID - resource ID of the policySetDefinition (initiative) being assigned
//   parameters   - values for the two initiative parameters the resource passes through
//   overrides    - per-effect lists of policyDefinitionReferenceIds whose effect is forced
// NOTE(review): the entries under 'Disabled' switch those controls off for the whole scope;
// the rationale/exception owner for each is not recorded here — confirm and document.
param Assignment object = {
  name: 'MS-Cloud-Sec-Benchmark'
  displayname: 'Microsoft Cloud Security Benchmark'
  description: 'Microsoft Cloud Security Benchmark policy assignment including Overrides'
  definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
  parameters: {
    networkSecurityGroupsOnSubnetsMonitoringEffect: 'AuditIfNotExists'
    networkSecurityGroupsOnVirtualMachinesMonitoringEffect: 'AuditIfNotExists'
  }
  overrides: {
    Audit: [
      'sqlManagedInstanceADOnlyEnabledMonitoring' // Policy without initiative parameter
      'synapseWorkspaceADOnlyEnabledMonitoring' // Policy without initiative parameter
      'sqlServerADOnlyEnabledMonitoring' // Policy without initiative parameter
    ]
    AuditIfNotExists: [
      'mySqlServerADAdminisMonitoring' // Policy without initiative parameter
      'postgreSqlServerADAdminisMonitoring' // Policy without initiative parameter
      'mySqlServerADOnlyEnabledMonitoring' // Policy without initiative parameter
    ]
    // Eight API Management controls are disabled rather than audited; see review note above.
    Disabled: [
      'aPIManagementServiceShouldNotHaveAllApisScopedSubscriptions' // Policy without initiative parameter
      'aPIManagementServiceShouldNotBypassCertificateValidation' // Policy without initiative parameter
      'aPIManagementServiceShouldUseEncryptedProtocols' // Policy without initiative parameter
      'aPIManagementServiceShouldUseKeyVaultForSecretNamedValues' // Policy without initiative parameter
      'aPIManagementServiceShouldHaveDirectManagementEndpointDisabled' // Policy without initiative parameter
      'aPIManagementServiceShouldDisableServiceConfigurationEndpoints' // Policy without initiative parameter
      'aPIManagementServiceShouldHaveMinimumAPIVersionSet' // Policy without initiative parameter
      'aPIManagementServiceShouldHaveBackendCallsAuthenticated' // Policy without initiative parameter
    ]
    // Deny blocks new classic (ASM) compute and storage deployments in scope.
    Deny: [
      'classicComputeVMsMonitoring' // Policy with initiative parameter but used in policy override
      'classicStorageAccountsMonitoring' // Policy with initiative parameter but used in policy override
    ]
  }
}
// Assigns the initiative referenced by Assignment.definitionID at the target management group.
// The two initiative parameters and the four effect overrides are all taken from the
// Assignment object; each override pins one policyEffect for the policyDefinitionReferenceIds
// listed under that effect. No identity block is declared, so the assignment cannot carry
// a managed identity; NOTE(review): any DeployIfNotExists/Modify policies in the initiative
// would therefore not remediate — confirm that is intended.
resource PolicyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: Assignment.name
  location: location
  properties: {
    displayName: Assignment.displayname
    description: Assignment.description
    policyDefinitionId: Assignment.definitionID
    // Assignment parameter values must be wrapped as { value: ... } objects.
    parameters: {
      networkSecurityGroupsOnSubnetsMonitoringEffect: {
        value: Assignment.parameters.networkSecurityGroupsOnSubnetsMonitoringEffect
      }
      networkSecurityGroupsOnVirtualMachinesMonitoringEffect: {
        value: Assignment.parameters.networkSecurityGroupsOnVirtualMachinesMonitoringEffect
      }
    }
    // One policyEffect override per effect, in the same order as the original explicit list;
    // the effect name doubles as the key into Assignment.overrides.
    overrides: [for effect in ['Audit', 'AuditIfNotExists', 'Disabled', 'Deny']: {
      kind: 'policyEffect'
      value: effect
      selectors: [
        {
          kind: 'policyDefinitionReferenceId'
          in: Assignment.overrides[effect]
        }
      ]
    }]
  }
}