Align custom role definitions to CAF (#138)

* Align custom roles to CAF recommendations * Ensure custom roles are created through roles CI * Add branch config for testing * Update pipeline step name * Add role description * Update role description * Remove branch config
Azure · Jan 16, 2022 · 7ea0e90 · 7ea0e90
1 parent bfbd761
commit 7ea0e90
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 7 deletions.
diff --git a/.pipelines/roles.yml b/.pipelines/roles.yml
@@ -52,7 +52,7 @@ stages:
     steps:
     - template: templates/steps/create-roles.yml
       parameters:
-        description: 'Create Custom Roles'
+        description: 'Custom Role'
         workingDir: $(System.DefaultWorkingDirectory)/roles
-        deployTemplates: [la-vminsights-readonly, lz-appowner]
+        deployTemplates: [lz-netops, lz-secops, lz-subowner, lz-appowner, la-vminsights-readonly]
         deployOperation: ${{ variables['deployOperation'] }}
diff --git a/roles/la-vminsights-readonly.bicep b/roles/la-vminsights-readonly.bicep
@@ -14,6 +14,7 @@ param assignableMgId string
 
 var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
 var roleName = 'Custom - Log Analytics - Read Only for VM Insights'
+var roleDescription = 'Read only access to Log Analytics for VM Insights.'
 
 // Telemetry - Azure customer usage attribution
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -27,7 +28,7 @@ resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' =
   scope: managementGroup()
   properties: {
     roleName: roleName
-    description: ''
+    description: roleDescription
     permissions: [
       {
         actions: [

diff --git a/roles/lz-appowner.bicep b/roles/lz-appowner.bicep
@@ -14,6 +14,7 @@ param assignableMgId string
 
 var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
 var roleName = 'Custom - Landing Zone Application Owner'
+var roleDescription = 'Contributor role granted for application/operations team at resource group level.'
 
 // Telemetry - Azure customer usage attribution
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -22,15 +23,18 @@ module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usag
   name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
 }
 
+// Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
 resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
   name: guid(roleName)
   scope: managementGroup()
   properties: {
     roleName: roleName
-    description: ''
+    description: roleDescription
     permissions: [
       {
-        actions: []
+        actions: [
+          '*'
+        ]
         notActions: [
           'Microsoft.Authorization/*/write'
           'Microsoft.Network/publicIPAddresses/write'

diff --git a/roles/lz-netops.bicep b/roles/lz-netops.bicep
@@ -0,0 +1,50 @@
+// ----------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+//
+// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+// ----------------------------------------------------------------------------------
+
+targetScope = 'managementGroup'
+
+@description('Management Group Id for assignable scope.')
+param assignableMgId string
+
+var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
+var roleName = 'Custom - Network Operations (NetOps)'
+var roleDescription = 'Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others.'
+
+// Telemetry - Azure customer usage attribution
+// Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
+var telemetry = json(loadTextContent('../config/telemetry.json'))
+module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+}
+
+// Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
+resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+  name: guid(roleName)
+  scope: managementGroup()
+  properties: {
+    roleName: roleName
+    description: roleDescription
+    permissions: [
+      {
+        actions: [
+          '*/read'
+          'Microsoft.Network/*'
+          'Microsoft.Resources/deployments/*'
+          'Microsoft.Support/*'
+        ]
+        notActions: []
+        dataActions: []
+        notDataActions: []
+      }
+    ]
+    assignableScopes: [
+      scope
+    ]
+  }
+}
diff --git a/roles/lz-secops.bicep b/roles/lz-secops.bicep
@@ -0,0 +1,58 @@
+// ----------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+//
+// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+// ----------------------------------------------------------------------------------
+
+targetScope = 'managementGroup'
+
+@description('Management Group Id for assignable scope.')
+param assignableMgId string
+
+var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
+var roleName = 'Custom - Security Operations (SecOps)'
+var roleDescription = 'Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.'
+
+// Telemetry - Azure customer usage attribution
+// Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
+var telemetry = json(loadTextContent('../config/telemetry.json'))
+module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
+  name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+}
+
+// Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
+resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+  name: guid(roleName)
+  scope: managementGroup()
+  properties: {
+    roleName: roleName
+    description: roleDescription
+    permissions: [
+      {
+        actions: [
+          '*/read'
+          '*/register/action'
+          'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+          'Microsoft.PolicyInsights/*'
+          'Microsoft.Authorization/policyAssignments/*'
+          'Microsoft.Authorization/policyDefinitions/*'
+          'Microsoft.Authorization/policyExemptions/*'
+          'Microsoft.Authorization/policySetDefinitions/*'
+          'Microsoft.Insights/alertRules/*'
+          'Microsoft.Resources/deployments/*'
+          'Microsoft.Security/*'
+          'Microsoft.Support/*'
+        ]
+        notActions: []
+        dataActions: []
+        notDataActions: []
+      }
+    ]
+    assignableScopes: [
+      scope
+    ]
+  }
+}
diff --git a/roles/lz-subowner.bicep b/roles/lz-subowner.bicep
@@ -14,6 +14,7 @@ param assignableMgId string
 
 var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
 var roleName = 'Custom - Landing Zone Subscription Owner'
+var roleDescription = 'Delegated role for subscription owner generated from subscription Owner role.'
 
 // Telemetry - Azure customer usage attribution
 // Reference:  https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -22,15 +23,18 @@ module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usag
   name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
 }
 
+// Reference:  https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
 resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
   name: guid(roleName)
   scope: managementGroup()
   properties: {
     roleName: roleName
-    description: ''
+    description: roleDescription
     permissions: [
       {
-        actions: []
+        actions: [
+          '*'
+        ]
         notActions: [
           'Microsoft.Authorization/*/write'
           'Microsoft.Network/vpnGateways/*'