diff --git a/.pipelines/roles.yml b/.pipelines/roles.yml
index 5c648171..1c4cd7d9 100644
--- a/.pipelines/roles.yml
+++ b/.pipelines/roles.yml
@@ -52,7 +52,7 @@ stages:
 steps:
 - template: templates/steps/create-roles.yml
 parameters:
- description: 'Create Custom Roles'
+ description: 'Custom Role'
 workingDir: $(System.DefaultWorkingDirectory)/roles
- deployTemplates: [la-vminsights-readonly, lz-appowner]
+ deployTemplates: [lz-netops, lz-secops, lz-subowner, lz-appowner, la-vminsights-readonly]
 deployOperation: ${{ variables['deployOperation'] }}
diff --git a/roles/la-vminsights-readonly.bicep b/roles/la-vminsights-readonly.bicep
index 9c0683a1..6eaff549 100644
--- a/roles/la-vminsights-readonly.bicep
+++ b/roles/la-vminsights-readonly.bicep
@@ -14,6 +14,7 @@ param assignableMgId string
 var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
 var roleName = 'Custom - Log Analytics - Read Only for VM Insights'
+var roleDescription = 'Read only access to Log Analytics for VM Insights.'
 // Telemetry - Azure customer usage attribution
 // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -27,7 +28,7 @@ resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' =
 scope: managementGroup()
 properties: {
 roleName: roleName
- description: ''
+ description: roleDescription
 permissions: [
 {
 actions: [
diff --git a/roles/lz-appowner.bicep b/roles/lz-appowner.bicep
index 311d927b..793e9570 100644
--- a/roles/lz-appowner.bicep
+++ b/roles/lz-appowner.bicep
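Review bot: `deployTemplates: [lz-netops, lz-secops, lz-subowner, lz-appowner, la-vminsights-readonly]` keeps a growing list in flow style on one line; a block sequence with one `- lz-netops` entry per line would make the next role a one-line diff and is the form yamllint and Prettier default to. The new entries are plain scalars that match the `roles/*.bicep` file names added in this commit, which is consistent, but nothing says whether create-roles.yml deploys them in list order or in parallel; a one-line comment above the key stating that expectation would help whoever adds the next role. The `stages:` block this step belongs to starts outside the hunk.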
@@ -14,6 +14,7 @@ param assignableMgId string
 var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
 var roleName = 'Custom - Landing Zone Application Owner'
+var roleDescription = 'Contributor role granted for application/operations team at resource group level.'
 // Telemetry - Azure customer usage attribution
 // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -22,15 +23,18 @@ module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usag
 name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
 }
+// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
 resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
 name: guid(roleName)
 scope: managementGroup()
 properties: {
 roleName: roleName
- description: ''
+ description: roleDescription
 permissions: [
 {
- actions: []
+ actions: [
+ '*'
+ ]
 notActions: [
 'Microsoft.Authorization/*/write'
 'Microsoft.Network/publicIPAddresses/write'
diff --git a/roles/lz-netops.bicep b/roles/lz-netops.bicep
new file mode 100644
index 00000000..b1009b36
--- /dev/null
+++ b/roles/lz-netops.bicep
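Review bot: Replacing `actions: []` with an `actions` list holding `'*'` turns roleDefn into a deny-list role: every control-plane action not named in notActions is granted, including actions of resource providers that do not exist yet, and nothing in the file records that this is deliberate. A comment above `actions` would make the model explicit, e.g. `// Deny-list role: '*' grants every control-plane action except those in notActions below; notActions only narrows this role and is not a deny assignment, so an excluded action is still available through any other role assignment the principal holds.` The same change is made in roles/lz-subowner.bicep and needs the same note. The notActions list and the rest of roleDefn continue past the end of the hunk.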
@@ -0,0 +1,50 @@
+// ----------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+//
+// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
+// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+// ----------------------------------------------------------------------------------
+
+targetScope = 'managementGroup'
+
+@description('Management Group Id for assignable scope.')
+param assignableMgId string
+
+var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
+var roleName = 'Custom - Network Operations (NetOps)'
+var roleDescription = 'Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others.'
+
+// Telemetry - Azure customer usage attribution
+// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
+var telemetry = json(loadTextContent('../config/telemetry.json'))
+module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
+ name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+}
+
+// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
+resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+ name: guid(roleName)
+ scope: managementGroup()
+ properties: {
+ roleName: roleName
+ description: roleDescription
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ 'Microsoft.Network/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Support/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ scope
+ ]
+ }
+}
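Review bot: `name: guid(roleName)` derives the role definition's GUID from the display name alone, so `assignableMgId` does not take part in it; role definitions are tenant-wide objects, and as far as I can tell a second deployment of this template with a different `assignableMgId` would update the same definition and replace its single-element `assignableScopes` with the new scope rather than add one. If one definition per tenant is the intent, record it above the resource, e.g. `// One tenant-wide definition per roleName: redeploying with another assignableMgId replaces assignableScopes, it does not append.`; if several management groups should be assignable, the parameter should become a list that feeds assignableScopes. roles/lz-secops.bicep introduces the same naming in this commit and the same note applies there.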
diff --git a/roles/lz-secops.bicep b/roles/lz-secops.bicep
new file mode 100644
index 00000000..368545c4
--- /dev/null
+++ b/roles/lz-secops.bicep
@@ -0,0 +1,58 @@
+// ----------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+//
+// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
+// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+// ----------------------------------------------------------------------------------
+
+targetScope = 'managementGroup'
+
+@description('Management Group Id for assignable scope.')
+param assignableMgId string
+
+var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
+var roleName = 'Custom - Security Operations (SecOps)'
+var roleDescription = 'Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.'
+
+// Telemetry - Azure customer usage attribution
+// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
+var telemetry = json(loadTextContent('../config/telemetry.json'))
+module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
+ name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
+}
+
+// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
+resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+ name: guid(roleName)
+ scope: managementGroup()
+ properties: {
+ roleName: roleName
+ description: roleDescription
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ '*/register/action'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ 'Microsoft.PolicyInsights/*'
+ 'Microsoft.Authorization/policyAssignments/*'
+ 'Microsoft.Authorization/policyDefinitions/*'
+ 'Microsoft.Authorization/policyExemptions/*'
+ 'Microsoft.Authorization/policySetDefinitions/*'
+ 'Microsoft.Insights/alertRules/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Security/*'
+ 'Microsoft.Support/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ scope
+ ]
+ }
+}
diff --git a/roles/lz-subowner.bicep b/roles/lz-subowner.bicep
index 56518fc5..4334fb81 100644
--- a/roles/lz-subowner.bicep
+++ b/roles/lz-subowner.bicep
@@ -14,6 +14,7 @@ param assignableMgId string
 var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
 var roleName = 'Custom - Landing Zone Subscription Owner'
+var roleDescription = 'Delegated role for subscription owner generated from subscription Owner role.'
 // Telemetry - Azure customer usage attribution
 // Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
@@ -22,15 +23,18 @@ module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usag
 name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
 }
+// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
 resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
 name: guid(roleName)
 scope: managementGroup()
 properties: {
 roleName: roleName
- description: ''
+ description: roleDescription
 permissions: [
 {
- actions: []
+ actions: [
+ '*'
+ ]
 notActions: [
 'Microsoft.Authorization/*/write'
 'Microsoft.Network/vpnGateways/*'
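Review bot: `'Microsoft.KeyVault/locations/deletedVaults/purge/action'` is the one irreversible action in this role (purging a soft-deleted vault permanently destroys its keys and secrets) and it sits in the list with no explanation beyond the "purge policy" wording of roleDescription. A comment on that line stating why SecOps holds it, and that vaults with purge protection enabled remain protected regardless, would help whoever reviews a future assignment of this role, e.g. `// Purge of soft-deleted vaults is irreversible; vaults with purge protection enabled still cannot be purged.` `'*/register/action'` likewise lets the role register any resource provider on a subscription, which is broader than the Security and Policy scope the description suggests and is worth a comment if deliberate.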