
updating AdvWorks (#318)
krnese authored Nov 23, 2020
1 parent 4a77c3d commit fd68830
Showing 6 changed files with 17,108 additions and 9,785 deletions.


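--- a/docs/reference/adventureworks/armTemplates/auxiliary/identity.json
+++ b/docs/reference/adventureworks/armTemplates/auxiliary/identity.json
@@ -0,0 +1,132 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"topLevelManagementGroupPrefix": {
+"type": "string",
+"maxLength": 5
+},
+"denyRdpForIdentity": {
+"type": "string",
+"defaultValue": "No",
+"allowedValues": [
+"Yes",
+"No"
+]
+},
+"denySubnetWithoutNsgForIdentity": {
+"type": "string",
+"allowedValues": [
+"Yes",
+"No"
+],
+"defaultValue": "No"
+},
+"denyPipForIdentity": {
+"type": "string",
+"allowedValues": [
+"Yes",
+"No"
+],
+"defaultValue": "No"
+},
+"enableVmBackupForIdentity": {
+"type": "string",
+"allowedValues": [
+"Yes",
+"No"
+],
+"defaultValue": "No"
+}
+},
+"variables": {
+"scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-identity')]",
+"policyDefinitions": {
+"denySubnetWithoutNsg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg')]",
+"denyPip": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP')]",
+"denyRdp": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
+"deployVmBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-AzureBackup-on-VM')]"
+},
+"policyAssignmentNames": {
+"denySubnetWithoutNsg": "Deny-Subnet-Without-Nsg",
+"denyRdp": "Deny-RDP-from-internet",
+"denyPip": "Deny-Public-IP",
+"deployVmBackup": "Deploy-VM-Backup"
+},
+"rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+"roleAssignmentNames": {
+"deployVmBackup": "[guid(concat(parameters('toplevelManagementGroupPrefix'), 'identity', variables('policyAssignmentNames').deployVmBackup))]"
+}
+//"blankTemplateEscaped": "{\"$schema\":\"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{},\"variables\":{},\"resources\":[],\"outputs\":{}}"
+},
+"resources": [
+{
+"condition": "[equals(parameters('enableVmBackupForIdentity'), 'Yes')]",
+"type": "Microsoft.Authorization/policyAssignments",
+"apiVersion": "2018-05-01",
+"name": "[variables('policyAssignmentNames').deployVmBackup]",
+"location": "[deployment().location]",
+"identity": {
+"type": "SystemAssigned"
+},
+"properties": {
+"description": "Deploy-VM-Backup",
+"displayName": "Deploy-VM-Backup",
+"policyDefinitionId": "[variables('policyDefinitions').deployVmBackup]",
+"scope": "[variables('scope')]",
+"parameters": {}
+}
+},
+{
+"condition": "[equals(parameters('enableVmBackupForIdentity'), 'Yes')]",
+"type": "Microsoft.Authorization/roleAssignments",
+"apiVersion": "2019-04-01-preview",
+"name": "[variables('roleAssignmentNames').deployVmBackup]",
+"dependsOn": [
+"[variables('policyAssignmentNames').deployVmBackup]"
+],
+"properties": {
+"principalType": "ServicePrincipal",
+"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+"principalId": "[if(equals(parameters('enableVmBackupForIdentity'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployVmBackup), '2018-05-01', 'Full' ).identity.principalId), 'na')]"
+}
+},
+{
+"condition": "[equals(parameters('denyPipForIdentity'), 'Yes')]",
+"type": "Microsoft.Authorization/policyAssignments",
+"apiVersion": "2018-05-01",
+"name": "[variables('policyAssignmentNames').denyPip]",
+"properties": {
+"description": "Deny-Public-IP",
+"displayName": "Deny-Public-IP",
+"policyDefinitionId": "[variables('policyDefinitions').denyPip]",
+"scope": "[variables('scope')]"
+}
+},
+{
+"condition": "[equals(parameters('denyRdpForIdentity'), 'Yes')]",
+"type": "Microsoft.Authorization/policyAssignments",
+"apiVersion": "2018-05-01",
+"name": "[variables('policyAssignmentNames').denyRdp]",
+"properties": {
+"description": "Deny-RDP-from-Internet",
+"displayName": "Deny-RDP-from-Internet",
+"policyDefinitionId": "[variables('policyDefinitions').denyRdp]",
+"scope": "[variables('scope')]"
+}
+},
+{
+"condition": "[equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes')]",
+"type": "Microsoft.Authorization/policyAssignments",
+"apiVersion": "2018-05-01",
+"name": "[variables('policyAssignmentNames').denySubnetWithoutNsg]",
+"properties": {
+"description": "Deny-Subnet-Without-Nsg",
+"displayName": "Deny-Subnet-Without-Nsg",
+"policyDefinitionId": "[variables('policyDefinitions').denySubnetWithoutNsg]",
+"scope": "[variables('scope')]"
+}
+}
+],
+"outputs": {}
+}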
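Review bot: The role assignment at L101–L112 grants the Deploy-VM-Backup assignment's system-assigned identity the Owner built-in role (`rbacOwner`, L75) at whatever scope this template is deployed to (the resource sets no `scope`), which is far broader than a DeployIfNotExists backup remediation needs. Least privilege here is to assign only the role(s) the Deploy-AzureBackup-on-VM definition declares under its `roleDefinitionIds` (that definition is not in this commit, so confirm against it), and to note the choice in the template, e.g. a comment above L75: `// Owner is over-scoped for remediation; use the roleDefinitionIds from the policy definition`. The same Owner grant is repeated for the new `deployAks` role assignment in lz.json (L223–L236), so the fix applies there as well.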
51 changes: 46 additions & 5 deletions docs/reference/adventureworks/armTemplates/auxiliary/lz.json
Expand Up @@ -14,6 +14,14 @@
"No"
]
},
"enableAksPolicy": {
"type": "string",
"defaultValue": "No",
"allowedValues": [
"Yes",
"No"
]
},
"enableSqlEncryption": {
"type": "string",
"defaultValue": "No",
Expand Down Expand Up @@ -74,7 +82,8 @@
"deploySqlSecurity": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036",
"deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
"storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
"deployStorageAtp": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c"
"deployStorageAtp": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c",
"deployAks": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d"
},
"policyAssignmentNames": {
"deployVmBackup": "Deploy-VM-Backup",
Expand All @@ -85,16 +94,18 @@
"deploysqlSecurity": "Deploy-SQL-Security",
"deploySqlAuditing": "Deploy-SQL-DB-Auditing",
"storageHttps": "Deny-Storage-http",
"deployStorageAtp": "Deploy-Storage-ATP"
"deployStorageAtp": "Deploy-Storage-ATP",
"deployAks": "Deploy-AKS-Policy"
},
"rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"roleAssignmentNames": {
"deployVmBackup": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployVmBackup))]",
"deploySqlSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploysqlSecurity))]",
"deploySqlAuditing": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing))]",
"deployStorageAtp": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployStorageAtp))]",
"deploySqlEncryption": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]"
},
"deploySqlEncryption": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]",
"deployAks": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]"
}
//"blankTemplateEscaped": "{\"$schema\":\"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{},\"variables\":{},\"resources\":[],\"outputs\":{}}"
},
"resources": [
Expand Down Expand Up @@ -219,7 +230,37 @@
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
"principalId": "[if(equals(parameters('enableSqlEncryption'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlEncryption), '2018-05-01', 'Full' ).identity.principalId), 'na')]"
}
},
},
{
"condition": "[equals(parameters('enableAksPolicy'), 'Yes')]",
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2018-05-01",
"name": "[variables('policyAssignmentNames').deployAks]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "Deploy-AKS-Policy",
"displayName": "Deploy-AKS-Policy",
"policyDefinitionId": "[variables('policyDefinitions').deployAks]",
"scope": "[variables('scope')]"
}
},
{
"condition": "[equals(parameters('enableAksPolicy'), 'Yes')]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployAks]",
"dependsOn": [
"[variables('policyAssignmentNames').deployAks]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
"principalId": "[if(equals(parameters('enableAksPolicy'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2018-05-01', 'Full' ).identity.principalId), 'na')]"
}
},
{
"condition": "[equals(parameters('enableStorageHttps'), 'Yes')]",
"type": "Microsoft.Authorization/policyAssignments",
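Review bot: In the third hunk, the new `deployAks` entry at L196 reads `parameters('topLevelManagementGroupPrefix')` while the five existing siblings at L189–L195 use `toplevelManagementGroupPrefix`; ARM resolves parameter names case-insensitively so both evaluate, but mixed casing inside one object reads like a typo and invites an inconsistent "fix" later. The smallest change is to match the siblings, `"deployAks": "[guid(concat(parameters('toplevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]"`; the better one is to align all six with the declared parameter name, which sits outside this diff. The enclosing `variables` object starts above the hunk.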
