Update securityCenter.bicep module API provider to prevent warnings (#…

…560)
Azure · Jan 26, 2022 · b7e1d7e · b7e1d7e
1 parent 6185022
commit b7e1d7e
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 99 deletions.
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.4.1124.51302",
- "templateHash": "10156023147744075921"
+ "templateHash": "1118457920660514703"
  }
  },
  "parameters": {
@@ -4621,7 +4621,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.4.1124.51302",
- "templateHash": "5910850021434301527"
+ "templateHash": "998933596067649007"
  }
  },
  "parameters": {
@@ -4632,13 +4632,6 @@
  "description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
  }
  },
- "enableSecuritySettings": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Turn security policy settings On or Off."
- }
- },
  "logAnalyticsWorkspaceId": {
  "type": "string",
  "metadata": {
@@ -4650,12 +4643,18 @@
  "metadata": {
  "description": "Email address of the contact, in the form of john@doe.com"
  }
+ },
+ "policySetDescription": {
+ "type": "string",
+ "defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
+ "metadata": {
+ "description": "Policy Initiative description field"
+ }
  }
  },
  "variables": {
  "bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
- "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
- "securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
+ "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
  },
  "resources": [
  {
@@ -4699,32 +4698,15 @@
  }
  },
  {
- "type": "Microsoft.Security/policies",
- "apiVersion": "2015-06-01-preview",
- "name": "default",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2021-06-01",
+ "name": "Azure Security Benchmark",
  "properties": {
- "policyLevel": "Subscription",
- "name": "default",
- "unique": "Off",
- "logCollection": "On",
- "recommendations": {
- "patch": "[variables('securitySettings')]",
- "baseline": "[variables('securitySettings')]",
- "antimalware": "[variables('securitySettings')]",
- "diskEncryption": "[variables('securitySettings')]",
- "acls": "[variables('securitySettings')]",
- "nsgs": "[variables('securitySettings')]",
- "waf": "[variables('securitySettings')]",
- "sqlAuditing": "[variables('securitySettings')]",
- "sqlTde": "[variables('securitySettings')]",
- "ngfw": "[variables('securitySettings')]",
- "vulnerabilityAssessment": "[variables('securitySettings')]",
- "storageEncryption": "[variables('securitySettings')]",
- "jitNetworkAccess": "[variables('securitySettings')]"
- },
- "pricingConfiguration": {
- "selectedPricingTier": "Standard"
- }
+ "displayName": "ASC Default",
+ "description": "[parameters('policySetDescription')]",
+ "enforcementMode": "DoNotEnforce",
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  }
  }
  ]
@@ -4765,7 +4747,7 @@
  "_generator": {
  "name": "bicep",
  "version": "0.4.1124.51302",
- "templateHash": "5910850021434301527"
+ "templateHash": "998933596067649007"
  }
  },
  "parameters": {
@@ -4776,13 +4758,6 @@
  "description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
  }
  },
- "enableSecuritySettings": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Turn security policy settings On or Off."
- }
- },
  "logAnalyticsWorkspaceId": {
  "type": "string",
  "metadata": {
@@ -4794,12 +4769,18 @@
  "metadata": {
  "description": "Email address of the contact, in the form of john@doe.com"
  }
+ },
+ "policySetDescription": {
+ "type": "string",
+ "defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
+ "metadata": {
+ "description": "Policy Initiative description field"
+ }
  }
  },
  "variables": {
  "bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
- "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
- "securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
+ "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
  },
  "resources": [
  {
@@ -4843,32 +4824,15 @@
  }
  },
  {
- "type": "Microsoft.Security/policies",
- "apiVersion": "2015-06-01-preview",
- "name": "default",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2021-06-01",
+ "name": "Azure Security Benchmark",
  "properties": {
- "policyLevel": "Subscription",
- "name": "default",
- "unique": "Off",
- "logCollection": "On",
- "recommendations": {
- "patch": "[variables('securitySettings')]",
- "baseline": "[variables('securitySettings')]",
- "antimalware": "[variables('securitySettings')]",
- "diskEncryption": "[variables('securitySettings')]",
- "acls": "[variables('securitySettings')]",
- "nsgs": "[variables('securitySettings')]",
- "waf": "[variables('securitySettings')]",
- "sqlAuditing": "[variables('securitySettings')]",
- "sqlTde": "[variables('securitySettings')]",
- "ngfw": "[variables('securitySettings')]",
- "vulnerabilityAssessment": "[variables('securitySettings')]",
- "storageEncryption": "[variables('securitySettings')]",
- "jitNetworkAccess": "[variables('securitySettings')]"
- },
- "pricingConfiguration": {
- "selectedPricingTier": "Standard"
- }
+ "displayName": "ASC Default",
+ "description": "[parameters('policySetDescription')]",
+ "enforcementMode": "DoNotEnforce",
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  }
  }
  ]

diff --git a/src/bicep/modules/securityCenter.bicep b/src/bicep/modules/securityCenter.bicep
@@ -25,16 +25,16 @@ var bundle = (environment().name != 'AzureUSGovernment' ? [
 param enableAutoProvisioning bool = true
 var autoProvisioning = enableAutoProvisioning ? 'On' : 'Off'
 
-@description('Turn security policy settings On or Off.')
-param enableSecuritySettings bool = true
-var securitySettings = enableSecuritySettings ? 'On' : 'Off'
-
 @description('Specify the ID of your custom Log Analytics workspace to collect ASC data.')
 param logAnalyticsWorkspaceId string
 
 @description('Email address of the contact, in the form of john@doe.com')
 param emailSecurityContact string
 
+@description('Policy Initiative description field')
+param policySetDescription string = 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'
+
+
 // security center
 
 resource securityCenterPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in bundle: {
@@ -70,30 +70,14 @@ resource securityNotifications 'Microsoft.Security/securityContacts@2017-08-01-p
  }
 }
 
-resource securityPoliciesDefault 'Microsoft.Security/policies@2015-06-01-preview' = {
- name: 'default'
+resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+ name: 'Azure Security Benchmark'
+ scope: subscription()
  properties: {
- policyLevel: 'Subscription'
- name: 'default'
- unique: 'Off'
- logCollection: 'On'
- recommendations: {
- patch: securitySettings
- baseline: securitySettings
- antimalware: securitySettings
- diskEncryption: securitySettings
- acls: securitySettings
- nsgs: securitySettings
- waf: securitySettings
- sqlAuditing: securitySettings
- sqlTde: securitySettings
- ngfw: securitySettings
- vulnerabilityAssessment: securitySettings
- storageEncryption: securitySettings
- jitNetworkAccess: securitySettings
- }
- pricingConfiguration: {
- selectedPricingTier: 'Standard'
- }
+ displayName: 'ASC Default'
+ description: policySetDescription
+ enforcementMode: 'DoNotEnforce'
+ parameters: {}
+ policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
  }
 }