optional policy assignment module in root deployment (Azure#490)

ARPA-H · Oct 27, 2021 · 07f5678 · 07f5678
1 parent 2dabd21
commit 07f5678
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 32 deletions.
diff --git a/docs/policies.md b/docs/policies.md
@@ -46,6 +46,7 @@ To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Le
 az deployment sub create \
   --location eastus \
   --template-file mlz.bicep \
+  --parameters deployPolicy=true \
   --parameters policy=<one of 'CMMC', 'IL5', or 'NIST'>
 ```
 
@@ -87,19 +88,19 @@ Example parameters file snippet:
 
 ```arm
 {
-    "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": 
+    "listOfMembersToExcludeFromWindowsVMAdministratorsGroup":
     {
       "value": "admin"
     },
-    "listOfMembersToIncludeInWindowsVMAdministratorsGroup": 
+    "listOfMembersToIncludeInWindowsVMAdministratorsGroup":
     {
       "value": "azureuser"
     },
-    "logAnalyticsWorkspaceIdforVMReporting": 
+    "logAnalyticsWorkspaceIdforVMReporting":
     {
       "value": ${jsonencode(laws_instance_id)}
     },
-    "IncludeArcMachines": 
+    "IncludeArcMachines":
     {
         "value": "true"
     }

diff --git a/src/bicep/README.md b/src/bicep/README.md
@@ -132,16 +132,19 @@ az deployment sub create \
 
 ## Adding Azure Policy
 
-To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `policy` parameter with one of the following, NIST, IL5 or CMMC. For example deploying with MLZ:
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `deployPolicy=true` parameter with `policy` assigned to one of the following: `NIST`, `IL5`, or `CMMC`.
+
+For example, deploying with MLZ:
 
 ```plaintext
 az deployment sub create \
   --location eastus \
   --template-file mlz.bicep \
+  --parameters deployPolicy=true \
   --parameters policy=<one of 'CMMC', 'IL5', or 'NIST'>
 ```
 
-Or, apply policy after deploying MLZ:
+Or, apply policy to a resource group after deploying MLZ:
 
 ```plaintext
 az deployment group create \
@@ -161,7 +164,7 @@ Under the [modules/policies](modules/policies) directory are JSON files named fo
 
 By default [Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when your first set up a subscription and view Azure Security Center portal blade.
 
-Azure Security Center offers a standard/defender sku which enables a greater depth of awareness including more reccomendations and threat analytics. You can enable this higher depth level of security in MLZ by setting the parameter `deployASC` during deployment. In addition you can include the `emailSecurityContact` parameter to set a contact email for alerts.  
+Azure Security Center offers a standard/defender sku which enables a greater depth of awareness including more reccomendations and threat analytics. You can enable this higher depth level of security in MLZ by setting the parameter `deployASC` during deployment. In addition you can include the `emailSecurityContact` parameter to set a contact email for alerts.
 
 ```plaintext
 az deployment sub create \

diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
@@ -268,7 +268,7 @@ module sharedServicesVirtualNetworkPeering './modules/spokeNetworkPeering.bicep'
 
 //// policy
 
-module hubPolicyAssignment './modules/policyAssignment.bicep' = {
+module hubPolicyAssignment './modules/policyAssignment.bicep' = if(deployPolicy) {
   name: 'assign-policy-hub-${nowUtc}'
   scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
   params: {
@@ -279,7 +279,7 @@ module hubPolicyAssignment './modules/policyAssignment.bicep' = {
   }
 }
 
-module operationsPolicyAssignment './modules/policyAssignment.bicep' = {
+module operationsPolicyAssignment './modules/policyAssignment.bicep' = if(deployPolicy) {
   name: 'assign-policy-operations-${nowUtc}'
   scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
   params: {
@@ -290,7 +290,7 @@ module operationsPolicyAssignment './modules/policyAssignment.bicep' = {
   }
 }
 
-module sharedServicesPolicyAssignment './modules/policyAssignment.bicep' = {
+module sharedServicesPolicyAssignment './modules/policyAssignment.bicep' = if(deployPolicy) {
   name: 'assign-policy-sharedServices-${nowUtc}'
   scope: resourceGroup(sharedServicesSubscriptionId, sharedServicesResourceGroupName)
   params: {
@@ -301,7 +301,7 @@ module sharedServicesPolicyAssignment './modules/policyAssignment.bicep' = {
   }
 }
 
-module identityPolicyAssignment './modules/policyAssignment.bicep' = {
+module identityPolicyAssignment './modules/policyAssignment.bicep' = if(deployPolicy) {
   name: 'assign-policy-identity-${nowUtc}'
   scope: resourceGroup(identitySubscriptionId, identityResourceGroupName)
   params: {
@@ -648,12 +648,12 @@ param logAnalyticsWorkspaceSkuName string = 'PerGB2018'
 
 @allowed([
   'NIST'
-  'IL5' // Gov cloud only, trying to deploy IL5 in AzureCloud will switch to NIST
+  'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NIST
   'CMMC'
-  ''
 ])
-@description('Built-in policy assignments to assign, default is none. [NIST/IL5/CMMC] IL5 is only availalbe for GOV cloud and will switch to NIST if tried in AzureCloud.')
-param policy string = ''
+@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
+param policy string = 'NIST'
+param deployPolicy bool = false
 
 @description('Email address of the contact, in the form of [email protected]')
 param emailSecurityContact string = ''

diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.4.1008.15138",
-      "templateHash": "17543931080454177897"
+      "templateHash": "2567988781251247508"
     }
   },
   "parameters": {
@@ -466,17 +466,20 @@
     },
     "policy": {
       "type": "string",
-      "defaultValue": "",
+      "defaultValue": "NIST",
       "metadata": {
-        "description": "Built-in policy assignments to assign, default is none. [NIST/IL5/CMMC] IL5 is only availalbe for GOV cloud and will switch to NIST if tried in AzureCloud."
+        "description": "[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud."
       },
       "allowedValues": [
         "NIST",
         "IL5",
-        "CMMC",
-        ""
+        "CMMC"
       ]
     },
+    "deployPolicy": {
+      "type": "bool",
+      "defaultValue": false
+    },
     "emailSecurityContact": {
       "type": "string",
       "defaultValue": "",
@@ -5243,6 +5246,7 @@
       ]
     },
     {
+      "condition": "[parameters('deployPolicy')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-06-01",
       "name": "[format('assign-policy-hub-{0}', parameters('nowUtc'))]",
@@ -5274,13 +5278,21 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1008.15138",
-              "templateHash": "943351948581975691"
+              "templateHash": "15253340858169279894"
             }
           },
           "parameters": {
             "builtInAssignment": {
               "type": "string",
-              "defaultValue": ""
+              "defaultValue": "NIST",
+              "metadata": {
+                "description": "[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud."
+              },
+              "allowedValues": [
+                "NIST",
+                "IL5",
+                "CMMC"
+              ]
             },
             "logAnalyticsWorkspaceName": {
               "type": "string"
@@ -5502,6 +5514,7 @@
       ]
     },
     {
+      "condition": "[parameters('deployPolicy')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-06-01",
       "name": "[format('assign-policy-operations-{0}', parameters('nowUtc'))]",
@@ -5533,13 +5546,21 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1008.15138",
-              "templateHash": "943351948581975691"
+              "templateHash": "15253340858169279894"
             }
           },
           "parameters": {
             "builtInAssignment": {
               "type": "string",
-              "defaultValue": ""
+              "defaultValue": "NIST",
+              "metadata": {
+                "description": "[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud."
+              },
+              "allowedValues": [
+                "NIST",
+                "IL5",
+                "CMMC"
+              ]
             },
             "logAnalyticsWorkspaceName": {
               "type": "string"
@@ -5761,6 +5782,7 @@
       ]
     },
     {
+      "condition": "[parameters('deployPolicy')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-06-01",
       "name": "[format('assign-policy-sharedServices-{0}', parameters('nowUtc'))]",
@@ -5792,13 +5814,21 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1008.15138",
-              "templateHash": "943351948581975691"
+              "templateHash": "15253340858169279894"
             }
           },
           "parameters": {
             "builtInAssignment": {
               "type": "string",
-              "defaultValue": ""
+              "defaultValue": "NIST",
+              "metadata": {
+                "description": "[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud."
+              },
+              "allowedValues": [
+                "NIST",
+                "IL5",
+                "CMMC"
+              ]
             },
             "logAnalyticsWorkspaceName": {
               "type": "string"
@@ -6020,6 +6050,7 @@
       ]
     },
     {
+      "condition": "[parameters('deployPolicy')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-06-01",
       "name": "[format('assign-policy-identity-{0}', parameters('nowUtc'))]",
@@ -6051,13 +6082,21 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1008.15138",
-              "templateHash": "943351948581975691"
+              "templateHash": "15253340858169279894"
             }
           },
           "parameters": {
             "builtInAssignment": {
               "type": "string",
-              "defaultValue": ""
+              "defaultValue": "NIST",
+              "metadata": {
+                "description": "[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud."
+              },
+              "allowedValues": [
+                "NIST",
+                "IL5",
+                "CMMC"
+              ]
             },
             "logAnalyticsWorkspaceName": {
               "type": "string"

diff --git a/src/bicep/modules/policyAssignment.bicep b/src/bicep/modules/policyAssignment.bicep
@@ -1,4 +1,10 @@
-param builtInAssignment string = ''
+@allowed([
+  'NIST'
+  'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NIST
+  'CMMC'
+])
+@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only availalbe for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
+param builtInAssignment string = 'NIST'
 param logAnalyticsWorkspaceName string
 param logAnalyticsWorkspaceResourceGroupName string
 param operationsSubscriptionId string
@@ -16,15 +22,15 @@ var policyDefinitionID = {
   NIST: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f'
     parameters: json(replace(loadTextContent('policies/NIST-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
-  }  
+  }
   IL5: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197'
     parameters: json(replace(loadTextContent('policies/IL5-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
   }
   CMMC: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de'
     parameters: json(replace(loadTextContent('policies/CMMC-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.properties.customerId))
-  }  
+  }
 }
 
 var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NIST' : builtInAssignment )
@@ -34,7 +40,7 @@ var agentVmAssignmentName = 'Deploy VM Agents ${resourceGroup().name}'
 var contributorRoleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 var lawsReaderRoleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
 
-// assign policy to resource group 
+// assign policy to resource group
 
 resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(modifiedAssignment)){
   name: assignmentName