Update securityCenter.bicep module API provider to prevent warnings (A…

…zure#560)
ARPA-H · Jan 26, 2022 · b7841ca · b7841ca
1 parent 2d5249f
commit b7841ca
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 99 deletions.
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.4.1124.51302",
-      "templateHash": "10156023147744075921"
+      "templateHash": "1118457920660514703"
     }
   },
   "parameters": {
@@ -4621,7 +4621,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1124.51302",
-              "templateHash": "5910850021434301527"
+              "templateHash": "998933596067649007"
             }
           },
           "parameters": {
@@ -4632,13 +4632,6 @@
                 "description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
               }
             },
-            "enableSecuritySettings": {
-              "type": "bool",
-              "defaultValue": true,
-              "metadata": {
-                "description": "Turn security policy settings On or Off."
-              }
-            },
             "logAnalyticsWorkspaceId": {
               "type": "string",
               "metadata": {
@@ -4650,12 +4643,18 @@
               "metadata": {
                 "description": "Email address of the contact, in the form of [email protected]"
               }
+            },
+            "policySetDescription": {
+              "type": "string",
+              "defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
+              "metadata": {
+                "description": "Policy Initiative description field"
+              }
             }
           },
           "variables": {
             "bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
-            "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
-            "securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
+            "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
           },
           "resources": [
             {
@@ -4699,32 +4698,15 @@
               }
             },
             {
-              "type": "Microsoft.Security/policies",
-              "apiVersion": "2015-06-01-preview",
-              "name": "default",
+              "type": "Microsoft.Authorization/policyAssignments",
+              "apiVersion": "2021-06-01",
+              "name": "Azure Security Benchmark",
               "properties": {
-                "policyLevel": "Subscription",
-                "name": "default",
-                "unique": "Off",
-                "logCollection": "On",
-                "recommendations": {
-                  "patch": "[variables('securitySettings')]",
-                  "baseline": "[variables('securitySettings')]",
-                  "antimalware": "[variables('securitySettings')]",
-                  "diskEncryption": "[variables('securitySettings')]",
-                  "acls": "[variables('securitySettings')]",
-                  "nsgs": "[variables('securitySettings')]",
-                  "waf": "[variables('securitySettings')]",
-                  "sqlAuditing": "[variables('securitySettings')]",
-                  "sqlTde": "[variables('securitySettings')]",
-                  "ngfw": "[variables('securitySettings')]",
-                  "vulnerabilityAssessment": "[variables('securitySettings')]",
-                  "storageEncryption": "[variables('securitySettings')]",
-                  "jitNetworkAccess": "[variables('securitySettings')]"
-                },
-                "pricingConfiguration": {
-                  "selectedPricingTier": "Standard"
-                }
+                "displayName": "ASC Default",
+                "description": "[parameters('policySetDescription')]",
+                "enforcementMode": "DoNotEnforce",
+                "parameters": {},
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
               }
             }
           ]
@@ -4765,7 +4747,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.4.1124.51302",
-              "templateHash": "5910850021434301527"
+              "templateHash": "998933596067649007"
             }
           },
           "parameters": {
@@ -4776,13 +4758,6 @@
                 "description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
               }
             },
-            "enableSecuritySettings": {
-              "type": "bool",
-              "defaultValue": true,
-              "metadata": {
-                "description": "Turn security policy settings On or Off."
-              }
-            },
             "logAnalyticsWorkspaceId": {
               "type": "string",
               "metadata": {
@@ -4794,12 +4769,18 @@
               "metadata": {
                 "description": "Email address of the contact, in the form of [email protected]"
               }
+            },
+            "policySetDescription": {
+              "type": "string",
+              "defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
+              "metadata": {
+                "description": "Policy Initiative description field"
+              }
             }
           },
           "variables": {
             "bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
-            "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
-            "securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
+            "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
           },
           "resources": [
             {
@@ -4843,32 +4824,15 @@
               }
             },
             {
-              "type": "Microsoft.Security/policies",
-              "apiVersion": "2015-06-01-preview",
-              "name": "default",
+              "type": "Microsoft.Authorization/policyAssignments",
+              "apiVersion": "2021-06-01",
+              "name": "Azure Security Benchmark",
               "properties": {
-                "policyLevel": "Subscription",
-                "name": "default",
-                "unique": "Off",
-                "logCollection": "On",
-                "recommendations": {
-                  "patch": "[variables('securitySettings')]",
-                  "baseline": "[variables('securitySettings')]",
-                  "antimalware": "[variables('securitySettings')]",
-                  "diskEncryption": "[variables('securitySettings')]",
-                  "acls": "[variables('securitySettings')]",
-                  "nsgs": "[variables('securitySettings')]",
-                  "waf": "[variables('securitySettings')]",
-                  "sqlAuditing": "[variables('securitySettings')]",
-                  "sqlTde": "[variables('securitySettings')]",
-                  "ngfw": "[variables('securitySettings')]",
-                  "vulnerabilityAssessment": "[variables('securitySettings')]",
-                  "storageEncryption": "[variables('securitySettings')]",
-                  "jitNetworkAccess": "[variables('securitySettings')]"
-                },
-                "pricingConfiguration": {
-                  "selectedPricingTier": "Standard"
-                }
+                "displayName": "ASC Default",
+                "description": "[parameters('policySetDescription')]",
+                "enforcementMode": "DoNotEnforce",
+                "parameters": {},
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
               }
             }
           ]

diff --git a/src/bicep/modules/securityCenter.bicep b/src/bicep/modules/securityCenter.bicep
@@ -25,16 +25,16 @@ var bundle = (environment().name != 'AzureUSGovernment' ? [
 param enableAutoProvisioning bool = true
 var autoProvisioning = enableAutoProvisioning ? 'On' : 'Off'
 
-@description('Turn security policy settings On or Off.')
-param enableSecuritySettings bool = true
-var securitySettings = enableSecuritySettings ? 'On' : 'Off'
-
 @description('Specify the ID of your custom Log Analytics workspace to collect ASC data.')
 param logAnalyticsWorkspaceId string
 
 @description('Email address of the contact, in the form of [email protected]')
 param emailSecurityContact string
 
+@description('Policy Initiative description field')
+param policySetDescription string = 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'
+
+
 // security center
 
 resource securityCenterPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in bundle: {
@@ -70,30 +70,14 @@ resource securityNotifications 'Microsoft.Security/securityContacts@2017-08-01-p
   }
 }
 
-resource securityPoliciesDefault 'Microsoft.Security/policies@2015-06-01-preview' = {
-  name: 'default'
+resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'Azure Security Benchmark'
+  scope: subscription()
   properties: {
-    policyLevel: 'Subscription'
-    name: 'default'
-    unique: 'Off'
-    logCollection: 'On'
-    recommendations: {
-      patch: securitySettings
-      baseline: securitySettings
-      antimalware: securitySettings
-      diskEncryption: securitySettings
-      acls: securitySettings
-      nsgs: securitySettings
-      waf: securitySettings
-      sqlAuditing: securitySettings
-      sqlTde: securitySettings
-      ngfw: securitySettings
-      vulnerabilityAssessment: securitySettings
-      storageEncryption: securitySettings
-      jitNetworkAccess: securitySettings
-    }
-    pricingConfiguration: {
-      selectedPricingTier: 'Standard'
-    }
+    displayName: 'ASC Default'
+    description: policySetDescription
+    enforcementMode: 'DoNotEnforce'
+    parameters: {}
+    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
   }
 }