diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 68a24d86e1..f9b42b1327 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -5,6 +5,7 @@
 /avm/utilities/ @Azure/avm-core-team-technical-bicep
 /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-core-team-technical-bicep
+/avm/ptn/security/security-center/ @Azure/avm-ptn-security-securitycenter-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/aad/domain-service/ @Azure/avm-res-aad-domainservice-module-owners-bicep @Azure/avm-core-team-technical-bicep
 #/avm/res/aad/domain-service/ @Azure/avm-res-aad-domainservice-module-owners-bicep
 /avm/res/analysis-services/server/ @Azure/avm-res-analysisservices-server-module-owners-bicep @Azure/avm-core-team-technical-bicep
diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
index 9a7da432aa..71cecf9779 100644
--- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml
+++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
@@ -44,7 +44,7 @@ body:
 # - "avm/ptn/avd-lza/management-plane"
 # - "avm/ptn/avd-lza/networking"
 # - "avm/ptn/avd-lza/session-hosts"
- # - "avm/ptn/security/security-center"
+ - "avm/ptn/security/security-center"
 - "avm/res/aad/domain-service"
 - "avm/res/analysis-services/server"
 - "avm/res/api-management/service"
diff --git a/.github/workflows/avm.ptn.security.security-center.yml b/.github/workflows/avm.ptn.security.security-center.yml
new file mode 100644
index 0000000000..3052d3e4bf
--- /dev/null
+++ b/.github/workflows/avm.ptn.security.security-center.yml
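Review bot: The new CODEOWNERS entry for `/avm/ptn/security/security-center/` only gates reviews if the team `@Azure/avm-ptn-security-securitycenter-module-owners-bicep` already exists and has write access to this repository; as far as I know GitHub does not reject a push for an unresolvable owner, it just skips that owner (surfacing an error only in the CODEOWNERS file view), so the module would fall back to `@Azure/avm-core-team-technical-bicep` alone. Worth confirming the team was created and granted access before this merges, since nothing in the diff itself can show that. The issue-template hunk in the same line is the matching un-comment of the module name and needs nothing further.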
@@ -0,0 +1,86 @@
+name: "avm.ptn.security.security-center"
+
+on:
+ schedule:
+ - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.ptn.security.security-center.yml"
+ - "avm/ptn/security/security-center/**"
+ - "avm/utilities/pipelines/**"
+ - "!avm/utilities/pipelines/platform/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/ptn/security/security-center"
+ workflowPath: ".github/workflows/avm.ptn.security.security-center.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-latest
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ permissions:
+ id-token: write # For OIDC
+ contents: write # For release tags
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
diff --git a/avm/ptn/security/security-center/README.md b/avm/ptn/security/security-center/README.md
new file mode 100644
index 0000000000..caaf05d323
--- /dev/null
+++ b/avm/ptn/security/security-center/README.md
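Review bot: `job_initialize_pipeline` declares no `permissions` block, so its `GITHUB_TOKEN` receives the repository's default scope although the job only checks out the tree and runs two local composite actions; add `permissions:` / `  contents: read` under that job (the `call-workflow-passing-data` job already requests `id-token: write` and `contents: write` for itself, so a restrictive default there costs nothing). `actions/checkout@v4` is a movable tag; in a workflow that also hands `secrets: inherit` to the reusable template, pinning it to the full commit SHA with the tag kept in a trailing comment removes the tag-retargeting risk, as the AVM platform pipelines presumably already do. Separately, the comment on the cron line does not match the expression: `1/15` in the day-of-month field means "every 15 days starting on the 1st", i.e. the 1st, 16th and 31st, so either change it to `- cron: "0 12 1,15 * *" # Bi-Weekly Test (on 1st & 15th of month)` or reword the comment.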
@@ -0,0 +1,527 @@ +# Azure Security Center (Defender for Cloud) `[Microsoft.Security/securitycenter]` + +This module deploys an Azure Security Center (Defender for Cloud) Configuration. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Security/autoProvisioningSettings` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/autoProvisioningSettings) | +| `Microsoft.Security/deviceSecurityGroups` | [2019-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-08-01/deviceSecurityGroups) | +| `Microsoft.Security/iotSecuritySolutions` | [2019-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2019-08-01/iotSecuritySolutions) | +| `Microsoft.Security/pricings` | [2018-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2018-06-01/pricings) | +| `Microsoft.Security/securityContacts` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/securityContacts) | +| `Microsoft.Security/workspaceSettings` | [2017-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Security/2017-08-01-preview/workspaceSettings) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/security/security-center:`. 
+ +- [Using default parameter set](#example-1-using-default-parameter-set) +- [Using default parameter set](#example-2-using-default-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) + +### Example 1: _Using default parameter set_ + +This instance deploys the module with default parameters. + + +
+ +via Bicep module + +```bicep +module securityCenter 'br/public:avm/ptn/security/security-center:' = { + name: 'securityCenterDeployment' + params: { + // Required parameters + scope: '' + workspaceResourceId: '' + // Non-required parameters + location: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "scope": { + "value": "" + }, + "workspaceResourceId": { + "value": "" + }, + // Non-required parameters + "location": { + "value": "" + } + } +} +``` + +
+

+ +### Example 2: _Using default parameter set_ + +This instance deploys the module with default parameters. + + +

+ +via Bicep module + +```bicep +module securityCenter 'br/public:avm/ptn/security/security-center:' = { + name: 'securityCenterDeployment' + params: { + // Required parameters + scope: '' + workspaceResourceId: '' + // Non-required parameters + deviceSecurityGroupProperties: {} + ioTSecuritySolutionProperties: {} + location: '' + securityContactProperties: { + alertNotifications: 'Off' + alertsToAdmins: 'Off' + email: 'foo@contoso.com' + phone: '+12345678' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "scope": { + "value": "" + }, + "workspaceResourceId": { + "value": "" + }, + // Non-required parameters + "deviceSecurityGroupProperties": { + "value": {} + }, + "ioTSecuritySolutionProperties": { + "value": {} + }, + "location": { + "value": "" + }, + "securityContactProperties": { + "value": { + "alertNotifications": "Off", + "alertsToAdmins": "Off", + "email": "foo@contoso.com", + "phone": "+12345678" + } + } + } +} +``` + +
+

+ +### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module securityCenter 'br/public:avm/ptn/security/security-center:' = { + name: 'securityCenterDeployment' + params: { + // Required parameters + scope: '' + workspaceResourceId: '' + // Non-required parameters + location: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "scope": { + "value": "" + }, + "workspaceResourceId": { + "value": "" + }, + // Non-required parameters + "location": { + "value": "" + } + } +} +``` + +
+

+ + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`scope`](#parameter-scope) | string | All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. | +| [`workspaceResourceId`](#parameter-workspaceresourceid) | string | The full resource Id of the Log Analytics workspace to save the data in. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appServicesPricingTier`](#parameter-appservicespricingtier) | string | The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`armPricingTier`](#parameter-armpricingtier) | string | The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`autoProvision`](#parameter-autoprovision) | string | Describes what kind of security agent provisioning action to take. - On or Off. | +| [`containerRegistryPricingTier`](#parameter-containerregistrypricingtier) | string | The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`containersTier`](#parameter-containerstier) | string | The pricing tier value for containers. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`cosmosDbsTier`](#parameter-cosmosdbstier) | string | The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`deviceSecurityGroupProperties`](#parameter-devicesecuritygroupproperties) | object | Device Security group data. | +| [`dnsPricingTier`](#parameter-dnspricingtier) | string | The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ioTSecuritySolutionProperties`](#parameter-iotsecuritysolutionproperties) | object | Security Solution data. | +| [`keyVaultsPricingTier`](#parameter-keyvaultspricingtier) | string | The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`kubernetesServicePricingTier`](#parameter-kubernetesservicepricingtier) | string | The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. 
The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`location`](#parameter-location) | string | Location deployment metadata. | +| [`openSourceRelationalDatabasesTier`](#parameter-opensourcerelationaldatabasestier) | string | The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`securityContactProperties`](#parameter-securitycontactproperties) | object | Security contact data. | +| [`sqlServersPricingTier`](#parameter-sqlserverspricingtier) | string | The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`sqlServerVirtualMachinesPricingTier`](#parameter-sqlservervirtualmachinespricingtier) | string | The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | +| [`storageAccountsPricingTier`](#parameter-storageaccountspricingtier) | string | The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. 
| +| [`virtualMachinesPricingTier`](#parameter-virtualmachinespricingtier) | string | The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. | + +### Parameter: `scope` + +All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope. + +- Required: Yes +- Type: string + +### Parameter: `workspaceResourceId` + +The full resource Id of the Log Analytics workspace to save the data in. + +- Required: Yes +- Type: string + +### Parameter: `appServicesPricingTier` + +The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `armPricingTier` + +The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `autoProvision` + +Describes what kind of security agent provisioning action to take. - On or Off. + +- Required: No +- Type: string +- Default: `'On'` +- Allowed: + ```Bicep + [ + 'Off' + 'On' + ] + ``` + +### Parameter: `containerRegistryPricingTier` + +The pricing tier value for ContainerRegistry. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `containersTier` + +The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `cosmosDbsTier` + +The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `deviceSecurityGroupProperties` + +Device Security group data. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `dnsPricingTier` + +The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. 
+ +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `ioTSecuritySolutionProperties` + +Security Solution data. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `keyVaultsPricingTier` + +The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `kubernetesServicePricingTier` + +The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `location` + +Location deployment metadata. + +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `openSourceRelationalDatabasesTier` + +The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `securityContactProperties` + +Security contact data. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `sqlServersPricingTier` + +The pricing tier value for SqlServers. 
Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `sqlServerVirtualMachinesPricingTier` + +The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `storageAccountsPricingTier` + +The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + +### Parameter: `virtualMachinesPricingTier` + +The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard. + +- Required: No +- Type: string +- Default: `'Free'` +- Allowed: + ```Bicep + [ + 'Free' + 'Standard' + ] + ``` + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the security center. | +| `workspaceResourceId` | string | The resource ID of the used log analytics workspace. 
| + +## Cross-referenced modules + +_None_ + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/security/security-center/main.bicep b/avm/ptn/security/security-center/main.bicep new file mode 100644 index 0000000000..e7c8461604 --- /dev/null +++ b/avm/ptn/security/security-center/main.bicep 
@@ -0,0 +1,267 @@
+metadata name = 'Azure Security Center (Defender for Cloud)'
+metadata description = 'This module deploys an Azure Security Center (Defender for Cloud) Configuration.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'subscription'
+
+@description('Required. The full resource Id of the Log Analytics workspace to save the data in.')
+param workspaceResourceId string
+
+@description('Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope.')
+param scope string
+
+@description('Optional. Describes what kind of security agent provisioning action to take. - On or Off.')
+@allowed([
+ 'On'
+ 'Off'
+])
+param autoProvision string = 'On'
+
+@description('Optional. Device Security group data.')
+param deviceSecurityGroupProperties object = {}
+
+@description('Optional. Security Solution data.')
+param ioTSecuritySolutionProperties object = {}
+
+@description('Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param virtualMachinesPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param sqlServersPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param appServicesPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param storageAccountsPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param sqlServerVirtualMachinesPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param kubernetesServicePricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param containerRegistryPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param keyVaultsPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param dnsPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param armPricingTier string = 'Free'
+
+@description('Optional. The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param openSourceRelationalDatabasesTier string = 'Free'
+
+@description('Optional. The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param containersTier string = 'Free'
+
+@description('Optional. The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard.')
+@allowed([
+ 'Free'
+ 'Standard'
+])
+param cosmosDbsTier string = 'Free'
+
+@description('Optional. Security contact data.')
+param securityContactProperties object = {}
+
+@description('Optional. Location deployment metadata.')
+param location string = deployment().location
+
+@sys.description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+var pricings = [
+ {
+ name: 'VirtualMachines'
+ pricingTier: virtualMachinesPricingTier
+ }
+ {
+ name: 'SqlServers'
+ pricingTier: sqlServersPricingTier
+ }
+ {
+ name: 'AppServices'
+ pricingTier: appServicesPricingTier
+ }
+ {
+ name: 'StorageAccounts'
+ pricingTier: storageAccountsPricingTier
+ }
+ {
+ name: 'SqlServerVirtualMachines'
+ pricingTier: sqlServerVirtualMachinesPricingTier
+ }
+ {
+ name: 'KubernetesService'
+ pricingTier: kubernetesServicePricingTier
+ }
+ {
+ name: 'ContainerRegistry'
+ pricingTier: containerRegistryPricingTier
+ }
+ {
+ name: 'KeyVaults'
+ pricingTier: keyVaultsPricingTier
+ }
+ {
+ name: 'Dns'
+ pricingTier: dnsPricingTier
+ }
+ {
+ name: 'Arm'
+ pricingTier: armPricingTier
+ }
+ {
+ name: 'OpenSourceRelationalDatabases'
+ pricingTier: openSourceRelationalDatabasesTier
+ }
+ {
+ name: 'Containers'
+ pricingTier: containersTier
+ }
+ {
+ name: 'CosmosDbs'
+ pricingTier: cosmosDbsTier
+ }
+]
+
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
+ if (enableTelemetry) {
+ name: take(
+ '46d3xbcp.ptn.security-securitycenter.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}',
+ 64
+ )
+ location: location
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ outputs: {
+ telemetry: {
+ type: 'String'
+ value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
+ }
+ }
+ }
+ }
+ }
+
+@batchSize(1)
+resource pricingTiers 'Microsoft.Security/pricings@2018-06-01' = [
+ for (pricing, index) in pricings: {
+ name: pricing.name
+ properties: {
+ pricingTier: pricing.pricingTier
+ }
+ }
+]
+
+resource autoProvisioningSettings 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = {
+ name: 'default'
+ properties: {
+ autoProvision: autoProvision
+ }
+}
+
+resource deviceSecurityGroups 'Microsoft.Security/deviceSecurityGroups@2019-08-01' =
+ if (!empty(deviceSecurityGroupProperties)) {
+ name: 'deviceSecurityGroups'
+ properties: {
+ thresholdRules: deviceSecurityGroupProperties.thresholdRules
+ timeWindowRules: deviceSecurityGroupProperties.timeWindowRules
+ allowlistRules: deviceSecurityGroupProperties.allowlistRules
+ denylistRules: deviceSecurityGroupProperties.denylistRules
+ }
+ }
+
+module iotSecuritySolutions 'modules/iotSecuritySolutions.bicep' =
+ if (!empty(ioTSecuritySolutionProperties)) {
+ name: '${uniqueString(deployment().name)}-ASC-IotSecuritySolutions'
+ scope: resourceGroup(empty(ioTSecuritySolutionProperties) ? 'dummy' : ioTSecuritySolutionProperties.resourceGroup)
+ params: {
+ ioTSecuritySolutionProperties: ioTSecuritySolutionProperties
+ }
+ }
+
+resource securityContacts 'Microsoft.Security/securityContacts@2017-08-01-preview' =
+ if (!empty(securityContactProperties)) {
+ name: 'default'
+ properties: {
+ email: securityContactProperties.email
+ phone: securityContactProperties.phone
+ alertNotifications: securityContactProperties.alertNotifications
+ alertsToAdmins: securityContactProperties.alertsToAdmins
+ }
+ }
+
+resource workspaceSettings 'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
+ name: 'default'
+ properties: {
+ workspaceId: workspaceResourceId
+ scope: scope
+ }
+ dependsOn: [
+ autoProvisioningSettings
+ ]
+}
+
+@description('The resource ID of the used log analytics workspace.')
+output workspaceResourceId string = workspaceResourceId
+
+@description('The name of the security center.')
+output name string = 'Security'
diff --git a/avm/ptn/security/security-center/main.json b/avm/ptn/security/security-center/main.json
new file mode 100644
index 0000000000..9216e95469
--- /dev/null
+++ b/avm/ptn/security/security-center/main.json
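Review bot: Every entry in `pricings` is written unconditionally by the `pricingTiers` loop, and all thirteen `*PricingTier` parameters default to `'Free'`, so deploying this module with defaults against a subscription that already has Defender plans on `Standard` silently downgrades them — `Microsoft.Security/pricings` is subscription-wide state that this deployment does not own, and a module called "security-center" turning protection off by default is the opposite of what a consumer expects. At minimum each tier description should carry a warning such as `Note: "Free" is applied explicitly and will downgrade a plan that is already on Standard.`; the safer shape is to make the tier parameters nullable and filter `pricings` to entries whose tier was actually supplied, so unspecified plans are left as found. Related, `securityContacts` is only created when `securityContactProperties` is non-empty, so a default deployment leaves Defender with no alert recipient, and both that resource and `deviceSecurityGroups` dereference `.email`/`.phone`/`.alertNotifications`/`.alertsToAdmins` and the four rule arrays without null-safe access, so a partially populated object fails at deploy time rather than at validation. The `pricings@2018-06-01` and `2017-08-01-preview` API versions are old; I believe some plan names in the list (e.g. `Dns`, `Arm`) have been superseded in newer Defender plan models, so the set should be checked against the current REST reference before publishing.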
@@ -0,0 +1,426 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "5215368682061207752" + }, + "name": "Azure Security Center (Defender for Cloud)", + "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "Required. The full resource Id of the Log Analytics workspace to save the data in." + } + }, + "scope": { + "type": "string", + "metadata": { + "description": "Required. All the VMs in this scope will send their security data to the mentioned workspace unless overridden by a setting with more specific scope." + } + }, + "autoProvision": { + "type": "string", + "defaultValue": "On", + "allowedValues": [ + "On", + "Off" + ], + "metadata": { + "description": "Optional. Describes what kind of security agent provisioning action to take. - On or Off." + } + }, + "deviceSecurityGroupProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Device Security group data." + } + }, + "ioTSecuritySolutionProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Security Solution data." + } + }, + "virtualMachinesPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for VMs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." 
+ } + }, + "sqlServersPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for SqlServers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "appServicesPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for AppServices. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "storageAccountsPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for StorageAccounts. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "sqlServerVirtualMachinesPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for SqlServerVirtualMachines. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." 
+ } + }, + "kubernetesServicePricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for KubernetesService. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "containerRegistryPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for ContainerRegistry. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "keyVaultsPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for KeyVaults. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "dnsPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for DNS. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." 
+ } + }, + "armPricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for ARM. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "openSourceRelationalDatabasesTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for OpenSourceRelationalDatabases. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "containersTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for containers. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." + } + }, + "cosmosDbsTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Optional. The pricing tier value for CosmosDbs. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features. - Free or Standard." 
+ } + }, + "securityContactProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Security contact data." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location deployment metadata." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "pricings": [ + { + "name": "VirtualMachines", + "pricingTier": "[parameters('virtualMachinesPricingTier')]" + }, + { + "name": "SqlServers", + "pricingTier": "[parameters('sqlServersPricingTier')]" + }, + { + "name": "AppServices", + "pricingTier": "[parameters('appServicesPricingTier')]" + }, + { + "name": "StorageAccounts", + "pricingTier": "[parameters('storageAccountsPricingTier')]" + }, + { + "name": "SqlServerVirtualMachines", + "pricingTier": "[parameters('sqlServerVirtualMachinesPricingTier')]" + }, + { + "name": "KubernetesService", + "pricingTier": "[parameters('kubernetesServicePricingTier')]" + }, + { + "name": "ContainerRegistry", + "pricingTier": "[parameters('containerRegistryPricingTier')]" + }, + { + "name": "KeyVaults", + "pricingTier": "[parameters('keyVaultsPricingTier')]" + }, + { + "name": "Dns", + "pricingTier": "[parameters('dnsPricingTier')]" + }, + { + "name": "Arm", + "pricingTier": "[parameters('armPricingTier')]" + }, + { + "name": "OpenSourceRelationalDatabases", + "pricingTier": "[parameters('openSourceRelationalDatabasesTier')]" + }, + { + "name": "Containers", + "pricingTier": "[parameters('containersTier')]" + }, + { + "name": "CosmosDbs", + "pricingTier": "[parameters('cosmosDbsTier')]" + } + ] + }, + "resources": [ + { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2023-07-01", + "name": "[take(format('46d3xbcp.ptn.security-securitycenter.{0}.{1}', 
replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4)), 64)]", + "location": "[parameters('location')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + { + "copy": { + "name": "pricingTiers", + "count": "[length(variables('pricings'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "[variables('pricings')[copyIndex()].name]", + "properties": { + "pricingTier": "[variables('pricings')[copyIndex()].pricingTier]" + } + }, + { + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2017-08-01-preview", + "name": "default", + "properties": { + "autoProvision": "[parameters('autoProvision')]" + } + }, + { + "condition": "[not(empty(parameters('deviceSecurityGroupProperties')))]", + "type": "Microsoft.Security/deviceSecurityGroups", + "apiVersion": "2019-08-01", + "name": "deviceSecurityGroups", + "properties": { + "thresholdRules": "[parameters('deviceSecurityGroupProperties').thresholdRules]", + "timeWindowRules": "[parameters('deviceSecurityGroupProperties').timeWindowRules]", + "allowlistRules": "[parameters('deviceSecurityGroupProperties').allowlistRules]", + "denylistRules": "[parameters('deviceSecurityGroupProperties').denylistRules]" + } + }, + { + "condition": "[not(empty(parameters('securityContactProperties')))]", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2017-08-01-preview", + "name": "default", + "properties": { + "email": "[parameters('securityContactProperties').email]", + "phone": "[parameters('securityContactProperties').phone]", + "alertNotifications": 
"[parameters('securityContactProperties').alertNotifications]", + "alertsToAdmins": "[parameters('securityContactProperties').alertsToAdmins]" + } + }, + { + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2017-08-01-preview", + "name": "default", + "properties": { + "workspaceId": "[parameters('workspaceResourceId')]", + "scope": "[parameters('scope')]" + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Security/autoProvisioningSettings', 'default')]" + ] + }, + { + "condition": "[not(empty(parameters('ioTSecuritySolutionProperties')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-ASC-IotSecuritySolutions', uniqueString(deployment().name))]", + "resourceGroup": "[if(empty(parameters('ioTSecuritySolutionProperties')), 'dummy', parameters('ioTSecuritySolutionProperties').resourceGroup)]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "ioTSecuritySolutionProperties": { + "value": "[parameters('ioTSecuritySolutionProperties')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "11694037879563074763" + } + }, + "parameters": { + "ioTSecuritySolutionProperties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Security Solution data." 
+ } + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('ioTSecuritySolutionProperties')))]", + "type": "Microsoft.Security/iotSecuritySolutions", + "apiVersion": "2019-08-01", + "name": "iotSecuritySolutions", + "properties": { + "workspace": "[parameters('ioTSecuritySolutionProperties').workspace]", + "displayName": "[parameters('ioTSecuritySolutionProperties').displayName]", + "status": "[parameters('ioTSecuritySolutionProperties').status]", + "export": "[parameters('ioTSecuritySolutionProperties').export]", + "disabledDataSources": "[parameters('ioTSecuritySolutionProperties').disabledDataSources]", + "iotHubs": "[parameters('ioTSecuritySolutionProperties').iotHubs]", + "userDefinedResources": "[parameters('ioTSecuritySolutionProperties').userDefinedResources]", + "recommendationsConfiguration": "[parameters('ioTSecuritySolutionProperties').recommendationsConfiguration]" + } + } + ] + } + } + } + ], + "outputs": { + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the used log analytics workspace." + }, + "value": "[parameters('workspaceResourceId')]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the security center." + }, + "value": "Security" + } + } +} diff --git a/avm/ptn/security/security-center/modules/iotSecuritySolutions.bicep b/avm/ptn/security/security-center/modules/iotSecuritySolutions.bicep new file mode 100644 index 0000000000..4bc23f86b8 --- /dev/null +++ b/avm/ptn/security/security-center/modules/iotSecuritySolutions.bicep 
@@ -0,0 +1,17 @@
+@description('Optional. Security Solution data.')
+param ioTSecuritySolutionProperties object = {}
+
+resource iotSecuritySolutions 'Microsoft.Security/iotSecuritySolutions@2019-08-01' =
+ if (!empty(ioTSecuritySolutionProperties)) {
+ name: 'iotSecuritySolutions'
+ properties: {
+ workspace: ioTSecuritySolutionProperties.workspace
+ displayName: ioTSecuritySolutionProperties.displayName
+ status: ioTSecuritySolutionProperties.status
+ export: ioTSecuritySolutionProperties.export
+ disabledDataSources: ioTSecuritySolutionProperties.disabledDataSources
+ iotHubs: ioTSecuritySolutionProperties.iotHubs
+ userDefinedResources: ioTSecuritySolutionProperties.userDefinedResources
+ recommendationsConfiguration: ioTSecuritySolutionProperties.recommendationsConfiguration
+ }
+ }
diff --git a/avm/ptn/security/security-center/tests/e2e/defaults/dependencies.bicep b/avm/ptn/security/security-center/tests/e2e/defaults/dependencies.bicep
new file mode 100644
index 0000000000..35d61edfa2
--- /dev/null
+++ b/avm/ptn/security/security-center/tests/e2e/defaults/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+}
+
+@description('The resource ID of the created Log Analytics Workspace.')
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/avm/ptn/security/security-center/tests/e2e/defaults/main.test.bicep b/avm/ptn/security/security-center/tests/e2e/defaults/main.test.bicep
new file mode 100644
index 0000000000..9963c582e7
--- /dev/null
+++ b/avm/ptn/security/security-center/tests/e2e/defaults/main.test.bicep
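Review bot: `param ioTSecuritySolutionProperties object = {}` is described as `Optional`, yet every key (`workspace`, `displayName`, `status`, `export`, `disabledDataSources`, `iotHubs`, `userDefinedResources`, `recommendationsConfiguration`) is dereferenced unconditionally in the resource body, so a caller passing a partial object gets a deployment-time property-not-found error rather than a validation error. The generated main.json records bicep 0.26.54, which appears to support user-defined `type` declarations; declaring the expected shape as a type, or at least listing the required keys in the `@description`, would make the contract explicit. The `if (!empty(ioTSecuritySolutionProperties))` guard here duplicates the one on the `module iotSecuritySolutions` call in main.bicep, which already skips this module when the object is empty.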
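Review bot: `@description('Optional. The location to deploy to.')` on `param location string` contradicts the declaration: the parameter has no default, so it is required and the annotation should read `@description('Required. The location to deploy to.')`. The same mismatch is in the byte-identical max/dependencies.bicep and waf-aligned/dependencies.bicep hunks later in this diff.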
@@ -0,0 +1,57 @@
+targetScope = 'subscription'
+
+metadata name = 'Using default parameter set'
+metadata description = 'This instance deploys the module with default parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sascmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ location: resourceLocation
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ scope: '/subscriptions/${subscription().subscriptionId}'
+ workspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
+ location: resourceLocation
+ }
+ }
+]
diff --git a/avm/ptn/security/security-center/tests/e2e/max/dependencies.bicep b/avm/ptn/security/security-center/tests/e2e/max/dependencies.bicep
new file mode 100644
index 0000000000..35d61edfa2
--- /dev/null
+++ b/avm/ptn/security/security-center/tests/e2e/max/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+}
+
+@description('The resource ID of the created Log Analytics Workspace.')
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/avm/ptn/security/security-center/tests/e2e/max/main.test.bicep b/avm/ptn/security/security-center/tests/e2e/max/main.test.bicep
new file mode 100644
index 0000000000..8a50544e99
--- /dev/null
+++ b/avm/ptn/security/security-center/tests/e2e/max/main.test.bicep
@@ -0,0 +1,65 @@
+targetScope = 'subscription'
+
+metadata name = 'Using default parameter set'
+metadata description = 'This instance deploys the module with default parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sascmax'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ location: resourceLocation
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ scope: subscription().id
+ workspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
+ location: resourceLocation
+ securityContactProperties: {
+ alertNotifications: 'Off'
+ alertsToAdmins: 'Off'
+ email: 'foo@contoso.com'
+ phone: '+12345678'
+ }
+ deviceSecurityGroupProperties: {}
+ ioTSecuritySolutionProperties: {}
+ }
+ }
+]
diff --git a/avm/ptn/security/security-center/tests/e2e/waf-aligned/dependencies.bicep b/avm/ptn/security/security-center/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..35d61edfa2
--- /dev/null
+++ b/avm/ptn/security/security-center/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string
+
+@description('Required. The name of the Log Analytics Workspace to create.')
+param logAnalyticsWorkspaceName string
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+ name: logAnalyticsWorkspaceName
+ location: location
+}
+
+@description('The resource ID of the created Log Analytics Workspace.')
+output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id
diff --git a/avm/ptn/security/security-center/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/security/security-center/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..26c7520fb2
--- /dev/null
+++ b/avm/ptn/security/security-center/tests/e2e/waf-aligned/main.test.bicep
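Review bot: `metadata name = 'Using default parameter set'` and its description are carried over from the defaults test; for this max test they should read something like `metadata name = 'Using large parameter set'` and `metadata description = 'This instance deploys the module with most of its features enabled.'`. The test also covers less than its name suggests: `deviceSecurityGroupProperties: {}` and `ioTSecuritySolutionProperties: {}` are both empty, which is exactly the condition under which main.bicep skips the `deviceSecurityGroups` resource and the `iotSecuritySolutions` module, and no `*PricingTier` parameter is passed, so every Defender plan stays at the `'Free'` default that main.json declares. `scope: subscription().id` also differs from the `'/subscriptions/${subscription().subscriptionId}'` form used in the defaults and waf-aligned tests; the two should resolve to the same string, but one form across the three tests is enough.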
@@ -0,0 +1,57 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'sascwaf'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+ location: resourceLocation
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ scope: '/subscriptions/${subscription().subscriptionId}'
+ workspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId
+ location: resourceLocation
+ }
+ }
+]
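Review bot: The WAF-aligned test passes only `scope`, `workspaceResourceId` and `location`, so it deploys the same configuration as the defaults test: every `*PricingTier` parameter stays at the `'Free'` default declared in main.json, and with no `securityContactProperties` supplied the `securityContacts` resource is skipped entirely. That does not demonstrate the hardened posture its `metadata description` claims; a WAF-aligned instance should set the Defender plans it cares about to `'Standard'` (e.g. `virtualMachinesPricingTier: 'Standard'`) and supply a security contact with `alertNotifications: 'On'` and `alertsToAdmins: 'On'`, using placeholder contact values as the max test does. Separately, if leaving every plan on `'Free'` by default is deliberate for the module, its documentation should state that plainly, since a module named security-center is easy to misread as enabling Defender plans out of the box.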
diff --git a/avm/ptn/security/security-center/version.json b/avm/ptn/security/security-center/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/avm/ptn/security/security-center/version.json
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}