Update tier3.bicep Adding Defender configuration to Tier 3 (#725)

* Update tier3.bicep * Tier 3 Defender Update Pulling Defender info from the core mlz.bicep deployment Updating Tier 3 Readme * Update Tier3. Removing Duplicate parameters and moving comments up Fixing error with duplicate parameters. Adding Moving description comments to the parameters that pull from mlzDeploymentVariables * Adding New Outputs to the Bicep Core Readme Documentation Adding New Outputs to the Bicep Core Readme Documentation * Removing parameters from the Tier3 Readme that are not needed because they are inherited With the inheritance pattern proposed in this PR, this will not be necessary to explicitly state here. The state of just using the same default configuration in the original MLZ deployment will be sufficient with the added changes of documenting the additional two outputs. Co-authored-by: lisamurphy-msft <[email protected]>
Azure · Sep 1, 2022 · 82ec9f1 · 82ec9f1
1 parent d63fa11
commit 82ec9f1
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/src/bicep/README.md b/src/bicep/README.md
@@ -129,3 +129,5 @@ spokes.value[0..2].subnetResourceId
 spokes.value[0..2].subscriptionId
 spokes.value[0..2].virtualNetworkName
 spokes.value[0..2].virtualNetworkResourceId
+deployDefender.value
+emailSecurityContact.value
diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
@@ -43,6 +43,12 @@ param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyti
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
 
+@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
+param deployDefender bool = mlzDeploymentVariables.deployDefender.Value
+@description('Email address of the contact, in the form of [email protected]')
+param emailSecurityContact string = mlzDeploymentVariables.emailSecurityContact.Value
+
+
 @description('The address prefix for the network spoke vnet.')
 param virtualNetworkAddressPrefix string = '10.0.125.0/26'
 
@@ -193,6 +199,15 @@ module workloadSubscriptionActivityLogging '../../modules/central-logging.bicep'
   ]
 }
 
+module spokeDefender '../../modules/defender.bicep' = if (deployDefender) {
+  name: 'set-${workloadName}-sub-defender'
+  scope: subscription(workloadSubscriptionId)
+  params: {
+    logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
+    emailSecurityContact: emailSecurityContact
+  }
+}
+
 output resourceGroupName string = resourceGroup.outputs.name
 output location string = resourceGroup.outputs.location
 output tags object = resourceGroup.outputs.tags

diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
@@ -1097,6 +1097,10 @@ output hub object = {
   networkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId
 }
 
+output deployDefender bool = deployDefender
+
+output emailSecurityContact string = emailSecurityContact
+
 output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.name
 
 output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id