From 82ec9f1c4890bb977e76eed99a4bdf876c7d7201 Mon Sep 17 00:00:00 2001
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Thu, 1 Sep 2022 18:16:55 -0400
Subject: [PATCH] Update tier3.bicep Adding Defender configuration to Tier 3 (#725) * Update tier3.bicep * Tier 3 Defender Update Pulling Defender info from the core mlz.bicep deployment Updating Tier 3 Readme * Update Tier3. Removing Duplicate parameters and moving comments up Fixing error with duplicate parameters. Adding Moving description comments to the parameters that pull from mlzDeploymentVariables * Adding New Outputs to the Bicep Core Readme Documentation Adding New Outputs to the Bicep Core Readme Documentation * Removing parameters from the Tier3 Readme that are not needed because they are inherited With the inheritance pattern proposed in this PR, this will not be necessary to explicitly state here. The state of just using the same default configuration in the original MLZ deployment will be sufficient with the added changes of documenting the additional two outputs.
Co-authored-by: lisamurphy-msft <87032539+lisamurphy-msft@users.noreply.github.com>
---
 src/bicep/README.md | 2 ++
 src/bicep/add-ons/tier3/tier3.bicep | 15 +++++++++++++++
 src/bicep/mlz.bicep | 4 ++++
 3 files changed, 21 insertions(+)
diff --git a/src/bicep/README.md b/src/bicep/README.md
index ccbaba049..feb4e4ca2 100644
--- a/src/bicep/README.md
+++ b/src/bicep/README.md
@@ -129,3 +129,5 @@ spokes.value[0..2].subnetResourceId
 spokes.value[0..2].subscriptionId
 spokes.value[0..2].virtualNetworkName
 spokes.value[0..2].virtualNetworkResourceId
+deployDefender.value
+emailSecurityContact.value
diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
index 36cf14e32..79b2a9a79 100644
--- a/src/bicep/add-ons/tier3/tier3.bicep
+++ b/src/bicep/add-ons/tier3/tier3.bicep
@@ -43,6 +43,12 @@ param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyti
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
+@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
+param deployDefender bool = mlzDeploymentVariables.deployDefender.Value
+@description('Email address of the contact, in the form of john@doe.com')
+param emailSecurityContact string = mlzDeploymentVariables.emailSecurityContact.Value
+
+
 @description('The address prefix for the network spoke vnet.')
 param virtualNetworkAddressPrefix string = '10.0.125.0/26'
@@ -193,6 +199,15 @@ module workloadSubscriptionActivityLogging '../../modules/central-logging.bicep'
 ]
 }
+module spokeDefender '../../modules/defender.bicep' = if (deployDefender) {
+name: 'set-${workloadName}-sub-defender'
+scope: subscription(workloadSubscriptionId)
+params: {
+logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
+emailSecurityContact: emailSecurityContact
+}
+}
+
 output resourceGroupName string = resourceGroup.outputs.name
 output location string = resourceGroup.outputs.location
 output tags object = resourceGroup.outputs.tags
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 959f19e1e..e08253a80 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -1097,6 +1097,10 @@ output hub object = {
 networkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId
 }
+output deployDefender bool = deployDefender
+
+output emailSecurityContact string = emailSecurityContact
+
 output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.name
 output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id
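Review bot: The new defaults `mlzDeploymentVariables.deployDefender.Value` and `mlzDeploymentVariables.emailSecurityContact.Value` dereference outputs that mlz.bicep only emits from this same commit onward (see the mlz.bicep hunk), so a Tier 3 deployment pointed at a core deployment created before this change fails on the missing property instead of falling back to the previous behaviour. A guarded default keeps older core deployments working: `param deployDefender bool = contains(mlzDeploymentVariables, 'deployDefender') ? mlzDeploymentVariables.deployDefender.Value : false` and `param emailSecurityContact string = contains(mlzDeploymentVariables, 'emailSecurityContact') ? mlzDeploymentVariables.emailSecurityContact.Value : ''`. The copied deployDefender description talks about "the subscriptions used in the deployment", but in this file it enables Defender on the workload subscription as a subscription-wide setting inherited silently from the core deployment, which the description should say. The two added blank lines before the virtualNetworkAddressPrefix description also leave a double blank line where one is the file's convention.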
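Review bot: The spokeDefender module is applied to `subscription(workloadSubscriptionId)` whenever the inherited deployDefender is true, but nothing at the call site documents that this configures Defender for the whole workload subscription rather than only the spoke resources, or that emailSecurityContact may be passed through as an empty string if the core deployment left it unset (its default is not visible from here). A comment above the module such as `// Mirrors the core deployment's Defender setup on the workload subscription; override deployDefender/emailSecurityContact to diverge from mlz.bicep` would make the inheritance explicit. If workloadSubscriptionId is one of the subscriptions the core deployment already configured, the same module is applied to it a second time from this file; presumably that is idempotent, but it is worth confirming against defender.bicep.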
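Review bot: The two new outputs echo input parameters without a `@description`, so the README entries `deployDefender.value` and `emailSecurityContact.value` added in the same commit carry no meaning for a reader consuming them through mlzDeploymentVariables. Adding `@description('Whether Microsoft Defender for Cloud was enabled for the deployment subscriptions; consumed by add-ons such as tier3 through mlzDeploymentVariables.')` above deployDefender, and a matching description above emailSecurityContact, would fix that. Note that emailSecurityContact is now persisted in the subscription-scope deployment's outputs and is readable by anyone with read access to the deployment history; that is acceptable for a shared security-contact mailbox but worth stating so a personal address is not used. The enclosing output list continues beyond the hunk.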