From d33ea98946678cbad30b57181d14ecf3fed8aa06 Mon Sep 17 00:00:00 2001
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Mon, 18 Jul 2022 17:23:33 -0400
Subject: [PATCH 1/5] Update tier3.bicep
---
 src/bicep/add-ons/tier3/tier3.bicep | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
index eb31c556f..8950bfaec 100644
--- a/src/bicep/add-ons/tier3/tier3.bicep
+++ b/src/bicep/add-ons/tier3/tier3.bicep
@@ -81,6 +81,12 @@ param logStorageSkuName string = 'Standard_GRS'
 @description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
 param tags object = {}
+@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
+param deployDefender bool = false
+
+@description('Email address of the contact, in the form of john@doe.com')
+param emailSecurityContact string = ''
+
 /*
 NAMING CONVENTION
@@ -190,6 +196,15 @@ module workloadSubscriptionActivityLogging '../../modules/central-logging.bicep'
 ]
 }
+module spokeDefender '../../modules/defender.bicep' = if (deployDefender) {
+ name: 'set-${workloadName}-sub-defender'
+ scope: subscription(workloadSubscriptionId)
+ params: {
+ logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
+ emailSecurityContact: emailSecurityContact
+ }
+}
+
 output resourceGroupName string = resourceGroup.outputs.name
 output location string = resourceGroup.outputs.location
 output tags object = resourceGroup.outputs.tags
From 1ff3a9be26b247b97b801773b1a5f1373653fb19 Mon Sep 17 00:00:00 2001
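Review bot: `param emailSecurityContact string = ''` carries no constraint, yet the `spokeDefender` module in the second hunk is deployed whenever `deployDefender` is true and passes that possibly-empty value straight through as `emailSecurityContact`. If `defender.bicep` (not shown here) creates a security-contact resource from it, an operator who flips `deployDefender` without also setting the address presumably gets a deploy-time failure, or a contact with no address, rather than a clear message. A `@minLength(1)` cannot be applied because the parameter must stay optional, so the cheapest improvement is to state the dependency in the description, e.g. `@description('Email address of the security contact, in the form of john@doe.com. Required when deployDefender is true.')`; gating the module with `if (deployDefender && !empty(emailSecurityContact))` would avoid the failure but silently skips Defender enablement, which is the worse outcome. `module spokeDefender` is complete within its hunk.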
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Wed, 27 Jul 2022 13:16:38 -0400
Subject: [PATCH 2/5] Tier 3 Defender Update Pulling Defender info from the core mlz.bicep deployment Updating Tier 3 Readme
---
 src/bicep/add-ons/tier3/README.md | 2 ++
 src/bicep/add-ons/tier3/tier3.bicep | 3 +++
 src/bicep/mlz.bicep | 4 ++++
 3 files changed, 9 insertions(+)
diff --git a/src/bicep/add-ons/tier3/README.md b/src/bicep/add-ons/tier3/README.md
index 30ab414fe..49d4cb69a 100644
--- a/src/bicep/add-ons/tier3/README.md
+++ b/src/bicep/add-ons/tier3/README.md
@@ -27,6 +27,8 @@ resourcePrefix | mlz | A prefix, 3 to 10 characters in length, to append to reso
 Optional Parameters | Default | Description
 ------------------- | ------- | -----------
 virtualNetworkAddressPrefix | 10.0.125.0/26 | The address prefix for the network spoke vnet.
+deployDefender | Output from mlz.bicep (false) | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
+emailSecurityContact | Output from mlz.bicep (empty '') | Email address of the contact, in the form of john@doe.com
 ### Generate MLZ Variable File
diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
index 8950bfaec..da1b844ae 100644
--- a/src/bicep/add-ons/tier3/tier3.bicep
+++ b/src/bicep/add-ons/tier3/tier3.bicep
@@ -42,6 +42,9 @@ param hubVirtualNetworkResourceId string = mlzDeploymentVariables.hub.Value.virt
 param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
+param deployDefender bool = mlzDeploymentVariables.deployDefender.Value
+param emailSecurityContact string = mlzDeploymentVariables.emailSecurityContact.Value
+
 @description('The address prefix for the network spoke vnet.')
 param virtualNetworkAddressPrefix string = '10.0.125.0/26'
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index c8f87605d..413b1d561 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -1048,6 +1048,10 @@ output hub object = {
 networkSecurityGroupResourceId: hubNetwork.outputs.networkSecurityGroupResourceId
 }
+output deployDefender bool = deployDefender
+
+output emailSecurityContact string = emailSecurityContact
+
 output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.name
 output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id
From e845594de232ab7701a146f66decdb9dfd24d9e5 Mon Sep 17 00:00:00 2001
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Wed, 27 Jul 2022 14:52:32 -0400
Subject: [PATCH 3/5] Update Tier3. Removing Duplicate parameters and moving comments up Fixing error with duplicate parameters. Adding Moving description comments to the parameters that pull from mlzDeploymentVariables
---
 src/bicep/add-ons/tier3/tier3.bicep | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
index da1b844ae..ff5ebc546 100644
--- a/src/bicep/add-ons/tier3/tier3.bicep
+++ b/src/bicep/add-ons/tier3/tier3.bicep
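Review bot: `param deployDefender bool = mlzDeploymentVariables.deployDefender.Value` and the line below it dereference outputs that only exist in variable files generated from an mlz.bicep that already carries this series' new outputs; a variable file produced by an earlier MLZ deployment will make the template fail at the property access instead of falling back to a default. The neighbouring parameters use the same pattern, but their outputs predate this change, so the risk is specific to these two lines. A guarded default keeps older variable files working: `param deployDefender bool = contains(mlzDeploymentVariables, 'deployDefender') ? mlzDeploymentVariables.deployDefender.Value : false` and `param emailSecurityContact string = contains(mlzDeploymentVariables, 'emailSecurityContact') ? mlzDeploymentVariables.emailSecurityContact.Value : ''`. The same two lines reappear as context in the `@@ -42,7 +42,10 @@` hunk of the third patch, so the guard should be applied there too.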
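Review bot: `output emailSecurityContact string = emailSecurityContact` turns the contact address into a deployment output, so it is persisted in the subscription's deployment history and in the generated MLZ variable file that tier3.bicep reads; that is acceptable for a contact address, but the pattern must not be extended to anything declared `@secure()`, which the Bicep linter flags when emitted as an output. A one-line comment above the two new outputs saying why they exist, e.g. `// Surfaced so add-ons (tier3.bicep) can inherit the core deployment's Defender settings`, would tell the next maintainer that the names are a contract consumed downstream and cannot be renamed freely. The declarations of `deployDefender` and `emailSecurityContact` in mlz.bicep are outside the hunk.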
@@ -42,7 +42,10 @@ param hubVirtualNetworkResourceId string = mlzDeploymentVariables.hub.Value.virt
 param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
+
+@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
 param deployDefender bool = mlzDeploymentVariables.deployDefender.Value
+@description('Email address of the contact, in the form of john@doe.com')
 param emailSecurityContact string = mlzDeploymentVariables.emailSecurityContact.Value
@@ -84,12 +87,6 @@ param logStorageSkuName string = 'Standard_GRS'
 @description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
 param tags object = {}
-@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
-param deployDefender bool = false
-
-@description('Email address of the contact, in the form of john@doe.com')
-param emailSecurityContact string = ''
-
 /*
 NAMING CONVENTION
From 6c42098273bdbd918e5c7ab6c466dfbae66fb63c Mon Sep 17 00:00:00 2001
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Mon, 15 Aug 2022 11:23:59 -0400
Subject: [PATCH 4/5] Adding New Outputs to the Bicep Core Readme Documentation Adding New Outputs to the Bicep Core Readme Documentation
---
 src/bicep/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/bicep/README.md b/src/bicep/README.md
index ccbaba049..feb4e4ca2 100644
--- a/src/bicep/README.md
+++ b/src/bicep/README.md
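Review bot: The description added above `param deployDefender bool = mlzDeploymentVariables.deployDefender.Value` still says `It defaults to "false"`, but after this patch the default is whatever the core deployment emitted, not a literal false; the same applies to the email description, whose empty default is no longer visible in this file. Suggest `@description('Inherited from the MLZ deployment variables (mlz.bicep output deployDefender). When true, enables Microsoft Defender for Cloud for the workload subscription.')` and a matching sentence on `emailSecurityContact` stating that it is inherited from the core deployment's output and is required when Defender is enabled. The second hunk of this patch is a pure removal of the duplicated parameters and needs no change.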
@@ -129,3 +129,5 @@ spokes.value[0..2].subnetResourceId
 spokes.value[0..2].subscriptionId
 spokes.value[0..2].virtualNetworkName
 spokes.value[0..2].virtualNetworkResourceId
+deployDefender.value
+emailSecurityContact.value
From f1eef042f980c0a196946332c7b2ea4ecdcd56b6 Mon Sep 17 00:00:00 2001
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Thu, 1 Sep 2022 16:10:00 -0400
Subject: [PATCH 5/5] Removing parameters from the Tier3 Readme that are not needed because they are inherited With the inheritance pattern proposed in this PR, this will not be necessary to explicitly state here. The state of just using the same default configuration in the original MLZ deployment will be sufficient with the added changes of documenting the additional two outputs.
---
 src/bicep/add-ons/tier3/README.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/bicep/add-ons/tier3/README.md b/src/bicep/add-ons/tier3/README.md
index 49d4cb69a..30ab414fe 100644
--- a/src/bicep/add-ons/tier3/README.md
+++ b/src/bicep/add-ons/tier3/README.md
@@ -27,8 +27,6 @@ resourcePrefix | mlz | A prefix, 3 to 10 characters in length, to append to reso
 Optional Parameters | Default | Description
 ------------------- | ------- | -----------
 virtualNetworkAddressPrefix | 10.0.125.0/26 | The address prefix for the network spoke vnet.
-deployDefender | Output from mlz.bicep (false) | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
-emailSecurityContact | Output from mlz.bicep (empty '') | Email address of the contact, in the form of john@doe.com
 ### Generate MLZ Variable File