inherit policy deployment settings in T3

* tier3 deploy policy Azure#727 Tier 3 does not deploy policy. Note: The Scope is dependent on issue Azure#724 as it will reference the the resource group in the tier3 subscription * Updating Tier3 ReadMe Adding optional parameters deployPolicy and policy to the tier 3 readme * Adding new outputs to MLZ Core Readme Adding new outputs to MLZ Core Readme Co-authored-by: lisamurphy-msft <[email protected]>
ARPA-H · Sep 7, 2022 · 42d5fcf · 42d5fcf
1 parent 383a40d
commit 42d5fcf
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/src/bicep/README.md b/src/bicep/README.md
@@ -129,5 +129,8 @@ spokes.value[0..2].subnetResourceId
 spokes.value[0..2].subscriptionId
 spokes.value[0..2].virtualNetworkName
 spokes.value[0..2].virtualNetworkResourceId
+deployPolicy.value
+policyName.value
 deployDefender.value
 emailSecurityContact.value
+
diff --git a/src/bicep/add-ons/tier3/README.md b/src/bicep/add-ons/tier3/README.md
@@ -27,6 +27,8 @@ resourcePrefix | mlz | A prefix, 3 to 10 characters in length, to append to reso
 Optional Parameters | Default | Description
 ------------------- | ------- | -----------
 virtualNetworkAddressPrefix | 10.0.125.0/26 | The address prefix for the network spoke vnet.
+deployPolicy | Output from mlz.bicep (false) | When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".
+policy | Output from mlz.bicep (Nist) | [NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.
 
 ### Generate MLZ Variable File
 

diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep
@@ -42,6 +42,11 @@ param hubVirtualNetworkResourceId string = mlzDeploymentVariables.hub.Value.virt
 param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
+@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
+param policy string = mlzDeploymentVariables.policyName.Value
+@description('When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".')
+param deployPolicy bool = mlzDeploymentVariables.deployPolicy.Value
+
 
 @description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".')
 param deployDefender bool = mlzDeploymentVariables.deployDefender.Value
@@ -85,7 +90,10 @@ param subnetServiceEndpoints array = []
 param logStorageSkuName string = 'Standard_GRS'
 
 @description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
-param tags object = {}
+param tags object = {} 
+
+@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
+param deploymentNameSuffix string = utcNow()
 
 /*
 
@@ -117,6 +125,7 @@ var workloadLogStorageAccountName = take(workloadLogStorageAccountUniqueName, 23
 var workloadVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, workloadName)
 var workloadNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, workloadName)
 var workloadSubnetName = replace(subnetNamingConvention, nameToken, workloadName)
+var logAnalyticsWorkspaceResourceId_split = split(logAnalyticsWorkspaceResourceId, '/')
 
 var defaultTags = {
   DeploymentType: 'MissionLandingZoneARM'
@@ -199,6 +208,18 @@ module workloadSubscriptionActivityLogging '../../modules/central-logging.bicep'
   ]
 }
 
+module workloadPolicyAssignment '../../modules/policy-assignment.bicep' = if (deployPolicy) {
+  name: 'assign-policy-${workloadName}-${deploymentNameSuffix}'
+  scope:  az.resourceGroup(workloadSubscriptionId, resourceGroup.name)
+  params: {
+    builtInAssignment: policy
+    logAnalyticsWorkspaceName: logAnalyticsWorkspaceResourceId_split[8]
+    logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspaceResourceId_split[4]
+    location: location
+    operationsSubscriptionId: logAnalyticsWorkspaceResourceId_split[2]
+   }
+  }
+
 module spokeDefender '../../modules/defender.bicep' = if (deployDefender) {
   name: 'set-${workloadName}-sub-defender'
   scope: subscription(workloadSubscriptionId)

diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
@@ -1107,6 +1107,10 @@ output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id
 
 output diagnosticStorageAccountName string = operationsLogStorageAccountName
 
+output policyName string = policy
+
+output deployPolicy bool = deployPolicy
+
 output spokes array = [for (spoke, i) in spokes: {
   name: spoke.name
   subscriptionId: spoke.subscriptionId