AKS Baseline regultated RA - convert subscription deployment to Bicep #62

merged 17 commits into from
Apr 22, 2022
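--- a/modules/subscriptionPolicyAssignment.bicep
+++ b/modules/subscriptionPolicyAssignment.bicep
@@ -6,25 +6,7 @@ targetScope = 'subscription'
 param enforcementMode string = 'Default'
 
-@description('Subsription deployment\'s main location (centralus if not specified)')
-@allowed([
-'australiaeast'
-'canadacentral'
-'centralus'
-'eastus'
-'eastus2'
-'westus2'
-'francecentral'
-'germanywestcentral'
-'northeurope'
-'southafricanorth'
-'southcentralus'
-'uksouth'
-'westeurope'
-'japaneast'
-'southeastasia'
-])
-param location string = 'centralus'
 
+param location string
 
 @description('The name of the policy or policy set to assign.')
 param policyDefinitionName string
@@ -33,7 +15,7 @@ param policyDefinitionName string
 param policyAssignmentIdentity object = {}
 
 @description('The desciption of the policy assignment')
-param polcyAssignmentDescription string = ''
+param policyAssignmentDescription string = ''
 
 @description('Policy assignment metadata; this parameter can by any object')
 param polcyAssignmentMetadata object = {}
@@ -55,7 +37,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01'
 location: location
 properties: {
 displayName: reference(subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', policyDefintion.name), '2020-09-01').displayName
-description: polcyAssignmentDescription
+description: policyAssignmentDescription
 notScopes: notScopes
 policyDefinitionId: subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', policyDefintion.name)
 enforcementMode: enforcementMode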
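Review bot: The new `param location string` carries no `@description`, unlike every sibling parameter visible in these hunks, and the removed decorator was the only place the parameter's purpose was stated; add `@description('Location of the policy assignment resource.')` above it — the value is consumed by `location: location` on the `policyAssignment` resource in the third hunk. Dropping the `'centralus'` default also makes the parameter required for every caller; the `defenderPolicyDeployment` module call in subscription.bicep does not show a `location` argument within the part of it on this page, so confirm it is passed. The rename to `policyAssignmentDescription` leaves `polcyAssignmentMetadata`, a context line two lines below it, with the same misspelling; renaming it in the same pass, with its callers, would keep the parameter names consistent. The `policyAssignment` resource body continues outside the third hunk.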
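--- a/modules/workloadPoliciesDeployment.bicep
+++ b/modules/workloadPoliciesDeployment.bicep
@@ -88,13 +88,19 @@ module NoPublicIPsForVMScaleSetsPolicyAssignment 'resourceGroupPolicyAssignment.
 }
 }
 
+@description('Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters - Policy definition')
+resource DenyAksWithoutPolicyPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+name: '0a15ec92-a229-4763-bb14-0ea34a568f8d'
+scope: subscription()
+}
+
 @description('Only support AKS clusters with Azure Policy enabled, deny any other. - Policy Assignment')
 module DenyAksWithoutPolicyPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
 name: 'Workload-DenyAksWithoutPolicyPolicyAssignment'
 scope: resourceGroup()
 params: {
 builtIn: true
-policyDefinitionName: '0a15ec92-a229-4763-bb14-0ea34a568f8d'
+policyDefinitionName: DenyAksWithoutPolicyPolicyDefinition.name
 policyAssignmentDescription: 'Only support AKS clusters with Azure Policy enabled, deny any other.'
 }
 }
@@ -115,44 +121,68 @@ module DenyAagWithoutWafPolicyAssignment 'resourceGroupPolicyAssignment.bicep' =
 }
 }
 
+@description('Role-Based Access Control (RBAC) should be used on Kubernetes Services - Policy definition.')
+resource DenyAksWithoutRbacPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+name: 'ac4a19c2-fa67-49b4-8ae5-0b2e78c49457'
+scope: subscription()
+}
+
 @description('Deny AKS clusters without RBAC policy applied to the appliction resource group. - Policy assignment')
 module DenyAksWithoutRbacPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
 name: 'Workload-DenyAksWithoutRbacPolicyAssignment'
 scope: resourceGroup()
 params: {
 builtIn: true
-policyDefinitionName: 'ac4a19c2-fa67-49b4-8ae5-0b2e78c49457'
+policyDefinitionName: DenyAksWithoutRbacPolicyDefinition.name
 policyAssignmentDescription: 'Only allow AKS with RBAC support enabled.'
 }
 }
 
+@description('Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version - Policy definition')
+resource DenyOldAksPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+name: 'fb893a29-21bb-418c-a157-e99480ec364c'
+scope: subscription()
+}
+
 @description('Deny AKS clusters on old version policy applied to the appliction resource group. - Policy Assignment')
 module DenyOldAksPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
 name: 'Workload-DenyOldAksPolicyAssignment'
 scope: resourceGroup()
 params: {
 builtIn: true
-policyDefinitionName: 'fb893a29-21bb-418c-a157-e99480ec364c'
+policyDefinitionName: DenyOldAksPolicyDefinition.name
 policyAssignmentDescription: 'Disallow older AKS versions.'
 }
 }
 
+@description('Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys - Policy definition')
+resource CustomerManagedEncryptionPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+name: '7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+scope: subscription()
+}
+
 @description('\'Customer-Managed Disk Encryption\' applied to resource group - Policy Assignment.')
 module CustomerManagedEncryptionPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
 name: 'Workload-CustomerManagedEncryptionPolicyAssignment'
 scope: resourceGroup()
 params: {
 builtIn: true
-policyDefinitionName: '7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+policyDefinitionName: CustomerManagedEncryptionPolicyDefinition.name
 }
 }
 
-@description('\'Encryption at Host\' policy applied to the resource group - Policy Assignment.')
+@description('Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host - Policy definition')
+resource EncryptionAtHostPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+name: '41425d9f-d1a5-499a-9932-f8ed8453932c'
+scope: subscription()
+}
+
+@description('Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host - Policy Assignment.')
 module EncryptionAtHostPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
 name: 'Workload-EncryptionAtHostPolicyAssignment'
 scope: resourceGroup()
 params: {
 builtIn: true
-policyDefinitionName: '41425d9f-d1a5-499a-9932-f8ed8453932c'
+policyDefinitionName: EncryptionAtHostPolicyDefinition.name
 }
 }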
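Review bot: The five new `existing` policy-definition references (`DenyAksWithoutPolicyPolicyDefinition`, `DenyAksWithoutRbacPolicyDefinition`, `DenyOldAksPolicyDefinition`, `CustomerManagedEncryptionPolicyDefinition`, `EncryptionAtHostPolicyDefinition`) declare `scope: subscription()`, but the GUID-named definitions they point at are Azure built-ins, which live at tenant scope rather than under the subscription. Only `.name` is read from them (`policyDefinitionName: DenyAksWithoutPolicyPolicyDefinition.name` and the four like it), so the value handed to the module is unchanged by this commit; anyone who later reads `.id`, however, will get a subscription-prefixed id for a definition that does not exist there, and `scope: tenant()` would describe the real location while still exposing `.name`. A short comment on the first reference, `// built-in definition, referenced here only for its name; the module resolves the id itself`, would make that intent explicit — presumably that is what the module's `builtIn: true` parameter does, though resourceGroupPolicyAssignment.bicep is not on this page.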
28 changes: 17 additions & 11 deletions subscription.bicep
Expand Up @@ -5,13 +5,13 @@ targetScope = 'subscription'
@description('By default Microsoft Defender for Kubernetes Service, Container Registry, and Key Vault are configured to deploy via Azure Policy, use this parameter to disable that.')
param enforceAzureDefenderAutoDeployPolicies bool = true

@description('By default Microsoft Defender for Kubernetes Service, Container Registry, and Key Vault are enabled; use this parameter to prevent them from being enabled. Deploying these requires subscription Owner or Security Admin roles.')
param enableAzureDefender bool = true
@description('By default Microsoft Defender for Containers service is enabled; use this parameter to prevent the involved pricings from being enabled. Deploying these requires subscription Owner or Security Admin roles.')
param enableMicrosoftDefenderForCloud bool = true

@description('networkWatcherRG often times already exists in a subscription. Empty string will result in using the default resource location.')
param networkWatcherRGRegion string = ''

@description('Subsription deployment\'s main location (centralus if not specified)')
@description('This region is used as the default for all generic resource groups and for any additional deployment resources. No resources are actually deployed to this resource group.')
@allowed([
'australiaeast'
'canadacentral'
Expand Down Expand Up @@ -57,6 +57,11 @@ resource rgNetworkWatchers 'Microsoft.Resources/resourceGroups@2021-04-01' = {
location: empty(networkWatcherRGRegion) ? 'centralus' : networkWatcherRGRegion
}

@description('Security Admin Role built-in role.')
resource securityAdminRole 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
name: 'fb1c8493-542b-48eb-b624-b4c8fea62acd'
}

@description('Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts for suspicious activities.')
resource pdEnableAksDefender 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
name: guid(subscription().id, 'EnableDefenderForAks')
Expand Down Expand Up @@ -86,7 +91,7 @@ resource pdEnableAksDefender 'Microsoft.Authorization/policyDefinitions@2021-06-
deploymentScope: 'subscription'
existenceScope: 'subscription'
roleDefinitionIds: [
'/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
securityAdminRole.id
]
existenceCondition: {
field: 'Microsoft.Security/pricings/pricingTier'
Expand Down Expand Up @@ -147,7 +152,7 @@ resource pdEnableAkvDefender 'Microsoft.Authorization/policyDefinitions@2021-06-
deploymentScope: 'subscription'
existenceScope: 'subscription'
roleDefinitionIds: [
'/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
securityAdminRole.id
]
existenceCondition: {
field: 'Microsoft.Security/pricings/pricingTier'
Expand Down Expand Up @@ -431,45 +436,46 @@ module defenderPolicyDeployment 'modules/subscriptionPolicyAssignment.bicep' = {
category: 'Microsoft Defender for Cloud'
}
policyDefinitionName: psdEnableDefender.name
polcyAssignmentDescription: 'Ensures that Microsoft Defender for Kuberentes Service, Container Service, and Key Vault are enabled.'
policyAssignmentDescription: 'Ensures that Microsoft Defender for Kuberentes Service, Container Service, and Key Vault are enabled.'
enforcementMode: enforceAzureDefenderAutoDeployPolicies ? 'Default' : 'DoNotEnforce'
notScopes: []
}
}

@description('Enable Microsoft Defender Standard for Key Vault. Requires Owner or Security Admin role.')
resource enableKeyVaultspricing 'Microsoft.Security/pricings@2018-06-01' = if (enableAzureDefender) {
resource enableKeyVaultspricing 'Microsoft.Security/pricings@2018-06-01' = if (enableMicrosoftDefenderForCloud) {
name: 'KeyVaults'
properties: {
pricingTier: 'Standard'
}
}

@description('Enable Microsoft Defender Standard for Container Registry. Requires Owner or Security Admin role.')
resource enableContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = if (enableAzureDefender) {
resource enableContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = if (enableMicrosoftDefenderForCloud) {
name: 'ContainerRegistry'
properties: {
pricingTier: 'Standard'
}
}

@description('Enable Microsoft Defender Standard for Kubernetes Service. Requires Owner or Security Admin role.')
resource enableKubernetesService 'Microsoft.Security/pricings@2018-06-01' = if (enableAzureDefender) {
resource enableKubernetesService 'Microsoft.Security/pricings@2018-06-01' = if (enableMicrosoftDefenderForCloud) {
name: 'KubernetesService'
properties: {
pricingTier: 'Standard'
}
}

@description('Enable Microsoft Defender Standard for Azure Resource Manager. Requires Owner or Security Admin role.')
resource enableArm 'Microsoft.Security/pricings@2018-06-01' = if (enableAzureDefender) {
resource enableArm 'Microsoft.Security/pricings@2018-06-01' = if (enableMicrosoftDefenderForCloud) {
name: 'Arm'
properties: {
pricingTier: 'Standard'
}
}

@description('Enable Microsoft Defender Standard for Azure DNS. Requires Owner or Security Admin role.')
resource enableDns 'Microsoft.Security/pricings@2018-06-01' = if (enableAzureDefender) {
resource enableDns 'Microsoft.Security/pricings@2018-06-01' = if (enableMicrosoftDefenderForCloud) {
name: 'Dns'
properties: {
pricingTier: 'Standard'
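Review bot: `securityAdminRole.id` in the `roleDefinitionIds` arrays of `pdEnableAksDefender` and `pdEnableAkvDefender` no longer emits the string the removed literal held: with `targetScope = 'subscription'` and no `scope:` on the new `existing` `securityAdminRole` resource, Bicep resolves the id to `/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd`, whereas the old value was the tenant-level `/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd`. Since this is the role the deployIfNotExists identity is granted, either keep the tenant-level form by adding `scope: tenant()` to the `securityAdminRole` resource, or confirm that the policy service accepts the subscription-scoped form before merging. Separately, the new `@description` on `enableMicrosoftDefenderForCloud` names only the Containers service, while the flag also gates the `KeyVaults`, `Arm` and `Dns` pricings in the last hunk; wording such as `@description('By default the Microsoft Defender for Cloud plans used here (Kubernetes Service, Container Registry, Key Vault, Resource Manager and DNS) are enabled; use this parameter to prevent them from being enabled. Deploying these requires subscription Owner or Security Admin roles.')` would match the resources. The bodies of `pdEnableAksDefender` and `pdEnableAkvDefender` start and end outside the shown hunks.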