AKS Baseline regultated RA - convert subscription deployment to Bicep

docs/deploy/04-subscription.md

@@ -98,14 +98,14 @@ Not only do we enable them in the steps below by default, but also set up an Azu
 
    ```bash
    # [This may take up to six minutes to run.]
-   az deployment sub create -f subscription.json -l centralus -p networkWatcherRGRegion="${NETWORK_WATCHER_RG_REGION}"
+   az deployment sub create -f subscription.bicep -l centralus -p networkWatcherRGRegion="${NETWORK_WATCHER_RG_REGION}"
    ```
 
    If you do not have permissions on your subscription to enable Microsoft Defender (which requires the Azure RBAC role of _Subscription Owner_ or _Security Admin_), then instead execute the following variation of the same command. This will not enable Microsoft Defender services nor will Azure Policy attempt to enable the same (the policy will still be created, but in audit-only mode). Your final implementation should be to a subscription with these security services activated.
 
    ```bash
    # [This may take up to five minutes to run.]
-   az deployment sub create -f subscription.json -l centralus -p enableAzureDefender=false enforceAzureDefenderAutoDeployPolicies=false networkWatcherRGRegion="${NETWORK_WATCHER_RG_REGION}"
+   az deployment sub create -f subscription.bicep -l centralus -p enableMicrosoftDefenderForCloud=false enforceAzureDefenderAutoDeployPolicies=false networkWatcherRGRegion="${NETWORK_WATCHER_RG_REGION}"
    ```
 
 ## Azure Security Benchmark

modules/hubsPoliciesDeployment.bicep

@@ -0,0 +1,60 @@
+targetScope = 'resourceGroup'
+
+/*** EXISTING RESOURCES ***/
+
+@description('Allowed resource types - Policy definition')
+resource allowedResourceTypespolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+    name: 'a08ec900-254a-4555-9bf5-e42af04b5c5c'
+    scope: subscription()
+}
+
+@description('Network Watcher should be enabled - Policy Definition')
+resource NetworkWatcherShouldBeEnabledPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+    name: 'b6e2945c-0b7b-40f5-9233-7a5323b5cdc6'
+    scope: subscription()
+}
+
+/*** RESOURCES ***/
+
+@description('Allowed Resources Policy applied to the hubs RG to only allow select networking and observation resources.')
+module allowedResourcespolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
+    name: 'Hubs-allowedResourcespolicyAssignment'
+    scope: resourceGroup()
+    params: {
+        builtIn: true
+        policyDefinitionName: allowedResourceTypespolicyDefinition.name
+        policyAssignmentDescription: 'List of supported resources for our enterprise hubs resource group'
+        policyAssignmentParameters: {
+            listOfResourceTypesAllowed: {
+                value: [
+                    'Microsoft.Insights/diagnosticSettings'
+                    'Microsoft.Insights/workbooks'
+                    'Microsoft.Network/azureFirewalls'
+                    'Microsoft.Network/bastionHosts'
+                    'Microsoft.Network/ipGroups'
+                    'Microsoft.Network/networkSecurityGroups'
+                    'Microsoft.Network/networkSecurityGroups/securityRules'
+                    'Microsoft.Network/publicIpAddresses'
+                    'Microsoft.Network/virtualNetworkGateways'
+                    'Microsoft.Network/virtualNetworks'
+                    'Microsoft.Network/virtualNetworks/subnets'
+                    'Microsoft.Network/virtualNetworks/virtualNetworkPeerings'
+                    'Microsoft.OperationalInsights/workspaces'
+                    'Microsoft.OperationsManagement/solutions'
+                    'Microsoft.Storage/storageAccounts'
+                ]
+            }
+        }
+    }
+}
+
+@description('Applying the \'Network Watcher Should be Enabled\' policy to the Hub resource group.')
+module NetworkWatcherShouldBeEnabledPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
+    name: 'Hubs-NetworkWatcherShouldBeEnabledPolicyAssignment'
+    scope: resourceGroup()
+    params: {
+        builtIn: true
+        policyDefinitionName: NetworkWatcherShouldBeEnabledPolicyDefinition.name
+        policyAssignmentDescription: 'Applying the \'Network Watcher Should be Enabled\' policy to the Hub resource group.'
+    }
+}

modules/networkWatchersPoliciesDeployment.bicep

@@ -0,0 +1,32 @@
+targetScope = 'resourceGroup'
+
+/*** EXISTING RESOURCES ***/
+
+@description('Allowed resource types - Policy definition')
+resource allowedResourceTypespolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+    name: 'a08ec900-254a-4555-9bf5-e42af04b5c5c'
+    scope: subscription()
+}
+
+/*** RESOURCES ***/
+
+@description('Allowed Resources Policy applied to the network watchers resource group to only allow select networking resources.')
+module allowedResourcespolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
+    name: 'NetworkWatchers-allowedResourcespolicyAssignment'
+    scope: resourceGroup()
+    params: {
+        builtIn: true
+        policyDefinitionName: allowedResourceTypespolicyDefinition.name
+        policyAssignmentDescription: 'List of supported resources for our Network Watcher resource group'
+        policyAssignmentEnforcementMode: 'DoNotEnforce' // Since this RG may be under existing policy control in your subscription, adding this policy as audit-only.
+        policyAssignmentParameters: {
+            listOfResourceTypesAllowed: {
+                value: [
+                    'Microsoft.Network/networkWatchers'
+                    'Microsoft.Network/networkWatchers/flowLogs'
+                ]
+            }
+        }
+    }
+}
+

modules/resourceGroupPolicyAssignment.bicep

@@ -0,0 +1,51 @@
+targetScope = 'resourceGroup'
+
+/*** PARAMETERS ***/
+
+@description('Indicates whether the policy being assigned is built in or not.')
+param builtIn bool = true
+
+@description('The name of the policy to assign.')
+@minLength(36)
+@maxLength(36)
+param policyDefinitionName string
+
+@description('The description of the policy assignment.')
+@minLength(1)
+param policyAssignmentDescription string
+
+@description('The he policy assignment\'s parameters')
+param policyAssignmentParameters object = {}
+
+@description('This property provides the ability to test the outcome of a policy on existing resources without initiating the policy effect or triggering entries in the Azure Activity log')
+@allowed([
+    'Default'
+    'DoNotEnforce'
+])
+param policyAssignmentEnforcementMode string = 'Default'
+
+/*** EXISTING RESOURCES ***/
+
+resource customPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+    name: policyDefinitionName
+    scope: subscription()
+}
+
+/*** VARIABLES ***/
+
+var builtInPolicyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/${policyDefinitionName}'
+
+/*** RESOURCES ***/
+
+@description('Assigns a Policy at Resource Group level')
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' =  {
+    name: guid( builtIn ? builtInPolicyDefinitionId : customPolicyDefinition.id, resourceGroup().name)
+    scope: resourceGroup()
+    properties: {
+        displayName: trim(take('[${resourceGroup().name}] ${ builtIn ? reference(builtInPolicyDefinitionId, '2021-06-01').displayName : customPolicyDefinition.properties.displayName }', 125))
+        description: policyAssignmentDescription
+        policyDefinitionId: builtIn ? builtInPolicyDefinitionId : customPolicyDefinition.id
+        parameters: policyAssignmentParameters
+        enforcementMode: policyAssignmentEnforcementMode
+    }
+}

modules/spokesPoliciesDeployment.bicep

@@ -0,0 +1,53 @@
+targetScope = 'resourceGroup'
+
+
+@description('Allowed resource types - Policy definition')
+resource allowedResourceTypespolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+    name: 'a08ec900-254a-4555-9bf5-e42af04b5c5c'
+    scope: subscription()
+}
+
+@description('Network Watcher should be enabled - Policy Definition')
+resource NetworkWatcherShouldBeEnabledPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' existing = {
+    name: 'b6e2945c-0b7b-40f5-9233-7a5323b5cdc6'
+    scope: subscription()
+}
+
+
+/*** RESOURCES ***/
+
+@description('Allowed Resources Policy applied to the spokes RG to only allow select networking and observation resources.')
+module allowedResourcespolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
+    name: 'Spokes-allowedResourcespolicyAssignment'
+    scope: resourceGroup()
+    params: {
+        builtIn: true
+        policyDefinitionName: allowedResourceTypespolicyDefinition.name
+        policyAssignmentDescription: 'List of supported resources for our enterprise spokes resource group'
+        policyAssignmentParameters: {
+            listOfResourceTypesAllowed: {
+                value: [
+                    'Microsoft.Network/networkSecurityGroups'
+                    'Microsoft.Network/privateDnsZones'
+                    'Microsoft.Network/privateDnsZones/virtualNetworkLinks'
+                    'Microsoft.Network/publicIpAddresses'
+                    'Microsoft.Network/routeTables'
+                    'Microsoft.Network/virtualNetworks'
+                    'Microsoft.Network/virtualNetworks/subnets'
+                    'Microsoft.Network/virtualNetworks/virtualNetworkPeerings'
+                ]
+            }
+        }
+    }
+}
+
+@description('Applying the \'Network Watcher Should be Enabled\' policy to the Hub resource group.')
+module NetworkWatcherShouldBeEnabledPolicyAssignment 'resourceGroupPolicyAssignment.bicep' = {
+    name: 'Spokes-NetworkWatcherShouldBeEnabledPolicyAssignment'
+    scope: resourceGroup()
+    params: {
+        builtIn: true
+        policyDefinitionName: NetworkWatcherShouldBeEnabledPolicyDefinition.name
+        policyAssignmentDescription: 'Applying the \'Network Watcher Should be Enabled\' policy to the Spoke resource group.'
+    }
+}

modules/subscriptionPolicyAssignment.bicep

@@ -0,0 +1,50 @@
+targetScope = 'subscription'
+
+/*** PARAMETERS ***/
+
+@description('The policy assignment enforcement mode.')
+@allowed([
+    'Default'
+    'DoNotEnforce'
+])
+param enforcementMode string = 'Default'
+
+@description('Subsription deployment\'s main location.')
+@minLength(4)
+param location string
+
+@description('The name of the policy set to assign.')
+@minLength(36)
+@maxLength(36)
+param policyDefinitionSetName string
+
+@description('The desciption of the policy assignment.')
+@minLength(1)
+param policyAssignmentDescription string
+
+@description('Policy assignment metadata; this parameter can by any object.')
+param polcyAssignmentMetadata object = {}
+
+/*** VARIABLES ***/
+
+var builtIntPolicyDefinitionSetId = subscriptionResourceId('Microsoft.Authorization/policySetDefinitions', policyDefinitionSetName)
+
+/*** RESOURCES ***/
+
+@description('Assignment of policy')
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' =  {
+    name: guid(builtIntPolicyDefinitionSetId)
+    identity: {
+        type: 'SystemAssigned'
+    }
+    location: location
+    scope: subscription()
+    properties: {
+        displayName: reference(builtIntPolicyDefinitionSetId, '2021-06-01').displayName
+        description: policyAssignmentDescription
+        notScopes: []
+        policyDefinitionId: builtIntPolicyDefinitionSetId
+        enforcementMode: enforcementMode
+        metadata: polcyAssignmentMetadata
+    }
+}