diff --git a/README.md b/README.md index f31f314..dd6d09e 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,9 @@ - [Definition and Assignment Scopes](#definition-and-assignment-scopes) - [Limitations](#limitations) - [Useful Resources](#useful-resources) +- [Known Issues](#known-issues) + - [Parameter Values are nulled with TF >= 14](#parameter-values-are-nulled-with-tf--14) + - [Error: Invalid for_each argument](#error-invalid-for_each-argument) ## Repo Folder Structure @@ -68,7 +71,7 @@ ```hcl module whitelist_regions { source = "gettek/policy-as-code/azurerm//modules/definition" - version = "1.1.0" + version = "1.2.0" policy_name = "whitelist_regions" display_name = "Allow resources only in whitelisted regions" policy_category = "General" @@ -91,7 +94,7 @@ Policy Initiatives are used to combine sets of definitions in order to simplify ```hcl module platform_baseline_initiative { source = "gettek/policy-as-code/azurerm//modules/initiative" - version = "1.1.0" + version = "1.2.0" initiative_name = "platform_baseline_initiative" initiative_display_name = "[Platform]: Baseline Policy Set" initiative_description = "Collection of policies representing the baseline platform requirements" @@ -114,7 +117,7 @@ module platform_baseline_initiative { ```hcl module org_mg_whitelist_regions { source = "gettek/policy-as-code/azurerm//modules/def_assignment" - version = "1.1.0" + version = "1.2.0" definition = module.whitelist_regions.definition assignment_scope = local.default_assignment_scope assignment_effect = "Deny" 
@@ -140,9 +143,9 @@ Azure Policy supports the following types of effect: ### Automate Remediation Tasks -The `def_assignment` and `set_assignment` modules will automatically create [remediation tasks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) for policies with effects of `DeployIfNotExists` and `Modify`. The task name is suffixed with a timestamp to ensure a new task gets created on each `terraform apply`. This can be prevented with `-TF_VAR_skip_remediation=true`. +The `def_assignment` and `set_assignment` modules will automatically create [remediation tasks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) for policies with effects of `DeployIfNotExists` and `Modify`. The task name is suffixed with a timestamp to ensure a new task gets created on each `terraform apply`. This can be prevented with `-var "skip_remediation=true"`. -> :bulb: **Note:** To fully automate remediation tasks without manual intervention via the portal, it may be necessary in some instances to create custom role defenitions. This is a disadvantage by design as identified [in this GitHub issue](https://github.com/Azure/azure-powershell/issues/10196). However an example custom role definition [as seen here](policies/Monitoring/deploy_subscription_diagnostic_setting/README.md#cross-subscription-role-assignment) can be used by the system assigned managed identity, created by the policy assignment, to remediate cross-subscription activity log forwarders. +> :bulb: **Note:** To fully automate remediation tasks without manual intervention via the portal, it may be necessary in some instances to create custom role definitions. This is a disadvantage by design as identified [in this GitHub issue](https://github.com/Azure/azure-powershell/issues/10196). 
However a Custom or [Built-In](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) Role definition reference can be assigned to the managed identity created by the policy assignment [as seen here](examples/assignments_org.tf#L60). ## Creating Custom Versions of Built-In Policies @@ -252,3 +255,13 @@ module from_mono_repo_with_tags { - [Terraform Provider: azurerm_policy_set_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition) - [Terraform Provider: azurerm_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment) - [Terraform Provider: azurerm_policy_remediation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) + +## Known Issues + +### Parameter Values are nulled with TF >= 14 + +When using Terraform 14 and above it appears all `parameter_values` within a policy set definition are nulled, these are then recreated and removed on each consecutive plan/apply. **[Issue 11327 raised here](https://github.com/terraform-providers/terraform-provider-azurerm/issues/11327)** + +### Error: Invalid for_each argument + +You may sometimes experience plan/apply issues when running an initial deployment of the `set_assignment` module. To prevent this, set the flag `-var "skip_remediation=true"` and omit for consecutive builds. diff --git a/examples/README.md b/examples/README.md index c3d0725..0a0a080 100644 Binary files a/examples/README.md and b/examples/README.md differ diff --git a/examples/TEMPLATE.md b/examples/TEMPLATE.md index e61cc67..617b0d1 100644 --- a/examples/TEMPLATE.md +++ b/examples/TEMPLATE.md 
@@ -1,18 +1,3 @@ # Azure Policy Deployments -This examples folder demonstrates an effective deployment of Azure Policy Definitions and Assignments. The order of execution is generally from `definitions.tf` -> `initiatives.tf` -> `assignments_.tf` - -### Resources - -* azurerm_policy_definition.def -* azurerm_policy_set_definition.set -* azurerm_policy_set_definition.cis_benchmark -* azurerm_policy_assignment.def -* azurerm_policy_assignment.set -* azurerm_policy_remediation.rem -* random_uuid.org_mg_remediate_platform_diagnostics_initiative -* random_uuid.org_mg_add_replace_resource_group_tag_key_modify -* data.azurerm_role_definition.security_admin -* azurerm_role_assignment.org_mg_configure_asc_initiative -* azurerm_role_definition.org_mg_remediate_platform_diagnostics_initiative -* azurerm_role_assignment.org_mg_add_replace_resource_group_tag_key_modify +This examples folder demonstrates an effective deployment of Azure Policy Definitions and Assignments. The order of execution is generally from `definitions.tf` -> `initiatives.tf` -> `assignments_.tf` \ No newline at end of file diff --git a/examples/assignments_org.tf b/examples/assignments_org.tf index 4be04df..e9596cb 100644 --- a/examples/assignments_org.tf +++ b/examples/assignments_org.tf @@ -60,7 +60,7 @@ module org_mg_configure_asc_initiative { resource azurerm_role_assignment org_mg_configure_asc_initiative { count = var.skip_remediation ? 0 : 1 scope = azurerm_management_group.org.id - role_definition_id = data.azurerm_role_definition.security_admin.id + role_definition_id = data.azurerm_role_definition.contributor.id principal_id = module.org_mg_configure_asc_initiative.identity_id } 
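Review bot: The remediation identity of `org_mg_configure_asc_initiative` is now bound to the built-in Contributor role at `azurerm_management_group.org.id` instead of Security Admin, and nothing in the change records why the broader role is needed. Contributor grants write on every resource type under the org management group to a managed identity whose only job is DeployIfNotExists/Modify remediation, so a mis-scoped policy rule or a compromise of that assignment now has blast radius over the whole hierarchy. If Security Admin lacked a handful of actions for some member policy, a custom role listing those actions (as the definitions deleted elsewhere in this change did) or a narrower built-in keeps least privilege; at minimum add a comment above `role_definition_id`, e.g. `# Contributor required: <policy> deploys <resource type>, which Security Admin cannot write`. The initiative's member policies are outside this diff, so the true minimum action set cannot be confirmed here.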
@@ -98,41 +98,6 @@ module org_mg_network_deny_nat_rules_firewall {
 ##################
 # Monitoring
 ##################
-resource random_uuid org_mg_remediate_platform_diagnostics_initiative {}
-
-resource azurerm_role_definition org_mg_remediate_platform_diagnostic_settings {
- name = "policy_remediates_platform_diagnostic_settings"
- role_definition_id = random_uuid.org_mg_remediate_platform_diagnostics_initiative.result
- scope = azurerm_management_group.org.id
- description = "Enables the managed identity created by policy assignment permissions to remediate non compliant resources"
-
- permissions {
- actions = [
- "Microsoft.Authorization/*/read",
- "Microsoft.Automation/automationAccounts/*",
- "Microsoft.Compute/virtualMachines/extensions/write",
- "Microsoft.Compute/virtualMachines/extensions/read",
- "Microsoft.EventHub/namespaces/authorizationrules/listkeys/action",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Insights/components/*/read",
- "Microsoft.Insights/alertRules/*",
- "Microsoft.Insights/diagnosticSettings/*",
- "Microsoft.OperationalInsights/*",
- "Microsoft.OperationsManagement/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
- "Microsoft.Support/*",
- "Microsoft.Storage/storageAccounts/listKeys/action",
- "Microsoft.Storage/storageAccounts/read",
- ]
- }
-
- assignable_scopes = [
- azurerm_management_group.org.id
- ]
-}
-
 module org_mg_platform_diagnostics_initiative {
 source = "..//modules/set_assignment"
 initiative = module.platform_diagnostics_initiative.initiative
@@ -157,35 +122,6 @@ module org_mg_platform_diagnostics_initiative {
 resource azurerm_role_assignment org_mg_remediate_platform_diagnostic_settings {
 count = var.skip_remediation ? 0 : 1
 scope = azurerm_management_group.org.id
- role_definition_id = azurerm_role_definition.org_mg_remediate_platform_diagnostic_settings.role_definition_resource_id
+ role_definition_id = data.azurerm_role_definition.contributor.id
 principal_id = module.org_mg_platform_diagnostics_initiative.identity_id
 }
-
-
-##################
-# Tags
-##################
-
-resource random_uuid org_mg_add_replace_resource_group_tag_key_modify {}
-
-resource azurerm_role_definition org_mg_add_replace_resource_group_tag_key_modify {
- name = "policy_remediates_add_replace_resource_group_tags"
- role_definition_id = random_uuid.org_mg_add_replace_resource_group_tag_key_modify.result
- scope = azurerm_management_group.org.id
- description = "Enables the managed identity created by policy assignment permissions to remediate non resource group tags"
- permissions {
- actions = [
- "Microsoft.Authorization/*/read",
- "Microsoft.Automation/automationAccounts/*",
- "Microsoft.Resources/deployments/*",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
- "Microsoft.Resources/tags/read",
- "Microsoft.Resources/tags/write",
- "Microsoft.Support/*"
- ]
- }
- assignable_scopes = [
- azurerm_management_group.org.id
- ]
-}
diff --git a/examples/assignments_team_a.tf b/examples/assignments_team_a.tf
index e33b8f1..6372370 100644
--- a/examples/assignments_team_a.tf
+++ b/examples/assignments_team_a.tf
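Review bot: `role_definition_id` for `org_mg_remediate_platform_diagnostic_settings` moves from the custom `policy_remediates_platform_diagnostic_settings` role to built-in Contributor, while the definition deleted in the preceding hunk enumerated exactly the actions the remediation identity needed (diagnosticSettings/*, deployments/*, OperationalInsights/*, listKeys on Storage and EventHub, and so on). That list is the least-privilege baseline; Contributor at the org management group scope lets the same identity write any resource type in the hierarchy, far beyond what a diagnostic-settings DeployIfNotExists requires. If the custom role was dropped because of the `random_uuid`-based role id or the remediation ordering issues noted in the README, consider keeping the enumerated role with a deterministic id, or checking whether a narrower built-in such as Monitoring Contributor covers the listed actions (it would need verifying against the listKeys and OperationsManagement entries), and record the decision in a comment on the `role_definition_id` line. The tag role removed at the bottom of the hunk is replaced by built-in Tag Contributor in examples/assignments_team_a.tf, which is an appropriately narrow substitute.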
@@ -40,7 +40,7 @@ module customer_mg_add_replace_resource_group_tag_key_modify { resource azurerm_role_assignment customer_mg_add_replace_resource_group_tag_key_modify { count = var.skip_remediation ? 0 : 1 scope = azurerm_management_group.team_a.id - role_definition_id = azurerm_role_definition.org_mg_add_replace_resource_group_tag_key_modify.role_definition_resource_id + role_definition_id = data.azurerm_role_definition.tag_contributor.id principal_id = module.customer_mg_add_replace_resource_group_tag_key_modify.identity_id } diff --git a/examples/backend.tf b/examples/backend.tf index 77c511d..586f2c9 100644 --- a/examples/backend.tf +++ b/examples/backend.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13" + required_version = "<= 0.13.6" required_providers { azurerm = { diff --git a/examples/data.tf b/examples/data.tf index 04458d7..95b487c 100644 --- a/examples/data.tf +++ b/examples/data.tf @@ -8,7 +8,11 @@ locals { } } -# Security Admin Built-In Role Definition -data azurerm_role_definition security_admin { - name = "Security Admin" +# Built-in Roles +data "azurerm_role_definition" "contributor" { + name = "Contributor" } + +data "azurerm_role_definition" "tag_contributor" { + name = "Tag Contributor" +} \ No newline at end of file diff --git a/modules/cis_benchmark/README.md b/modules/cis_benchmark/README.md index 1f12bbf..7cadc35 100644 --- a/modules/cis_benchmark/README.md +++ b/modules/cis_benchmark/README.md @@ -16,6 +16,8 @@ We do not want to assign the set defined by Azure as it is: ## Built-In Reference Modified from: [Built-In: CISv1_1_0_audit](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CISv1_1_0_audit.json) + + ## Requirements No requirements. 
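Review bot: `required_version = "<= 0.13.6"` in examples/backend.tf removes the lower bound, so the constraint now also admits 0.11 and 0.12, which cannot parse the `required_providers { azurerm = { source = ... } }` block that follows it. A two-sided constraint keeps both the 0.13 floor and the workaround for the 0.14 parameter-nulling issue: `required_version = ">= 0.13, <= 0.13.6"`. Capping below 0.14 also means later core and provider fixes never reach the examples, so the reason should sit next to the pin, e.g. `# 0.14+ nulls policy_set_definition parameter_values, see README "Known Issues"`. The `terraform` block continues outside the hunk.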
@@ -24,26 +26,36 @@ No requirements. | Name | Version | |------|---------| -| azurerm | n/a | +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_policy_set_definition.cis_benchmark](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| audit\_log\_analytics\_workspace\_retention\_id | The audit\_log\_analytics\_workspace\_retention custom policy Id to replace CISv110x5x1x2 | `any` | n/a | yes | -| benchmark\_version | Usually the git tag version for this benchmark | `string` | `"1.0.0"` | no | -| description | Benchmark description | `string` | n/a | yes | -| display\_name | Benchmark display name | `string` | n/a | yes | -| management\_group\_name | The scope at which the benchmark will be defined. Currently this must be the group\_id of a management group. Changing this forces a new resource to be created | `string` | n/a | yes | -| name | Benchmark name. 
Changing this forces a new resource to be created | `string` | n/a | yes | +| [audit\_log\_analytics\_workspace\_retention\_id](#input\_audit\_log\_analytics\_workspace\_retention\_id) | The audit\_log\_analytics\_workspace\_retention custom policy Id to replace CISv110x5x1x2 | `any` | n/a | yes | +| [benchmark\_version](#input\_benchmark\_version) | Usually the git tag version for this benchmark | `string` | `"1.0.0"` | no | +| [description](#input\_description) | Benchmark description | `string` | n/a | yes | +| [display\_name](#input\_display\_name) | Benchmark display name | `string` | n/a | yes | +| [management\_group\_name](#input\_management\_group\_name) | The scope at which the benchmark will be defined. Currently this must be the group\_id of a management group. Changing this forces a new resource to be created | `string` | n/a | yes | +| [name](#input\_name) | Benchmark name. Changing this forces a new resource to be created | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| id | The Id of the Benchmark Definition | -| initiative | The complete CIS Benchmark Initiative resource node | -| metadata | The metadata of the Benchmark Definition | -| name | The name of the Benchmark Definition | -| parameters | The combined parameters of the Benchmark Definition | - +| [id](#output\_id) | The Id of the Benchmark Definition | +| [initiative](#output\_initiative) | The complete CIS Benchmark Initiative resource node | +| [metadata](#output\_metadata) | The metadata of the Benchmark Definition | +| [name](#output\_name) | The name of the Benchmark Definition | +| [parameters](#output\_parameters) | The combined parameters of the Benchmark Definition | diff --git a/modules/cis_benchmark/data.tf b/modules/cis_benchmark/data.tf new file mode 100644 index 0000000..a0f6417 --- /dev/null +++ b/modules/cis_benchmark/data.tf @@ -0,0 +1 @@ +data azurerm_client_config current {} \ No newline at end of file 
diff --git a/modules/cis_benchmark/main.tf b/modules/cis_benchmark/main.tf index 26f97f1..95bdfc3 100644 --- a/modules/cis_benchmark/main.tf +++ b/modules/cis_benchmark/main.tf @@ -31,21 +31,6 @@ resource azurerm_policy_set_definition cis_benchmark { reference_id = "CISv110x1x2" } - policy_definition_reference { - policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60" - reference_id = "CISv110x1x3" - } - - policy_definition_reference { - policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4" - reference_id = "CISv110x1x3m" - } - - policy_definition_reference { - policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9" - reference_id = "CISv110x1x3mm" - } - policy_definition_reference { policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9" reference_id = "CISv110x1x23" @@ -230,16 +215,6 @@ resource azurerm_policy_set_definition cis_benchmark { reference_id = "CISv110x5x1x2m" } - policy_definition_reference { - policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7" - reference_id = "CISv110x5x1x3" - } - - policy_definition_reference { - policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9" - reference_id = "CISv110x5x1x4" - } - policy_definition_reference { policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2" reference_id = "CISv110x5x1x6" 
@@ -249,92 +224,7 @@ resource azurerm_policy_set_definition cis_benchmark {
 policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21"
 reference_id = "CISv110x5x1x7"
 }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Authorization/policyAssignments/write" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858"
- reference_id = "CISv110x5x2x1"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Network/networkSecurityGroups/write" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a"
- reference_id = "CISv110x5x2x2"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Network/networkSecurityGroups/delete" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a"
- reference_id = "CISv110x5x2x3"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Network/networkSecurityGroups/securityRules/write" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a"
- reference_id = "CISv110x5x2x4"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Network/networkSecurityGroups/securityRules/delete" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a"
- reference_id = "CISv110x5x2x5"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Security/securitySolutions/write" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052"
- reference_id = "CISv110x5x2x6"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Security/securitySolutions/delete" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052"
- reference_id = "CISv110x5x2x7"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Sql/servers/firewallRules/write" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a"
- reference_id = "CISv110x5x2x8"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Sql/servers/firewallRules/delete" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a"
- reference_id = "CISv110x5x2x8m"
- }
-
- policy_definition_reference {
- parameter_values = jsonencode({
- operationName = { value = "Microsoft.Security/policies/write" }
- })
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052"
- reference_id = "CISv110x5x2x9"
- }
-
- policy_definition_reference {
- policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6"
- reference_id = "CISv110x6x1"
- }
-
+
 policy_definition_reference {
 policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab"
 reference_id = "CISv110x6x2"
diff --git a/modules/cis_benchmark/variables.tf b/modules/cis_benchmark/variables.tf
index 97feac4..7e9958e 100644
--- a/modules/cis_benchmark/variables.tf
+++ b/modules/cis_benchmark/variables.tf
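Review bot: Removing the CISv110x5x2x1 through CISv110x5x2x9 references (activity-log alerts for policy assignment writes, NSG and NSG-rule create/delete, security solution create/delete, SQL firewall rule changes, security policy writes) and CISv110x6x1 leaves this initiative with no evaluation of the CIS 5.2 alerting controls, and neither the change nor the module README's "We do not want to assign the set defined by Azure as it is" section records this as an intentional deviation; earlier hunks in the same file also drop 1x3, 5x1x3 and 5x1x4. Anyone assigning this benchmark will see those controls silently absent from compliance results, so each omission should be listed under the README's Built-In Reference heading or left as a comment where the block was, e.g. `# CIS 5.2.1-5.2.9 and 6.1 intentionally omitted: <reason>; covered by <other initiative>`. The single added line after the removed block appears to be empty or whitespace-only and can probably go (`terraform fmt`). The `azurerm_policy_set_definition.cis_benchmark` resource starts before and ends after this hunk.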
@@ -26,7 +26,14 @@ variable benchmark_version { locals { parameters = file("${path.module}/parameters.json") - metadata = jsonencode(merge({ category = "Regulatory Compliance" }, { version = var.benchmark_version })) + metadata = jsonencode(merge( + { createdBy = data.azurerm_client_config.current.client_id }, + { category = "Regulatory Compliance" }, + { createdOn = timestamp() }, + { updatedBy = "" }, + { updatedOn = "" }, + { version = var.benchmark_version }, + )) } variable audit_log_analytics_workspace_retention_id { diff --git a/modules/def_assignment/README.md b/modules/def_assignment/README.md index afe0339..fc7d301 100644 --- a/modules/def_assignment/README.md +++ b/modules/def_assignment/README.md 
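Review bot: `createdOn = timestamp()` in `local.metadata` yields a new value on every plan, so unless `azurerm_policy_set_definition.cis_benchmark` ignores `metadata` changes (that resource is outside this hunk) the set definition will show a perpetual diff and its recorded creation time is rewritten on each apply. `createdBy = data.azurerm_client_config.current.client_id` likewise stamps the deploying principal's client id into metadata readable by anyone with policy read access; probably acceptable, but worth stating. Azure Policy is also understood to maintain `createdBy`/`createdOn`/`updatedBy`/`updatedOn` itself, so client-side values may simply be overwritten. Since modules/definition uses the same pattern (see its hunk below), a one-line comment above the `merge(` call such as `# mirrors the definition module; metadata drift from timestamp() is ignored via lifecycle in main.tf` (if that is the case) would stop the next reader treating the plan noise as a bug.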
@@ -10,28 +10,38 @@ No requirements. | Name | Version | |------|---------| -| azurerm | n/a | +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_policy_assignment.def](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment) | resource | +| [azurerm_policy_remediation.rem](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| assignment\_description | A description to use for the Policy Assignment. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_display\_name | The policy assignment display name, if blank the definition display\_name will be used. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_effect | The effect of the policy. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_enforcement\_mode | Can be set to 'true' or 'false' to control whether the assignment is enforced | `bool` | `true` | no | -| assignment\_location | The Azure location where this policy assignment should exist, required when an Identity is assigned. Defaults to UK South. Changing this forces a new resource to be created | `string` | `"uksouth"` | no | -| assignment\_not\_scopes | A list of the Policy Assignment's excluded scopes. Must be full resource IDs | `list` | `[]` | no | -| assignment\_parameters | The policy assignment parameters. Changing this forces a new resource to be created | `any` | `null` | no | -| assignment\_scope | The scope at which the policy will be assigned. Must be full resource IDs. 
Changing this forces a new resource to be created | `string` | n/a | yes | -| definition | Policy Definition resource node | `any` | n/a | yes | -| skip\_remediation | Should the module skip creation of a remediation task for policies that DeployIfNotExists and Modify | `bool` | `false` | no | +| [assignment\_description](#input\_assignment\_description) | A description to use for the Policy Assignment. Changing this forces a new resource to be created | `string` | `""` | no | +| [assignment\_display\_name](#input\_assignment\_display\_name) | The policy assignment display name, if blank the definition display\_name will be used. Changing this forces a new resource to be created | `string` | `""` | no | +| [assignment\_effect](#input\_assignment\_effect) | The effect of the policy. Changing this forces a new resource to be created | `string` | `null` | no | +| [assignment\_enforcement\_mode](#input\_assignment\_enforcement\_mode) | Can be set to 'true' or 'false' to control whether the assignment is enforced | `bool` | `true` | no | +| [assignment\_location](#input\_assignment\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. Defaults to UK South. Changing this forces a new resource to be created | `string` | `"uksouth"` | no | +| [assignment\_not\_scopes](#input\_assignment\_not\_scopes) | A list of the Policy Assignment's excluded scopes. Must be full resource IDs | `list` | `[]` | no | +| [assignment\_parameters](#input\_assignment\_parameters) | The policy assignment parameters. Changing this forces a new resource to be created | `any` | `null` | no | +| [assignment\_scope](#input\_assignment\_scope) | The scope at which the policy will be assigned. Must be full resource IDs. 
Changing this forces a new resource to be created | `string` | n/a | yes | +| [definition](#input\_definition) | Policy Definition resource node | `any` | n/a | yes | +| [skip\_remediation](#input\_skip\_remediation) | Should the module skip creation of a remediation task for policies that DeployIfNotExists and Modify | `bool` | `false` | no | ## Outputs | Name | Description | |------|-------------| -| id | The Policy Assignment Id | -| identity\_id | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned | -| remediation\_id | The Id of the Policy Remediation | - +| [id](#output\_id) | The Policy Assignment Id | +| [identity\_id](#output\_identity\_id) | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned | +| [remediation\_id](#output\_remediation\_id) | The Id of the Policy Remediation | diff --git a/modules/def_assignment/main.tf b/modules/def_assignment/main.tf index 7143c34..54c4afb 100644 --- a/modules/def_assignment/main.tf +++ b/modules/def_assignment/main.tf @@ -13,7 +13,7 @@ resource azurerm_policy_assignment def { identity { type = local.identity_type } - + lifecycle { create_before_destroy = true ignore_changes = [ @@ -27,4 +27,6 @@ resource azurerm_policy_remediation rem { name = lower("${var.definition.name}-${formatdate("DD-MM-YYYY-hh:mm:ss", timestamp())}") scope = var.assignment_scope policy_assignment_id = azurerm_policy_assignment.def.id + + depends_on = [ azurerm_policy_assignment.def ] } diff --git a/modules/def_assignment/variables.tf b/modules/def_assignment/variables.tf index 44e4cf4..ea052df 100644 --- a/modules/def_assignment/variables.tf +++ b/modules/def_assignment/variables.tf 
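Review bot: The new `depends_on = [ azurerm_policy_assignment.def ]` on `azurerm_policy_remediation.rem` is redundant: `policy_assignment_id = azurerm_policy_assignment.def.id` two lines above already establishes that dependency, so Terraform orders the two resources identically with or without it. If the real intent is to have the remediation task wait for the identity's role assignment, that resource is created by callers (examples/assignments_org.tf), not by this module, so a `depends_on` here cannot express it; the caller needs `depends_on = [azurerm_role_assignment.<name>]` on the module call, or the module needs an input the caller can thread the role assignment through. Either drop the line or replace it with a comment naming the ordering it is meant to enforce. The `lifecycle`/`ignore_changes` block touched by the earlier hunk is cut off by the hunk boundary.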
@@ -17,13 +17,13 @@ variable assignment_not_scopes { variable assignment_display_name { type = string description = "The policy assignment display name, if blank the definition display_name will be used. Changing this forces a new resource to be created" - default = null + default = "" } variable assignment_description { type = string description = "A description to use for the Policy Assignment. Changing this forces a new resource to be created" - default = null + default = "" } variable assignment_effect { @@ -61,10 +61,10 @@ locals { assignment_name = lower(substr(var.definition.name, 0, 24)) # definition display_name will be used if omitted - display_name = var.assignment_display_name != null ? var.assignment_display_name : var.definition.display_name + display_name = var.assignment_display_name != "" ? var.assignment_display_name : var.definition.display_name # definition discription will be used if omitted - description = var.assignment_description != null ? var.assignment_description : var.definition.description + description = var.assignment_description != "" ? var.assignment_description : var.definition.description # convert assignment parameters to the required assignment structure parameter_values = var.assignment_parameters != null ? { diff --git a/modules/definition/README.md b/modules/definition/README.md index 4f21c4e..8e02849 100644 --- a/modules/definition/README.md +++ b/modules/definition/README.md 
@@ -1,6 +1,6 @@ # POLICY DEFINITION MODULE -This reusable module depends on populating `var.policy_category` and `var.policy_name` to correspend with the subfolder containing the policy defenition `json` files, expected as `parameters.json` and `rules.json`. +This module depends on populating `var.policy_category` and `var.policy_name` to correspond with the subfolder containing the policy definition `json` files, expected as `parameters.json` and `rules.json`. > :bulb: **Note:** More information on Policy Defenition Structure [can be found here](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure) 
@@ -14,31 +14,41 @@ No requirements. | Name | Version | |------|---------| -| azurerm | n/a | +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_policy_definition.def](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| display\_name | Display Name to be used for this policy | `string` | n/a | yes | -| management\_group\_name | The management group scope at which the policy will be defined. Changing this forces a new resource to be created. | `string` | n/a | yes | -| policy\_category | The category of the policy, should correspond to the correct category folder under /policies/policy\_category | `string` | n/a | yes | -| policy\_description | Policy definition description | `string` | `null` | no | -| policy\_metadata | The metadata for the policy definition. This is a JSON string representing additional metadata that should be stored with the policy definition. Omitting this will merge var.policy\_category and var.policy\_version as the metadata | `any` | `null` | no | -| policy\_mode | The mode of the policy, can be All or Indexed | `string` | `"All"` | no | -| policy\_name | Name to be used for this policy, this should correspond to the correct category folder under /policies/policy\_category/policy\_name if using local policies. Changing this forces a new resource to be created. | `string` | n/a | yes | -| policy\_parameters | Parameters for the policy definition. This field is a JSON string that allows you to parameterise your policy definition. 
Omitting this assumes the file is located at /policies/var.policy\_category/var.policy\_name/parameters.json | `any` | `null` | no | -| policy\_rule | The policy rule for the policy definition. This is a JSON string representing the rule that contains an if and a then block. Omitting this assumes the file is located at /policies/var.policy\_category/var.policy\_name/rules.json/ | `any` | `null` | no | -| policy\_version | The git tag or version for this policy, defaults to 1.0.0 | `string` | `"1.0.0"` | no | +| [display\_name](#input\_display\_name) | Display Name to be used for this policy | `string` | n/a | yes | +| [management\_group\_name](#input\_management\_group\_name) | The management group scope at which the policy will be defined. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [policy\_category](#input\_policy\_category) | The category of the policy, should correspond to the correct category folder under /policies/policy\_category | `string` | n/a | yes | +| [policy\_description](#input\_policy\_description) | Policy definition description | `string` | `""` | no | +| [policy\_metadata](#input\_policy\_metadata) | The metadata for the policy definition. This is a JSON string representing additional metadata that should be stored with the policy definition. Omitting this will merge var.policy\_category and var.policy\_version as the metadata | `any` | `null` | no | +| [policy\_mode](#input\_policy\_mode) | The mode of the policy, can be All or Indexed | `string` | `"All"` | no | +| [policy\_name](#input\_policy\_name) | Name to be used for this policy, this should correspond to the correct category folder under /policies/policy\_category/policy\_name if using local policies. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [policy\_parameters](#input\_policy\_parameters) | Parameters for the policy definition. This field is a JSON string that allows you to parameterise your policy definition. 
Omitting this assumes the file is located at /policies/var.policy\_category/var.policy\_name/parameters.json | `any` | `null` | no | +| [policy\_rule](#input\_policy\_rule) | The policy rule for the policy definition. This is a JSON string representing the rule that contains an if and a then block. Omitting this assumes the file is located at /policies/var.policy\_category/var.policy\_name/rules.json/ | `any` | `null` | no | +| [policy\_version](#input\_policy\_version) | The version for this policy, defaults to 1.0.0 | `string` | `"1.0.0"` | no | ## Outputs | Name | Description | |------|-------------| -| definition | The complete resource node of the Policy Definition | -| id | The Id of the Policy Definition | -| metadata | The metadata of the Policy Definition | -| name | The name of the Policy Definition | -| parameters | The parameters of the Policy Definition | -| rules | The rules of the Policy Definition | - +| [definition](#output\_definition) | The complete resource node of the Policy Definition | +| [id](#output\_id) | The Id of the Policy Definition | +| [metadata](#output\_metadata) | The metadata of the Policy Definition | +| [name](#output\_name) | The name of the Policy Definition | +| [parameters](#output\_parameters) | The parameters of the Policy Definition | +| [rules](#output\_rules) | The rules of the Policy Definition | diff --git a/modules/definition/TEMPLATE.md b/modules/definition/TEMPLATE.md index b3566a1..349be88 100644 --- a/modules/definition/TEMPLATE.md +++ b/modules/definition/TEMPLATE.md 
@@ -1,6 +1,6 @@ # POLICY DEFINITION MODULE -This reusable module depends on populating `var.policy_category` and `var.policy_name` to correspend with the subfolder containing the policy defenition `json` files, expected as `parameters.json` and `rules.json`. +This module depends on populating `var.policy_category` and `var.policy_name` to correspond with the subfolder containing the policy definition `json` files, expected as `parameters.json` and `rules.json`. > :bulb: **Note:** More information on Policy Defenition Structure [can be found here](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure) diff --git a/modules/definition/variables.tf b/modules/definition/variables.tf index 006fd0d..e0b3ca5 100644 --- a/modules/definition/variables.tf +++ b/modules/definition/variables.tf @@ -16,7 +16,7 @@ variable display_name { variable policy_description { type = string description = "Policy definition description" - default = null + default = "" } variable policy_mode { @@ -32,7 +32,7 @@ variable policy_category { variable policy_version { type = string - description = "The git tag or version for this policy, defaults to 1.0.0" + description = "The version for this policy, defaults to 1.0.0" default = "1.0.0" } @@ -66,8 +66,8 @@ locals { { createdBy = data.azurerm_client_config.current.client_id }, { category = var.policy_category }, { createdOn = timestamp() }, - { updatedBy = null }, - { updatedOn = null }, + { updatedBy = "" }, + { updatedOn = "" }, { version = var.policy_version }, )) : var.policy_metadata } diff --git a/modules/initiative/README.md b/modules/initiative/README.md index 5bc0b0b..dc89d85 100644 --- a/modules/initiative/README.md +++ b/modules/initiative/README.md 
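Review bot: `local.metadata` still embeds `createdOn = timestamp()`, which Terraform re-evaluates on every plan, so the policy definition's metadata will show a change on every apply unless the definition resource's `lifecycle.ignore_changes` covers `metadata` (that resource is not in this chunk, so I cannot confirm it). The switch from `null` to `""` for `updatedBy`/`updatedOn` also writes empty strings into fields that Azure Policy, as far as I know, populates itself as common metadata properties, so it is worth confirming the service does not reject or overwrite them. A one-line comment on those two entries, such as `# "" rather than null: null values are dropped by TF >= 0.14, see README "Known Issues"`, would record why the empty strings are there.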
@@ -12,27 +12,37 @@ No requirements. | Name | Version | |------|---------| -| azurerm | n/a | +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_policy_set_definition.set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| initiative\_category | The category of the initiative | `string` | `"General"` | no | -| initiative\_description | Policy initiative description | `string` | `""` | no | -| initiative\_display\_name | Policy initiative display name | `string` | n/a | yes | -| initiative\_name | Policy initiative name. Changing this forces a new resource to be created | `string` | n/a | yes | -| initiative\_version | The git tag version for this policy, will be suffixed to initiative\_display\_name and initiative\_description | `string` | `"1.0.0"` | no | -| management\_group\_name | The scope at which the initiative will be defined. Currently this must be the group\_id of a management group. Changing this forces a new resource to be created | `string` | n/a | yes | -| member\_definitions | Policy Defenition resource nodes that will be members of this initiative | `any` | n/a | yes | +| [initiative\_category](#input\_initiative\_category) | The category of the initiative | `string` | `"General"` | no | +| [initiative\_description](#input\_initiative\_description) | Policy initiative description | `string` | `""` | no | +| [initiative\_display\_name](#input\_initiative\_display\_name) | Policy initiative display name | `string` | n/a | yes | +| [initiative\_name](#input\_initiative\_name) | Policy initiative name. 
Changing this forces a new resource to be created | `string` | n/a | yes | +| [initiative\_version](#input\_initiative\_version) | The version for this initiative, defaults to 1.0.0 | `string` | `"1.0.0"` | no | +| [management\_group\_name](#input\_management\_group\_name) | The scope at which the initiative will be defined. Currently this must be the group\_id of a management group. Changing this forces a new resource to be created | `string` | `null` | no | +| [member\_definitions](#input\_member\_definitions) | Policy Defenition resource nodes that will be members of this initiative | `any` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| id | The Id of the Policy Set Definition | -| initiative | The complete Policy Initiative resource node | -| metadata | The metadata of the Policy Set Definition | -| name | The name of the Policy Set Definition | -| parameters | The combined parameters of the Policy Set Definition | - +| [id](#output\_id) | The Id of the Policy Set Definition | +| [initiative](#output\_initiative) | The complete Policy Initiative resource node | +| [metadata](#output\_metadata) | The metadata of the Policy Set Definition | +| [name](#output\_name) | The name of the Policy Set Definition | +| [parameters](#output\_parameters) | The combined parameters of the Policy Set Definition | diff --git a/modules/initiative/main.tf b/modules/initiative/main.tf index 7fae678..1178ed3 100644 --- a/modules/initiative/main.tf +++ b/modules/initiative/main.tf @@ -6,6 +6,9 @@ resource azurerm_policy_set_definition set { management_group_name = var.management_group_name + metadata = local.metadata + parameters = local.all_parameters + dynamic "policy_definition_reference" { for_each = [for d in var.member_definitions : { id = d.id 
@@ -15,7 +18,7 @@ resource azurerm_policy_set_definition set { content { policy_definition_id = policy_definition_reference.value.id - reference_id = policy_definition_reference.value.ref_id + reference_id = policy_definition_reference.value.ref_id parameter_values = jsonencode({ for k in keys(policy_definition_reference.value.parameters) : k => { value = "[parameters('${k}')]" } @@ -23,9 +26,6 @@ resource azurerm_policy_set_definition set { } } - parameters = local.all_parameters - metadata = local.metadata - lifecycle { create_before_destroy = true ignore_changes = [ diff --git a/modules/initiative/variables.tf b/modules/initiative/variables.tf index 89429e9..bb2232b 100644 --- a/modules/initiative/variables.tf +++ b/modules/initiative/variables.tf @@ -1,6 +1,7 @@ variable management_group_name { type = string description = "The scope at which the initiative will be defined. Currently this must be the group_id of a management group. Changing this forces a new resource to be created" + default = null } variable initiative_name { @@ -27,7 +28,7 @@ variable initiative_category { variable initiative_version { type = string - description = "The git tag version for this policy, will be suffixed to initiative_display_name and initiative_description" + description = "The version for this initiative, defaults to 1.0.0" default = "1.0.0" } @@ -44,12 +45,13 @@ locals { } all_parameters = jsonencode(merge(values(local.parameters)...)) + metadata = jsonencode(merge( { createdBy = data.azurerm_client_config.current.client_id }, { category = var.initiative_category }, { createdOn = timestamp() }, - { updatedBy = null }, - { updatedOn = null }, + { updatedBy = "" }, + { updatedOn = "" }, { version = var.initiative_version }, )) } diff --git a/modules/set_assignment/README.md b/modules/set_assignment/README.md index 9f365cb..7fbb5ac 100644 --- a/modules/set_assignment/README.md +++ b/modules/set_assignment/README.md 
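Review bot: `management_group_name` now defaults to `null`, but its description still says it "must be the group_id of a management group", so the generated README table in this diff documents an optional input with mandatory wording. Suggest `description = "The management group (group_id) at which the initiative will be defined; leave null to define it at the provider's subscription scope. Changing this forces a new resource to be created"`, with the subscription-scope fallback confirmed against the azurerm provider version in use, since that is provider behaviour rather than anything this module checks.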
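Review bot: The initiative's `local.metadata` has the same `createdOn = timestamp()` issue as the definition module: the value changes on every plan, so `metadata` diffs on every apply unless the `ignore_changes` list in `main.tf` (its contents are cut off in this diff) includes `metadata`. A short comment on the `createdOn` line, e.g. `# timestamp() changes every plan; metadata must stay in lifecycle.ignore_changes`, would tie the two together for the next maintainer.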
@@ -10,27 +10,37 @@ No requirements. | Name | Version | |------|---------| -| azurerm | n/a | +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_policy_assignment.set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment) | resource | +| [azurerm_policy_remediation.rem](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| assignment\_description | A description to use for the Policy Assignment. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_display\_name | The policy assignment display name, if blank the definition display\_name will be used. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_effect | The effect of the policy. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_enforcement\_mode | Can be set to 'true' or 'false' to control whether the assignment is enforced | `bool` | `true` | no | -| assignment\_location | The Azure location where this policy assignment should exist, required when an Identity is assigned. Defaults to UK South. Changing this forces a new resource to be created | `string` | `null` | no | -| assignment\_not\_scopes | A list of the Policy Assignment's excluded scopes. Must be full resource IDs | `list` | `[]` | no | -| assignment\_parameters | The policy assignment parameters. Changing this forces a new resource to be created | `any` | `null` | no | -| assignment\_scope | The scope at which the policy initiative will be assigned. Must be full resource IDs. 
Changing this forces a new resource to be created | `string` | n/a | yes | -| initiative | Policy Initiative resource node | `any` | n/a | yes | -| skip\_remediation | Should the module skip creation of a remediation task for policies that Append, DeployIfNotExists and Modify | `bool` | `false` | no | +| [assignment\_description](#input\_assignment\_description) | A description to use for the Policy Assignment. Changing this forces a new resource to be created | `string` | `""` | no | +| [assignment\_display\_name](#input\_assignment\_display\_name) | The policy assignment display name, if blank the definition display\_name will be used. Changing this forces a new resource to be created | `string` | `""` | no | +| [assignment\_effect](#input\_assignment\_effect) | The effect of the policy. Changing this forces a new resource to be created | `string` | `null` | no | +| [assignment\_enforcement\_mode](#input\_assignment\_enforcement\_mode) | Can be set to 'true' or 'false' to control whether the assignment is enforced | `bool` | `true` | no | +| [assignment\_location](#input\_assignment\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. Defaults to UK South. Changing this forces a new resource to be created | `string` | `"uksouth"` | no | +| [assignment\_not\_scopes](#input\_assignment\_not\_scopes) | A list of the Policy Assignment's excluded scopes. Must be full resource IDs | `list` | `[]` | no | +| [assignment\_parameters](#input\_assignment\_parameters) | The policy assignment parameters. Changing this forces a new resource to be created | `any` | `null` | no | +| [assignment\_scope](#input\_assignment\_scope) | The scope at which the policy initiative will be assigned. Must be full resource IDs. 
Changing this forces a new resource to be created | `string` | n/a | yes | +| [initiative](#input\_initiative) | Policy Initiative resource node | `any` | n/a | yes | +| [skip\_remediation](#input\_skip\_remediation) | Should the module skip creation of a remediation task for policies that DeployIfNotExists and Modify | `bool` | `false` | no | ## Outputs | Name | Description | |------|-------------| -| id | The Policy Assignment Id | -| identity\_id | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned | - +| [id](#output\_id) | The Policy Assignment Id | +| [identity\_id](#output\_identity\_id) | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned | diff --git a/modules/set_assignment/main.tf b/modules/set_assignment/main.tf index 40f47b3..c69241d 100644 --- a/modules/set_assignment/main.tf +++ b/modules/set_assignment/main.tf @@ -28,4 +28,6 @@ resource azurerm_policy_remediation rem { scope = var.assignment_scope policy_assignment_id = azurerm_policy_assignment.set.id policy_definition_reference_id = each.value.reference_id + + depends_on = [ azurerm_policy_assignment.set ] } diff --git a/modules/set_assignment/variables.tf b/modules/set_assignment/variables.tf index 41f21d2..2e2e033 100644 --- a/modules/set_assignment/variables.tf +++ b/modules/set_assignment/variables.tf @@ -17,13 +17,13 @@ variable assignment_not_scopes { variable assignment_display_name { type = string description = "The policy assignment display name, if blank the definition display_name will be used. Changing this forces a new resource to be created" - default = null + default = "" } variable assignment_description { type = string description = "A description to use for the Policy Assignment. Changing this forces a new resource to be created" - default = null + default = "" } variable assignment_effect { 
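Review bot: The added `depends_on = [ azurerm_policy_assignment.set ]` is redundant: `policy_assignment_id = azurerm_policy_assignment.set.id` on the line above already makes every remediation depend on the assignment, and explicit `depends_on` tends to make Terraform plan more conservatively. If it was added to work around a timing problem (for example identity or role propagation after the assignment is created), that is a different fix, and a comment such as `# explicit dependency kept on purpose: <reason>` would stop the next reader from removing it as dead code.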
@@ -61,10 +61,10 @@ locals { assignment_name = lower(substr(var.initiative.name, 0, 24)) # initiative display_name will be used if omitted - display_name = var.assignment_display_name != null ? var.assignment_display_name : var.initiative.display_name + display_name = var.assignment_display_name != "" ? var.assignment_display_name : var.initiative.display_name # initiative discription will be used if omitted - description = var.assignment_description != null ? var.assignment_description : var.initiative.description + description = var.assignment_description != "" ? var.assignment_description : var.initiative.description # convert assignment parameters to the required assignment structure parameter_values = var.assignment_parameters != null ? { diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vm/README.md b/policies/Compute/deploy_linux_lad_vm_agent/README.md similarity index 100% rename from policies/Compute/deploy_lad_vm_agent_linux_vm/README.md rename to policies/Compute/deploy_linux_lad_vm_agent/README.md diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vm/example-lad-config.json b/policies/Compute/deploy_linux_lad_vm_agent/example-lad-config.json similarity index 100% rename from policies/Compute/deploy_lad_vm_agent_linux_vm/example-lad-config.json rename to policies/Compute/deploy_linux_lad_vm_agent/example-lad-config.json diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vm/parameters.json b/policies/Compute/deploy_linux_lad_vm_agent/parameters.json similarity index 100% rename from policies/Compute/deploy_lad_vm_agent_linux_vm/parameters.json rename to policies/Compute/deploy_linux_lad_vm_agent/parameters.json diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vm/rules.json b/policies/Compute/deploy_linux_lad_vm_agent/rules.json similarity index 93% rename from policies/Compute/deploy_lad_vm_agent_linux_vm/rules.json rename to policies/Compute/deploy_linux_lad_vm_agent/rules.json index 01da992..a3ed117 100644 
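Review bot: `var.assignment_display_name != ""` no longer treats an explicit `null` as blank, so a caller that still passes `null` (the previous default, and what the description's "if blank" wording suggests is allowed) now sends `display_name = null` to the assignment instead of falling back to the initiative's name; the same applies to `description`. Terraform's `coalesce` skips both `null` and `""`, so `display_name = coalesce(var.assignment_display_name, var.initiative.display_name)` and `description = coalesce(var.assignment_description, var.initiative.description)` keep old and new callers working. The `locals` block continues past the end of this hunk.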
--- a/policies/Compute/deploy_lad_vm_agent_linux_vm/rules.json +++ b/policies/Compute/deploy_linux_lad_vm_agent/rules.json @@ -348,7 +348,29 @@ } } } - } + }, + "fileLogs": [ + { + "file": "/var/log/audit/audit.log", + "table": "AuditLogs", + "sinks": "" + }, + { + "file": "/var/log/messages", + "table": "MessagesLogs", + "sinks": "" + }, + { + "file": "/var/log/secure", + "table": "SecureLogs", + "sinks": "" + }, + { + "file": "/var/log/yum.log", + "table": "YumLogs", + "sinks": "" + } + ] }, "protectedSettings": { "storageAccountName": "[parameters('diagnosticsStorageAccountName')]", diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vmss/README.md b/policies/Compute/deploy_linux_lad_vmss_agent/README.md similarity index 100% rename from policies/Compute/deploy_lad_vm_agent_linux_vmss/README.md rename to policies/Compute/deploy_linux_lad_vmss_agent/README.md diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vmss/example-lad-config.json b/policies/Compute/deploy_linux_lad_vmss_agent/example-lad-config.json similarity index 100% rename from policies/Compute/deploy_lad_vm_agent_linux_vmss/example-lad-config.json rename to policies/Compute/deploy_linux_lad_vmss_agent/example-lad-config.json diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vmss/parameters.json b/policies/Compute/deploy_linux_lad_vmss_agent/parameters.json similarity index 100% rename from policies/Compute/deploy_lad_vm_agent_linux_vmss/parameters.json rename to policies/Compute/deploy_linux_lad_vmss_agent/parameters.json diff --git a/policies/Compute/deploy_lad_vm_agent_linux_vmss/rules.json b/policies/Compute/deploy_linux_lad_vmss_agent/rules.json similarity index 86% rename from policies/Compute/deploy_lad_vm_agent_linux_vmss/rules.json rename to policies/Compute/deploy_linux_lad_vmss_agent/rules.json index fb5beee..8963763 100644 --- a/policies/Compute/deploy_lad_vm_agent_linux_vmss/rules.json +++ b/policies/Compute/deploy_linux_lad_vmss_agent/rules.json 
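Review bot: The new `fileLogs` entries use RHEL-family paths (`/var/log/secure`, `/var/log/messages`, `/var/log/yum.log`); on Debian/Ubuntu images the equivalents are `/var/log/auth.log`, `/var/log/syslog` and `/var/log/dpkg.log`, so on those hosts this policy collects no authentication or package-install records while the assignment still reports the VM as compliant. The image filter for this definition is outside the hunk, so I cannot tell whether Debian-family images are in scope; if they are, either add the Debian paths as additional entries (LAD appears to tolerate missing files, but confirm) or state the supported distributions in the definition's README. With `sinks` empty these logs only land in the storage-account tables named by `table`, which is worth saying in the README as well.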
@@ -329,7 +329,7 @@ "diagnosticMonitorConfiguration": { "eventVolume": "Medium", "syslogEvents": { - "sinks": "SyslogJsonBlob", + "sinks": "", "syslogEventConfiguration": { "LOG_AUTH": "LOG_DEBUG", "LOG_AUTHPRIV": "LOG_DEBUG", @@ -358,71 +358,29 @@ "fileLogs": [ { "file": "/var/log/audit/audit.log", - "table": "AuditLog", - "sinks": "AuditLogJsonBlob" - }, - { - "file": "/var/log/cron", - "table": "CronLog", - "sinks": "CronLogJsonBlob" - }, - { - "file": "/var/log/maillog", - "table": "MailLog", - "sinks": "MailLogJsonBlob" + "table": "AuditLogs", + "sinks": "" }, { "file": "/var/log/messages", - "table": "MessagesLog", - "sinks": "MessagesLogJsonBlob" + "table": "MessagesLogs", + "sinks": "" }, { "file": "/var/log/secure", - "table": "SecureLog", - "sinks": "SecureLogJsonBlob" + "table": "SecureLogs", + "sinks": "" }, { "file": "/var/log/yum.log", - "table": "YumLog", - "sinks": "YumLogJsonBlob" + "table": "YumLogs", + "sinks": "" } ] }, "protectedSettings": { "storageAccountName": "[parameters('diagnosticsStorageAccountName')]", - "storageAccountSasToken": "[parameters('diagnosticsStorageAccountSas')]", - "sinksConfig": { - "sink": [ - { - "name": "SyslogJsonBlob", - "type": "JsonBlob" - }, - { - "name": "AuditLogJsonBlob", - "type": "JsonBlob" - }, - { - "name": "CronLogJsonBlob", - "type": "JsonBlob" - }, - { - "name": "MailLogJsonBlob", - "type": "JsonBlob" - }, - { - "name": "MessagesLogJsonBlob", - "type": "JsonBlob" - }, - { - "name": "SecureLogJsonBlob", - "type": "JsonBlob" - }, - { - "name": "YumLogJsonBlob", - "type": "JsonBlob" - } - ] - } + "storageAccountSasToken": "[parameters('diagnosticsStorageAccountSas')]" } } } diff --git a/policies/Compute/deploy_log_analytics_agent_linux_vm/README.md b/policies/Compute/deploy_linux_log_analytics_vm_agent/README.md similarity index 100% rename from policies/Compute/deploy_log_analytics_agent_linux_vm/README.md rename to policies/Compute/deploy_linux_log_analytics_vm_agent/README.md 
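Review bot: Removing `sinksConfig` and every `*JsonBlob` sink (along with the `/var/log/cron` and `/var/log/maillog` entries) means syslog and the remaining file logs are now written only to the storage-account tables named by `table`, so anything that consumed the JSON blob containers for this scale set's diagnostics will silently go empty. If that is the intended alignment with the VM variant it deserves a line in the policy README; if the blob path was how `LOG_AUTH`/`LOG_AUTHPRIV` events reached a SIEM, a replacement route is needed. The same distribution caveat as the VM variant applies, since `/var/log/secure` and `/var/log/yum.log` do not exist on Debian/Ubuntu hosts.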
diff --git a/policies/Compute/deploy_log_analytics_agent_linux_vmss/parameters.json b/policies/Compute/deploy_linux_log_analytics_vm_agent/parameters.json
similarity index 72%
rename from policies/Compute/deploy_log_analytics_agent_linux_vmss/parameters.json
rename to policies/Compute/deploy_linux_log_analytics_vm_agent/parameters.json
index 42b080e..94a0a03 100644
--- a/policies/Compute/deploy_log_analytics_agent_linux_vmss/parameters.json
+++ b/policies/Compute/deploy_linux_log_analytics_vm_agent/parameters.json
@@ -15,8 +15,8 @@
 "type": "String",
 "defaultValue": "",
 "metadata": {
- "displayName": "Log Analytics workspace",
- "description": "Specify the Log Analytics workspace the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "displayName": "Log Analytics Workspace Id",
+ "description": "Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
 "assignPermissions": true
 }
 },
diff --git a/policies/Compute/deploy_log_analytics_agent_linux_vm/rules.json b/policies/Compute/deploy_linux_log_analytics_vm_agent/rules.json
similarity index 86%
rename from policies/Compute/deploy_log_analytics_agent_linux_vm/rules.json
rename to policies/Compute/deploy_linux_log_analytics_vm_agent/rules.json
index 78ed288..0c23996 100644
--- a/policies/Compute/deploy_log_analytics_agent_linux_vm/rules.json
+++ b/policies/Compute/deploy_linux_log_analytics_vm_agent/rules.json
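Review bot: The new wording "Log Analytics Workspace Id" is ambiguous: the rule in this diff now calls `reference(parameters('workspaceId'), '2015-03-20')` and `listKeys(parameters('workspaceId'), ...)` on this value, so it must be the workspace's full ARM resource ID, not the customer GUID that the portal and the agent settings label "Workspace ID"; passing the GUID fails at remediation time. Suggest `"description": "Full resource ID of the Log Analytics workspace (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>) the agent should be connected to. ..."` followed by the existing permissions sentence. Note that `assignPermissions` only drives the Azure portal's assignment wizard; assignments created through this repo's Terraform modules still need an explicit role assignment on an out-of-scope workspace, as the description already says.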
@@ -270,38 +270,18 @@
 "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
 ],
 "existenceCondition": {
- "anyOf": [
+ "allOf": [
 {
- "allOf": [
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/type",
- "equals": "OmsAgentForLinux"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
- "equals": "Microsoft.EnterpriseCloud.Monitoring"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
- "equals": "Succeeded"
- }
- ]
+ "field": "Microsoft.Compute/virtualMachines/extensions/type",
+ "equals": "OmsAgentForLinux"
 },
 {
- "allOf": [
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/type",
- "equals": "DependencyAgentLinux"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
- "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
- "equals": "Succeeded"
- }
- ]
+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+ "equals": "Microsoft.EnterpriseCloud.Monitoring"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
+ "equals": "Succeeded"
 }
 ]
 },
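Review bot: Dropping the DependencyAgentLinux branch from `existenceCondition` (and its deployment in the next hunk) means machines that previously received the Dependency agent from this policy are no longer remediated for it, and nothing in the diff adds a separate definition for it; if VM Insights / Service Map is still a requirement, that gap should be called out in the policy README or covered by a companion definition. The new `allOf` is the correct shape — the old `anyOf` was satisfied by the Dependency agent alone, so a VM without the OMS agent counted as compliant — and a short note in the README stating "compliant = OmsAgentForLinux from Microsoft.EnterpriseCloud.Monitoring with provisioningState Succeeded" would make that intent explicit.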
@@ -334,25 +314,13 @@
 "typeHandlerVersion": "1.13",
 "autoUpgradeMinorVersion": true,
 "settings": {
- "workspaceId": "[parameters('workspaceId')]",
+ "workspaceId": "[reference(parameters('workspaceId'), '2015-03-20').customerId]",
 "stopOnMultipleConnections": "true"
 },
 "protectedSettings": {
 "workspaceKey": "[listKeys(parameters('workspaceId'), '2015-03-20').primarySharedKey]"
 }
 }
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('vmName'), '/', 'DependencyAgentLinux')]",
- "apiVersion": "2020-12-01",
- "location": "[parameters('vmLocation')]",
- "properties": {
- "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
- "type": "DependencyAgentLinux",
- "typeHandlerVersion": "9.10",
- "autoUpgradeMinorVersion": true
- }
 }
 ]
 },
diff --git a/policies/Compute/deploy_log_analytics_agent_linux_vmss/README.md b/policies/Compute/deploy_linux_log_analytics_vmss_agent/README.md
similarity index 100%
rename from policies/Compute/deploy_log_analytics_agent_linux_vmss/README.md
rename to policies/Compute/deploy_linux_log_analytics_vmss_agent/README.md
diff --git a/policies/Compute/deploy_log_analytics_agent_linux_vm/parameters.json b/policies/Compute/deploy_linux_log_analytics_vmss_agent/parameters.json
similarity index 72%
rename from policies/Compute/deploy_log_analytics_agent_linux_vm/parameters.json
rename to policies/Compute/deploy_linux_log_analytics_vmss_agent/parameters.json
index 42b080e..94a0a03 100644
--- a/policies/Compute/deploy_log_analytics_agent_linux_vm/parameters.json
+++ b/policies/Compute/deploy_linux_log_analytics_vmss_agent/parameters.json
@@ -15,8 +15,8 @@
 "type": "String",
 "defaultValue": "",
 "metadata": {
- "displayName": "Log Analytics workspace",
- "description": "Specify the Log Analytics workspace the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "displayName": "Log Analytics Workspace Id",
+ "description": "Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
 "assignPermissions": true
 }
 },
diff --git a/policies/Compute/deploy_log_analytics_agent_linux_vmss/rules.json b/policies/Compute/deploy_linux_log_analytics_vmss_agent/rules.json
similarity index 86%
rename from policies/Compute/deploy_log_analytics_agent_linux_vmss/rules.json
rename to policies/Compute/deploy_linux_log_analytics_vmss_agent/rules.json
index 941b50a..413674f 100644
--- a/policies/Compute/deploy_log_analytics_agent_linux_vmss/rules.json
+++ b/policies/Compute/deploy_linux_log_analytics_vmss_agent/rules.json
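Review bot: Same wording problem as the Linux VM variant: the scale-set rule in this diff applies `reference()` and `listKeys()` to this parameter, so "Workspace Id" must be read as the workspace's full ARM resource ID rather than the customer GUID, and the description should say so explicitly. Suggest `"displayName": "Log Analytics Workspace Resource Id"` with a description that spells out the `/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/<name>` form.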
@@ -270,38 +270,18 @@
 "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
 ],
 "existenceCondition": {
- "anyOf": [
+ "allOf": [
 {
- "allOf": [
- {
- "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
- "equals": "OmsAgentForLinux"
- },
- {
- "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
- "equals": "Microsoft.EnterpriseCloud.Monitoring"
- },
- {
- "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
- "equals": "Succeeded"
- }
- ]
+ "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
+ "equals": "OmsAgentForLinux"
 },
 {
- "allOf": [
- {
- "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
- "equals": "DependencyAgentLinux"
- },
- {
- "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
- "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
- },
- {
- "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
- "equals": "Succeeded"
- }
- ]
+ "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
+ "equals": "Microsoft.EnterpriseCloud.Monitoring"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
+ "equals": "Succeeded"
 }
 ]
 },
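Review bot: This Linux scale-set definition keeps only Log Analytics Contributor (`92aaf0da-…`) in `roleDefinitionIds`, while the Windows scale-set definition later in this diff adds Virtual Machine Contributor to write the extension. If the built-in Log Analytics Contributor role does not cover `Microsoft.Compute/virtualMachineScaleSets/extensions/write` (it lists `virtualMachines/extensions/*`, and as far as I recall not the scale-set equivalent — confirm), remediation here will fail with an authorization error that the Windows variant has already worked around; whichever way it resolves, the two VMSS definitions should carry the same, and preferably narrower, role set.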
@@ -334,25 +314,13 @@
 "typeHandlerVersion": "1.13",
 "autoUpgradeMinorVersion": true,
 "settings": {
- "workspaceId": "[parameters('workspaceId')]",
+ "workspaceId": "[reference(parameters('workspaceId'), '2015-03-20').customerId]",
 "stopOnMultipleConnections": "true"
 },
 "protectedSettings": {
 "workspaceKey": "[listKeys(parameters('workspaceId'), '2015-03-20').primarySharedKey]"
 }
 }
- },
- {
- "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
- "name": "[concat(parameters('vmName'), '/', 'DependencyAgentLinux')]",
- "apiVersion": "2020-12-01",
- "location": "[parameters('vmLocation')]",
- "properties": {
- "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
- "type": "DependencyAgentLinux",
- "typeHandlerVersion": "9.10",
- "autoUpgradeMinorVersion": true
- }
 }
 ]
 },
diff --git a/policies/Compute/deploy_log_analytics_agent_windows_vm/README.md b/policies/Compute/deploy_windows_log_analytics_vm_agent/README.md
similarity index 100%
rename from policies/Compute/deploy_log_analytics_agent_windows_vm/README.md
rename to policies/Compute/deploy_windows_log_analytics_vm_agent/README.md
diff --git a/policies/Compute/deploy_log_analytics_agent_windows_vm/parameters.json b/policies/Compute/deploy_windows_log_analytics_vm_agent/parameters.json
similarity index 69%
rename from policies/Compute/deploy_log_analytics_agent_windows_vm/parameters.json
rename to policies/Compute/deploy_windows_log_analytics_vm_agent/parameters.json
index 0418f06..122e6b8 100644
--- a/policies/Compute/deploy_log_analytics_agent_windows_vm/parameters.json
+++ b/policies/Compute/deploy_windows_log_analytics_vm_agent/parameters.json
@@ -15,8 +15,9 @@
 "type": "String",
 "defaultValue": "",
 "metadata": {
- "displayName": "Log Analytics workspace",
- "description": "Specify the Log Analytics workspace the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ "displayName": "Log Analytics Workspace Id",
+ "description": "Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "assignPermissions": true
 }
 },
 "listOfImageIdToInclude_windows": {
diff --git a/policies/Compute/deploy_log_analytics_agent_windows_vm/rules.json b/policies/Compute/deploy_windows_log_analytics_vm_agent/rules.json
similarity index 87%
rename from policies/Compute/deploy_log_analytics_agent_windows_vm/rules.json
rename to policies/Compute/deploy_windows_log_analytics_vm_agent/rules.json
index a72b9e7..bc86ad8 100644
--- a/policies/Compute/deploy_log_analytics_agent_windows_vm/rules.json
+++ b/policies/Compute/deploy_windows_log_analytics_vm_agent/rules.json
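Review bot: `"assignPermissions": true` is added here, but that flag only instructs the Azure portal's assignment wizard to create role assignments for the managed identity at the scope of the value passed; assignments created through this repo's `def_assignment`/`set_assignment` modules get no such automation, so an out-of-scope workspace still needs an explicit `azurerm_role_assignment` (Log Analytics Contributor, or a narrower custom role, on the workspace). A sentence to that effect in the description would stop a Terraform user from assuming the flag does the work. The "Workspace Id" wording has the same ambiguity as the Linux variants: the rule in this diff now applies `reference()` and `listKeys()` to it, so it has to be the workspace's ARM resource ID, not the customer GUID.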
@@ -194,36 +194,16 @@
 "existenceCondition": {
 "allOf": [
 {
- "allOf": [
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/type",
- "equals": "MicrosoftMonitoringAgent"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
- "equals": "Microsoft.EnterpriseCloud.Monitoring"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
- "equals": "Succeeded"
- }
- ]
+ "field": "Microsoft.Compute/virtualMachines/extensions/type",
+ "equals": "MicrosoftMonitoringAgent"
 },
 {
- "allOf": [
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/type",
- "equals": "DependencyAgentWindows"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
- "equals": "Microsoft.Azure.Monitoring.DependencyAgent"
- },
- {
- "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
- "equals": "Succeeded"
- }
- ]
+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+ "equals": "Microsoft.EnterpriseCloud.Monitoring"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
+ "equals": "Succeeded"
 }
 ]
 },
@@ -256,7 +236,7 @@
 "typeHandlerVersion": "1.0",
 "autoUpgradeMinorVersion": true,
 "settings": {
- "workspaceId": "[parameters('workspaceId')]",
+ "workspaceId": "[reference(parameters('workspaceId'), '2015-03-20').customerId]",
 "stopOnMultipleConnections": "true"
 },
 "protectedSettings": {
diff --git a/policies/Compute/deploy_log_analytics_agent_windows_vmss/README.md b/policies/Compute/deploy_windows_log_analytics_vmss_agent/README.md
similarity index 100%
rename from policies/Compute/deploy_log_analytics_agent_windows_vmss/README.md
rename to policies/Compute/deploy_windows_log_analytics_vmss_agent/README.md
diff --git a/policies/Compute/deploy_log_analytics_agent_windows_vmss/parameters.json b/policies/Compute/deploy_windows_log_analytics_vmss_agent/parameters.json
similarity index 69%
rename from policies/Compute/deploy_log_analytics_agent_windows_vmss/parameters.json
rename to policies/Compute/deploy_windows_log_analytics_vmss_agent/parameters.json
index 0418f06..122e6b8 100644
--- a/policies/Compute/deploy_log_analytics_agent_windows_vmss/parameters.json
+++ b/policies/Compute/deploy_windows_log_analytics_vmss_agent/parameters.json
@@ -15,8 +15,9 @@
 "type": "String",
 "defaultValue": "",
 "metadata": {
- "displayName": "Log Analytics workspace",
- "description": "Specify the Log Analytics workspace the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ "displayName": "Log Analytics Workspace Id",
+ "description": "Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "assignPermissions": true
 }
 },
 "listOfImageIdToInclude_windows": {
diff --git a/policies/Compute/deploy_log_analytics_agent_windows_vmss/rules.json b/policies/Compute/deploy_windows_log_analytics_vmss_agent/rules.json
similarity index 87%
rename from policies/Compute/deploy_log_analytics_agent_windows_vmss/rules.json
rename to policies/Compute/deploy_windows_log_analytics_vmss_agent/rules.json
index 1e441c9..cd7d606 100644
--- a/policies/Compute/deploy_log_analytics_agent_windows_vmss/rules.json
+++ b/policies/Compute/deploy_windows_log_analytics_vmss_agent/rules.json
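Review bot: Same two caveats as the Windows VM parameters: `assignPermissions` is honoured only by the portal's assignment wizard, not by the Terraform modules in this repo, and "Workspace Id" must be the workspace's full ARM resource ID because the scale-set rule now resolves it with `reference()` and `listKeys()`. Suggest stating both in the description, e.g. `"description": "Full resource ID of the Log Analytics workspace ... . assignPermissions only applies to portal assignments; grant the assignment identity access to the workspace explicitly when assigning via Terraform."`.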
@@ -189,41 +189,22 @@ "details": { "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" ], "existenceCondition": { "allOf": [ { - "allOf": [ - { - "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", - "equals": "MicrosoftMonitoringAgent" - }, - { - "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", - "equals": "Microsoft.EnterpriseCloud.Monitoring" - }, - { - "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", - "equals": "Succeeded" - } - ] + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "MicrosoftMonitoringAgent" }, { - "allOf": [ - { - "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", - "equals": "DependencyAgentWindows" - }, - { - "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", - "equals": "Microsoft.Azure.Monitoring.DependencyAgent" - }, - { - "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", - "equals": "Succeeded" - } - ] + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.EnterpriseCloud.Monitoring" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" } ] }, @@ -256,7 +237,7 @@ "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true, "settings": { - "workspaceId": "[parameters('workspaceId')]", + "workspaceId": "[reference(parameters('workspaceId'), '2015-03-20').customerId]", "stopOnMultipleConnections": "true" }, "protectedSettings": { 
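Review bot: The second roleDefinitionIds entry, `9980e02c-c2be-4d73-94e8-173b1dc7cf3c`, is — if I read the GUID right — the built-in Virtual Machine Contributor role, which lets the remediation identity create, delete and run arbitrary extensions on every VM and scale set under the assignment scope, far beyond the single `Microsoft.Compute/virtualMachineScaleSets/extensions` write this DeployIfNotExists performs. A custom role limited to `Microsoft.Compute/virtualMachineScaleSets/read`, `Microsoft.Compute/virtualMachineScaleSets/extensions/read` and `Microsoft.Compute/virtualMachineScaleSets/extensions/write` (with the deployment and Log Analytics actions already covered by the first entry) would keep the identity least-privilege; if the built-in role is kept, the README should say why the broader role is required. Separately, the flattened existenceCondition drops the DependencyAgentWindows check rather than splitting it out, so scale sets missing the Dependency Agent are now reported compliant by this policy — if intended, the definition's display name and description (outside this hunk) should say MMA only.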
@@ -264,7 +245,13 @@
 }
 }
 }
- ]
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Enabled MicrosoftMonitoringAgent extension for: ', parameters('vmName'))]"
+ }
+ }
 },
 "parameters": {
 "vmName": {
diff --git a/policies/Compute/deploy_wad_agent_windows_vm/README.md b/policies/Compute/deploy_windows_wad_vm_agent/README.md
similarity index 100%
rename from policies/Compute/deploy_wad_agent_windows_vm/README.md
rename to policies/Compute/deploy_windows_wad_vm_agent/README.md
diff --git a/policies/Compute/deploy_wad_agent_windows_vm/parameters.json b/policies/Compute/deploy_windows_wad_vm_agent/parameters.json
similarity index 91%
rename from policies/Compute/deploy_wad_agent_windows_vm/parameters.json
rename to policies/Compute/deploy_windows_wad_vm_agent/parameters.json
index 10c46c1..60cf563 100644
--- a/policies/Compute/deploy_wad_agent_windows_vm/parameters.json
+++ b/policies/Compute/deploy_windows_wad_vm_agent/parameters.json
@@ -29,12 +29,12 @@
 "assignPermissions": true
 }
 },
- "eventHubSharedAccessKey": {
+ "eventHubSharedAccessKeyId": {
 "type": "String",
 "defaultValue": "",
 "metadata": {
- "displayName": "Event Hub Base64 Encoded Shared Access Key",
- "description": "The Event Hub Shared Access Key. Should be base64 encoded"
+ "displayName": "Event Hub Shared Access Key Resource Id",
+ "description": "The Event Hub Shared Access Key Key Resource Id."
 }
 },
 "eventHubSharedAccessKeyName": {
diff --git a/policies/Compute/deploy_wad_agent_windows_vm/rules.json b/policies/Compute/deploy_windows_wad_vm_agent/rules.json
similarity index 91%
rename from policies/Compute/deploy_wad_agent_windows_vm/rules.json
rename to policies/Compute/deploy_windows_wad_vm_agent/rules.json
index cdbeba7..e297235 100644
--- a/policies/Compute/deploy_wad_agent_windows_vm/rules.json
+++ b/policies/Compute/deploy_windows_wad_vm_agent/rules.json
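Review bot: Replacing the plaintext SAS key parameter with an authorization-rule resource ID is a real improvement — the old value sat in every assignment object, readable by anyone with read on the assignment — but the new metadata does not say what to pass, and the description has a doubled word (`Key Key`). Suggest `"displayName": "Event Hub Authorization Rule Resource Id"` and `"description": "Resource ID of the Event Hub or namespace authorization rule whose primary key the diagnostics agent will use. Use a rule that carries only the Send claim, not RootManageSharedAccessKey; the assignment's principal needs listkeys on this rule."`. The neighbouring parameter in the leading context carries `"assignPermissions": true` and this one does not, so portal assignments will not grant the identity the listkeys right the template now depends on. The VMSS parameters.json in this commit is byte-identical (same `10c46c1..60cf563` blobs) and needs the same fix.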
@@ -229,7 +229,7 @@
 "eventHubUrl": {
 "type": "String"
 },
- "eventHubSharedAccessKey": {
+ "eventHubSharedAccessKeyId": {
 "type": "String"
 },
 "eventHubSharedAccessKeyName": {
@@ -237,7 +237,8 @@
 }
 },
 "variables": {
- "wadlogs": " ",
+ "sinks": "[concat('')]",
+ "wadlogs": "[concat('', variables('sinks'), ' ')]",
 "wadcfgxstart": "[concat(variables('wadlogs'), '"
@@ -251,7 +252,7 @@
 "properties": {
 "publisher": "Microsoft.Azure.Diagnostics",
 "type": "IaaSDiagnostics",
- "typeHandlerVersion": "1.5",
+ "typeHandlerVersion": "1.18",
 "autoUpgradeMinorVersion": true,
 "settings": {
 "xmlCfg": "[base64(concat(variables('wadcfgxstart'), variables('wadmetricsresourceid'), parameters('vmName'), variables('wadcfgxend')))]",
@@ -263,7 +264,7 @@
 "storageAccountEndPoint": "[concat('https://', environment().suffixes.storage)]",
 "EventHub": {
 "Url": "[parameters('eventHubUrl')]",
- "SharedAccessKey": "[parameters('eventHubSharedAccessKey')]",
+ "SharedAccessKey": "[listkeys(parameters('eventHubSharedAccessKeyId'), '2015-08-01').primaryKey]",
 "SharedAccessKeyName": "[parameters('eventHubSharedAccessKeyName')]"
 }
 }
@@ -287,8 +288,8 @@
 "eventHubUrl": {
 "Value": "[parameters('eventHubUrl')]"
 },
- "eventHubSharedAccessKey": {
- "Value": "[parameters('eventHubSharedAccessKey')]"
+ "eventHubSharedAccessKeyId": {
+ "Value": "[parameters('eventHubSharedAccessKeyId')]"
 },
 "eventHubSharedAccessKeyName": {
 "Value": "[parameters('eventHubSharedAccessKeyName')]"
diff --git a/policies/Compute/deploy_wad_agent_windows_vmss/README.md b/policies/Compute/deploy_windows_wad_vmss_agent/README.md
similarity index 100%
rename from policies/Compute/deploy_wad_agent_windows_vmss/README.md
rename to policies/Compute/deploy_windows_wad_vmss_agent/README.md
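Review bot: With `SharedAccessKey` now resolved by `listkeys(parameters('eventHubSharedAccessKeyId'), '2015-08-01').primaryKey`, the separate `eventHubSharedAccessKeyName` parameter is redundant and a silent failure mode: nothing ties the name to the rule whose key was fetched, and a mismatched pair makes the agent's Event Hub sink fail authentication without the deployment noticing. Derive the name from the same resource ID, `"SharedAccessKeyName": "[last(split(parameters('eventHubSharedAccessKeyId'), '/'))]"`, and drop or ignore the name parameter. The listkeys call also means the remediation identity needs `Microsoft.EventHub/namespaces/authorizationRules/listkeys/action` (or the eventhubs/authorizationRules equivalent) on the rule; the policy's `roleDefinitionIds` are outside this hunk, so please confirm they grant it. The `sinks`/`wadlogs` variables in the `@@ -237` hunk appear to have had their XML stripped in this view, so I could not review the sink configuration; the same three hunks recur in the VMSS rules.json below.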
diff --git a/policies/Compute/deploy_wad_agent_windows_vmss/parameters.json b/policies/Compute/deploy_windows_wad_vmss_agent/parameters.json
similarity index 91%
rename from policies/Compute/deploy_wad_agent_windows_vmss/parameters.json
rename to policies/Compute/deploy_windows_wad_vmss_agent/parameters.json
index 10c46c1..60cf563 100644
--- a/policies/Compute/deploy_wad_agent_windows_vmss/parameters.json
+++ b/policies/Compute/deploy_windows_wad_vmss_agent/parameters.json
@@ -29,12 +29,12 @@
 "assignPermissions": true
 }
 },
- "eventHubSharedAccessKey": {
+ "eventHubSharedAccessKeyId": {
 "type": "String",
 "defaultValue": "",
 "metadata": {
- "displayName": "Event Hub Base64 Encoded Shared Access Key",
- "description": "The Event Hub Shared Access Key. Should be base64 encoded"
+ "displayName": "Event Hub Shared Access Key Resource Id",
+ "description": "The Event Hub Shared Access Key Key Resource Id."
 }
 },
 "eventHubSharedAccessKeyName": {
diff --git a/policies/Compute/deploy_wad_agent_windows_vmss/rules.json b/policies/Compute/deploy_windows_wad_vmss_agent/rules.json
similarity index 91%
rename from policies/Compute/deploy_wad_agent_windows_vmss/rules.json
rename to policies/Compute/deploy_windows_wad_vmss_agent/rules.json
index e3afdee..f6c2e05 100644
--- a/policies/Compute/deploy_wad_agent_windows_vmss/rules.json
+++ b/policies/Compute/deploy_windows_wad_vmss_agent/rules.json
@@ -229,7 +229,7 @@
 "eventHubUrl": {
 "type": "String"
 },
- "eventHubSharedAccessKey": {
+ "eventHubSharedAccessKeyId": {
 "type": "String"
 },
 "eventHubSharedAccessKeyName": {
@@ -237,7 +237,8 @@
 }
 },
 "variables": {
- "wadlogs": " ",
+ "sinks": "[concat('')]",
+ "wadlogs": "[concat('', variables('sinks'), ' ')]",
 "wadcfgxstart": "[concat(variables('wadlogs'), '"
@@ -251,7 +252,7 @@
 "properties": {
 "publisher": "Microsoft.Azure.Diagnostics",
 "type": "IaaSDiagnostics",
- "typeHandlerVersion": "1.5",
+ "typeHandlerVersion": "1.18",
 "autoUpgradeMinorVersion": true,
 "settings": {
 "xmlCfg": "[base64(concat(variables('wadcfgxstart'), variables('wadmetricsresourceid'), parameters('vmName'), variables('wadcfgxend')))]",
@@ -263,7 +264,7 @@
 "storageAccountEndPoint": "[concat('https://', environment().suffixes.storage)]",
 "EventHub": {
 "Url": "[parameters('eventHubUrl')]",
- "SharedAccessKey": "[parameters('eventHubSharedAccessKey')]",
+ "SharedAccessKey": "[listkeys(parameters('eventHubSharedAccessKeyId'), '2015-08-01').primaryKey]",
 "SharedAccessKeyName": "[parameters('eventHubSharedAccessKeyName')]"
 }
 }
@@ -287,8 +288,8 @@
 "eventHubUrl": {
 "Value": "[parameters('eventHubUrl')]"
 },
- "eventHubSharedAccessKey": {
- "Value": "[parameters('eventHubSharedAccessKey')]"
+ "eventHubSharedAccessKeyId": {
+ "Value": "[parameters('eventHubSharedAccessKeyId')]"
 },
 "eventHubSharedAccessKeyName": {
 "Value": "[parameters('eventHubSharedAccessKeyName')]"
diff --git a/policies/Compute/preview_deploy_linux_monitor_agent_vm/README.md b/policies/Compute/preview_deploy_linux_azure_monitor_vm_agent/README.md
similarity index 100%
rename from policies/Compute/preview_deploy_linux_monitor_agent_vm/README.md
rename to policies/Compute/preview_deploy_linux_azure_monitor_vm_agent/README.md
diff --git a/policies/Compute/preview_deploy_linux_monitor_agent_vm/parameters.json b/policies/Compute/preview_deploy_linux_azure_monitor_vm_agent/parameters.json
similarity index 100%
rename from policies/Compute/preview_deploy_linux_monitor_agent_vm/parameters.json
rename to policies/Compute/preview_deploy_linux_azure_monitor_vm_agent/parameters.json
diff --git a/policies/Compute/preview_deploy_linux_monitor_agent_vm/rules.json b/policies/Compute/preview_deploy_linux_azure_monitor_vm_agent/rules.json
similarity index 100%
rename from policies/Compute/preview_deploy_linux_monitor_agent_vm/rules.json
rename to policies/Compute/preview_deploy_linux_azure_monitor_vm_agent/rules.json
diff --git a/policies/Compute/preview_deploy_windows_monitor_agent_vm/README.md b/policies/Compute/preview_deploy_windows_azure_monitor_vm_agent/README.md
similarity index 100%
rename from policies/Compute/preview_deploy_windows_monitor_agent_vm/README.md
rename to policies/Compute/preview_deploy_windows_azure_monitor_vm_agent/README.md
diff --git a/policies/Compute/preview_deploy_windows_monitor_agent_vm/parameters.json b/policies/Compute/preview_deploy_windows_azure_monitor_vm_agent/parameters.json
similarity index 100%
rename from policies/Compute/preview_deploy_windows_monitor_agent_vm/parameters.json
rename to policies/Compute/preview_deploy_windows_azure_monitor_vm_agent/parameters.json
diff --git a/policies/Compute/preview_deploy_windows_monitor_agent_vm/rules.json b/policies/Compute/preview_deploy_windows_azure_monitor_vm_agent/rules.json
similarity index 100%
rename from policies/Compute/preview_deploy_windows_monitor_agent_vm/rules.json
rename to policies/Compute/preview_deploy_windows_azure_monitor_vm_agent/rules.json
diff --git a/policies/Monitoring/deploy_application_gateway_diagnostic_setting/README.md b/policies/Monitoring/deploy_application_gateway_diagnostic_setting/README.md
index 32ad043..17d6438 100644
--- a/policies/Monitoring/deploy_application_gateway_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_application_gateway_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: DiagnosticSettingsForNSG_Deploy.json](https://
 ## Assignment
 ```hcl
 module logging_mg_deploy_application_gateway_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_application_gateway_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_eventhub_diagnostic_setting/README.md b/policies/Monitoring/deploy_eventhub_diagnostic_setting/README.md
index c84e32f..b2d28ac 100644
--- a/policies/Monitoring/deploy_eventhub_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_eventhub_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In: EventHub_DeployDiagnosticLog_Deploy_LogAnalytics](http
 ## Assignment
 ```hcl
 module logging_mg_deploy_eventhub_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_eventhub_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_expressroute_connection_diagnostic_setting/README.md b/policies/Monitoring/deploy_expressroute_connection_diagnostic_setting/README.md
index 52d47a5..8139397 100644
--- a/policies/Monitoring/deploy_expressroute_connection_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_expressroute_connection_diagnostic_setting/README.md
@@ -23,7 +23,7 @@ Modified from: [Built-In Samples: apply-diagnostic-setting-publicipaddresses-eve
 ## Assignment
 ```hcl
 module logging_mg_deploy_expressroute_connection_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_expressroute_connection_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_expressroute_diagnostic_setting/README.md b/policies/Monitoring/deploy_expressroute_diagnostic_setting/README.md
index 6eacf51..41bcb1d 100644
--- a/policies/Monitoring/deploy_expressroute_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_expressroute_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: apply-diagnostic-setting-publicipaddresses-eve
 ## Assignment
 ```hcl
 module logging_mg_deploy_expressroute_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_expressroute_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_firewall_diagnostic_setting/README.md b/policies/Monitoring/deploy_firewall_diagnostic_setting/README.md
index 9071f1e..f62dafa 100644
--- a/policies/Monitoring/deploy_firewall_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_firewall_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In: KeyVault_DeployDiagnosticLog_Deploy_LogAnalytics](http
 ## Assignment
 ```hcl
 module logging_mg_deploy_firewall_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_firewall_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_keyvault_diagnostic_setting/README.md b/policies/Monitoring/deploy_keyvault_diagnostic_setting/README.md
index d26a4d9..67c060f 100644
--- a/policies/Monitoring/deploy_keyvault_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_keyvault_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In: KeyVault_DeployDiagnosticLog_Deploy_LogAnalytics](http
 ## Assignment
 ```hcl
 module logging_mg_deploy_keyvault_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_keyvault_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_loadbalancer_diagnostic_setting/README.md b/policies/Monitoring/deploy_loadbalancer_diagnostic_setting/README.md
index ab9d245..fe6ea9e 100644
--- a/policies/Monitoring/deploy_loadbalancer_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_loadbalancer_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In: KeyVault_DeployDiagnosticLog_Deploy_LogAnalytics](http
 ## Assignment
 ```hcl
 module logging_mg_deploy_loadbalancer_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_loadbalancer_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_network_interface_diagnostic_setting/README.md b/policies/Monitoring/deploy_network_interface_diagnostic_setting/README.md
index 56e76ac..b875799 100644
--- a/policies/Monitoring/deploy_network_interface_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_network_interface_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: apply-diagnostic-setting-publicipaddresses-eve
 ## Assignment
 ```hcl
 module logging_mg_deploy_network_interface_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_network_interface_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_network_security_group_diagnostic_setting/README.md b/policies/Monitoring/deploy_network_security_group_diagnostic_setting/README.md
index 5657696..a9b064d 100644
--- a/policies/Monitoring/deploy_network_security_group_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_network_security_group_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: DiagnosticSettingsForNSG_Deploy.json](https://
 ## Assignment
 ```hcl
 module logging_mg_deploy_network_security_group_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_network_security_group_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_public_ip_diagnostic_setting/README.md b/policies/Monitoring/deploy_public_ip_diagnostic_setting/README.md
index 4804286..eadd609 100644
--- a/policies/Monitoring/deploy_public_ip_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_public_ip_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: apply-diagnostic-setting-publicipaddresses-eve
 ## Assignment
 ```hcl
 module logging_mg_deploy_public_ip_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_public_ip_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_storage_account_diagnostic_setting/README.md b/policies/Monitoring/deploy_storage_account_diagnostic_setting/README.md
index 700e1e5..ca9fe77 100644
--- a/policies/Monitoring/deploy_storage_account_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_storage_account_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: DiagnosticSettingsForNSG_Deploy.json](https://
 ## Assignment
 ```hcl
 module logging_mg_deploy_storage_account_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_storage_account_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_subscription_diagnostic_setting/README.md b/policies/Monitoring/deploy_subscription_diagnostic_setting/README.md
index 2ee4aa6..2148f9b 100644
--- a/policies/Monitoring/deploy_subscription_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_subscription_diagnostic_setting/README.md
@@ -23,7 +23,7 @@ And this [ARM Template](https://docs.microsoft.com/en-us/azure/azure-monitor/sam
 ## Assignment
 ```hcl
 module logging_mg_deploy_subscription_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_subscription_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
@@ -44,45 +44,16 @@ module logging_mg_deploy_subscription_diagnostic_setting { ## Cross Subscription Role Assignment -In order to successfully remediation cross-subscription diagnostic settings, a custom role definition is required such as below. +In order to successfully remediation cross-subscription diagnostic settings, a custom or built-in role definition reference is required such as below. ```hcl -resource random_uuid remediate_diagnostic_settings {} - -resource azurerm_role_definition remediate_diagnostic_settings { - name = "policy_remediates_subscription_diagnostic_settings" - role_definition_id = random_uuid.remediate_diagnostic_settings.result - scope = data.azurerm_management_group.org.id - description = "Enables the managed identity created by policy assignment permissions to remediate non compliant resources" - - permissions { - actions = [ - "Microsoft.Authorization/*/read", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/components/*/read", - "Microsoft.Automation/automationAccounts/*", - "Microsoft.EventHub/namespaces/authorizationrules/listkeys/action", - "Microsoft.Insights/alertRules/*", - "Microsoft.Insights/diagnosticSettings/*", - "Microsoft.OperationalInsights/*", - "Microsoft.OperationsManagement/*", - "Microsoft.Resources/deployments/*", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", - "Microsoft.Support/*", - "Microsoft.Storage/storageAccounts/listKeys/action", - "Microsoft.Storage/storageAccounts/read" - ] - } - - assignable_scopes = [ - data.azurerm_management_group.org.id - ] +data "azurerm_role_definition" "contributor" { + name = "Contributor" } resource azurerm_role_assignment logging_policy_remediates_diagnostic_settings { scope = data.azurerm_management_group.logging.id - role_definition_id = azurerm_role_definition.remediate_diagnostic_settings.role_definition_resource_id + role_definition_id = data.azurerm_role_definition.contributor.id 
principal_id = module.logging_mg_deploy_subscription_diagnostic_setting.identity_id
 }
 ```
diff --git a/policies/Monitoring/deploy_virtual_machine_diagnostic_setting/README.md b/policies/Monitoring/deploy_virtual_machine_diagnostic_setting/README.md
index 2ef31cf..bee10f0 100644
--- a/policies/Monitoring/deploy_virtual_machine_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_virtual_machine_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: DiagnosticSettingsForNSG_Deploy.json](https://
 ## Assignment
 ```hcl
 module logging_mg_deploy_virtual_machine_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_virtual_machine_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_vnet_diagnostic_setting/README.md b/policies/Monitoring/deploy_vnet_diagnostic_setting/README.md
index c32ea2d..16d5662 100644
--- a/policies/Monitoring/deploy_vnet_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_vnet_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: DiagnosticSettingsForNSG_Deploy.json](https://
 ## Assignment
 ```hcl
 module logging_mg_deploy_vnet_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_vnet_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Monitoring/deploy_vnet_gateway_diagnostic_setting/README.md b/policies/Monitoring/deploy_vnet_gateway_diagnostic_setting/README.md
index 488926c..5f04f92 100644
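Review bot: Swapping the scoped custom role for the built-in Contributor role at the logging management group gives the policy's managed identity create and delete rights over every resource in that management group, while the definition being removed shows the remediation only needs diagnostic-settings, deployment, listKeys and read actions; anyone who can trigger a remediation, or who compromises the assignment, inherits that blast radius. Keep the custom role as the documented path and, if a built-in role is wanted for convenience, use the narrowest one that satisfies the template's `roleDefinitionIds` (Monitoring Contributor is the usual candidate for diagnostic settings, but that needs verifying against this template), with a sentence saying Contributor is a last resort rather than the default. The surviving prose also still reads `In order to successfully remediation cross-subscription` — it should be `remediate`. This hunk starts in the previous line and the role_definition_id change sits there.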
--- a/policies/Monitoring/deploy_vnet_gateway_diagnostic_setting/README.md
+++ b/policies/Monitoring/deploy_vnet_gateway_diagnostic_setting/README.md
@@ -21,7 +21,7 @@ Modified from: [Built-In Samples: DiagnosticSettingsForNSG_Deploy.json](https://
 ## Assignment
 ```hcl
 module logging_mg_deploy_vnet_gateway_diagnostic_setting {
- source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.0.0"
+ source = "github.com/gettek/azurerm-terraform-policy-as-code.git//modules/def_assignment?ref=1.2.0"
 definition_name = "deploy_vnet_gateway_diagnostic_setting"
 definition_version = "1.0.0"
 definition_scope = data.azurerm_management_group.org.id
diff --git a/policies/Security Center/README.md b/policies/Security Center/README.md
index f2e0ffb..31d1425 100644
--- a/policies/Security Center/README.md
+++ b/policies/Security Center/README.md
@@ -26,7 +26,7 @@ module configure_asc {
 source = "..//modules/definition"
 for_each = local.security_center_policies
 policy_name = each.key
- display_name = title(replace(each.key, "_", " "))
+ display_name = each.value
 policy_description = each.value
 policy_category = "Security Center"
 management_group_name = data.azurerm_management_group.org.name
diff --git a/policies/Security Center/auto_provision_log_analytics_agent_custom_workspace/parameters.json b/policies/Security Center/auto_provision_log_analytics_agent_custom_workspace/parameters.json
index 7402da1..96412c5 100644
--- a/policies/Security Center/auto_provision_log_analytics_agent_custom_workspace/parameters.json
+++ b/policies/Security Center/auto_provision_log_analytics_agent_custom_workspace/parameters.json
@@ -17,6 +17,7 @@
 "displayName": "Log Analytics workspace",
 "description": "Auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.",
 "assignPermissions": true
- }
+ },
+ "defaultValue": ""
 }
 }
\ No newline at end of file
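Review bot: Adding `"defaultValue": ""` to the workspace parameter turns a required resource ID into an optional one: an assignment that omits it is accepted, the empty string only surfaces when remediation runs, and `assignPermissions` has no resource to act on. If the empty default is a workaround for parameter values being nulled by newer Terraform, say so in the description and make the template tolerate it, e.g. a `"condition": "[not(empty(parameters('<workspace parameter>')))]"` on the deployed resource so an unset value is a no-op rather than a failed deployment; the parameter's key and the rules.json are outside this hunk, so I have not checked how the value is consumed. The same empty default is added to the Event Hub and Log Analytics export parameters later in this commit and wants the same treatment.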
diff --git a/policies/Security Center/enable_vulnerability_vm_assessments/README.md b/policies/Security Center/enable_vulnerability_vm_assessments/README.md
index 5362d15..3fc5342 100644
--- a/policies/Security Center/enable_vulnerability_vm_assessments/README.md
+++ b/policies/Security Center/enable_vulnerability_vm_assessments/README.md
@@ -1,4 +1,4 @@
-# Continuously Export Security Alerts and Recommendations
+# Enable VM Vulnerability Assessment Solution
 ## Display Name
diff --git a/policies/Security Center/export_asc_alerts_and_recommendations_to_eventhub/parameters.json b/policies/Security Center/export_asc_alerts_and_recommendations_to_eventhub/parameters.json
index 2f393c2..eee83e3 100644
--- a/policies/Security Center/export_asc_alerts_and_recommendations_to_eventhub/parameters.json
+++ b/policies/Security Center/export_asc_alerts_and_recommendations_to_eventhub/parameters.json
@@ -120,6 +120,7 @@
 "displayName": "Event Hub details (Authorization Rule ID)",
 "description": "The Event Hub details of where the data should be exported to: Subscription, Event Hub Namespace, Event Hub, and Authorizations rules with 'Send' claim. If you do not already have an event hub, visit Event Hubs to create one (https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces).",
 "assignPermissions": true
- }
+ },
+ "defaultValue": ""
 }
 }
\ No newline at end of file
diff --git a/policies/Security Center/export_asc_alerts_and_recommendations_to_log_analytics/parameters.json b/policies/Security Center/export_asc_alerts_and_recommendations_to_log_analytics/parameters.json
index 5b4d4f3..c91c15b 100644
--- a/policies/Security Center/export_asc_alerts_and_recommendations_to_log_analytics/parameters.json
+++ b/policies/Security Center/export_asc_alerts_and_recommendations_to_log_analytics/parameters.json
@@ -17,7 +17,7 @@
 "defaultValue": "policy-export-asc-alerts",
 "metadata": {
 "displayName": "Resource group name",
- "description": "The resource group name where the export to Event Hub configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Event Hub configured."
+ "description": "The resource group name where the export to Log Analytics configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics configured."
 }
 },
 "resourceGroupLocation": {
@@ -29,7 +29,7 @@
 "defaultValue": "uksouth",
 "metadata": {
 "displayName": "Resource group location",
- "description": "The location where the resource group and the export to Event Hub configuration are created.",
+ "description": "The location where the resource group and the export to Log Analytics configuration are created.",
 "strongType": "location"
 }
 },
@@ -120,6 +120,7 @@
 "displayName": "Log Analytics workspace",
 "description": "Auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.",
 "assignPermissions": true
- }
+ },
+ "defaultValue": ""
 }
 }