Add condition to Enable-DDoS-VNET policy assignments in `alzDefaultPolicyAssignments` (#182)

* add conditional to ddos policies

* swap corp to connectivity

* add note

* disable linting for block
jtracey93 authored Mar 11, 2022
1 parent eabee47 commit 0f5d753
Showing 2 changed files with 19 additions and 14 deletions.
Expand Up @@ -8,16 +8,16 @@ This module deploys the default Azure Landing Zone Azure Policy Assignments to t
The module requires the following inputs:

| Parameter | Description | Requirement | Example | Default Value |
| ---------------------------------------------------- | ---------------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| parTopLevelManagementGroupPrefix | Prefix for the management group hierarchy. | Yes | `alz` | `alz` |
| parLogAnalyticsWorkSpaceAndAutomationAccountLocation | The region where the Log Analytics Workspace & Automation Account are deployed. | Yes | `eastus` | `eastus` |
| parLogAnalyticsWorkspaceResourceID | Log Analytics Workspace Resource ID | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` | None |
| parLogAnalyticsWorkspaceLogRetentionInDays | Number of days of log retention for Log Analytics Workspace | Yes | `365` | `365` |
| parAutomationAccountName | Automation Account name | Yes | `alz-automation-account` | `alz-automation-account` |
| parMSDFCEmailSecurityContact | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. | Yes | `security_contact@replace_me.com` | `security_contact@replace_me.com` |
| parDdosProtectionPlanId | ID of the DDoS Protection Plan which will be applied to the Virtual Networks | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan` | (empty string) |
| parTelemetryOptOut | Set Parameter to true to Opt-out of deployment telemetry | Yes | `false` | `false` |
| Parameter | Description | Requirement | Example | Default Value |
| ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| parTopLevelManagementGroupPrefix | Prefix for the management group hierarchy. | Yes | `alz` | `alz` |
| parLogAnalyticsWorkSpaceAndAutomationAccountLocation | The region where the Log Analytics Workspace & Automation Account are deployed. | Yes | `eastus` | `eastus` |
| parLogAnalyticsWorkspaceResourceID | Log Analytics Workspace Resource ID | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` | None |
| parLogAnalyticsWorkspaceLogRetentionInDays | Number of days of log retention for Log Analytics Workspace | Yes | `365` | `365` |
| parAutomationAccountName | Automation Account name | Yes | `alz-automation-account` | `alz-automation-account` |
| parMSDFCEmailSecurityContact | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. | Yes | `security_contact@replace_me.com` | `security_contact@replace_me.com` |
| parDdosProtectionPlanId | ID of the DDoS Protection Plan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. | Yes | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-Ddos-Plan` | (empty string) |
| parTelemetryOptOut | Set Parameter to true to Opt-out of deployment telemetry | Yes | `false` | `false` |

## Outputs

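Review bot: the `Requirement` column for `parDdosProtectionPlanId` still reads `Yes` while the default is an empty string and the new description says an empty value is accepted and simply skips the Enable-DDoS-VNET assignments; either change it to `No` or state that it is required only when a DDoS Standard plan exists, otherwise the table contradicts itself. It is also worth saying in the description that with no plan ID nothing enforces DDoS protection on VNETs at the connectivity or landing zone scopes, so the skip is a deliberate reduction in policy coverage rather than a no-op.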
Expand All @@ -26,6 +26,11 @@ The module does not generate any outputs.
## Deployment

> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
<!-- markdownlint-disable -->
> **Important:** If you decide to not use a DDoS Standard plan in your environment and therefore leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) then the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
>
> However, if you later do decide to deploy an DDoS Standard Plan, you will need to remember to come back and update the parameter `parDdosProtectionPlanId` with the resource ID of the DDoS Standard Plan to ensure the policy is applied to the relevant Management Groups. You can then use a policy [remediation task](https://docs.microsoft.com/azure/governance/policy/how-to/remediate-resources) to bring all non-compliant VNETs back into compliance, once a [compliance scan](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers) has taken place.
<!-- markdownlint-restore -->
### Azure CLI
```bash
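Review bot: `deploy an DDoS Standard Plan` should read `a DDoS Standard Plan`, and the note should spell out the security consequence of the skip: while `parDdosProtectionPlanId` is empty, VNETs created under the connectivity and landing zone Management Groups are subject to no DDoS policy at all, and they will only show up as non-compliant once the assignment exists and a compliance scan has run. Stating that here makes the remediation task in the second paragraph read as recovery of lost coverage rather than routine housekeeping.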
Expand Up @@ -3,7 +3,7 @@
SUMMARY: This module deploys the default Azure Landing Zone Azure Policy Assignments to the Management Group Hierarchy and also assigns the relevant RBAC.
DESCRIPTION: This module deploys the default Azure Landing Zone Azure Policy Assignments to the Management Group Hierarchy and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g DeployIfNotExist & Modify effect policies).
AUTHOR/S: jtracey93
VERSION: 1.0.3
VERSION: 1.0.4
*/

Expand All @@ -30,7 +30,7 @@ param parAutomationAccountName string = 'alz-automation-account'
@description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.')
param parMSDFCEmailSecurityContact string = 'security_contact@replace_me.com'

@description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. Default: Empty String')
@description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. Default: Empty String')
param parDdosProtectionPlanId string = ''

@description('Set Parameter to true to Opt-out of deployment telemetry')
Expand Down Expand Up @@ -397,7 +397,7 @@ module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../../policy/assignmen

// // Modules - Policy Assignments - Connectivity Management Group
// Module - Policy Assignment - Enable-DDoS-VNET
module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
scope: managementGroup(varManagementGroupIDs.platformConnectivity)
name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDDoSVNET
params: {
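Review bot: `!empty(parDdosProtectionPlanId)` only catches the exact empty string; a whitespace-only value passes the check and deploys an assignment carrying an unusable plan ID, which defeats the purpose of the guard. Consider `!empty(trim(parDdosProtectionPlanId))`, and since the same condition is repeated on the landing zones assignment further down, hoist it into a single variable (for example `var varDeployDdosPolicy = !empty(trim(parDdosProtectionPlanId))`) so the two cannot drift apart. The doubled `// //` on the `Modules - Policy Assignments - Connectivity Management Group` header line also looks accidental.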
Expand Down Expand Up @@ -597,7 +597,7 @@ module modPolicyAssignmentLZsDeployVMBackup '../../../policy/assignments/policyA
}

// Module - Policy Assignment - Enable-DDoS-VNET
module modPolicyAssignmentLZsEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLZsEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
scope: managementGroup(varManagementGroupIDs.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLZsEnableDDoSVNET
params: {
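Review bot: the file header says this module also assigns RBAC to the system-assigned managed identities of policies with DeployIfNotExists and Modify effects; if the role assignment for `modPolicyAssignmentLZsEnableDDoSVNET` (or the connectivity one above) lives in a separate resource or module that references this module's outputs, it needs the same `if (!empty(parDdosProtectionPlanId))` guard, otherwise the deployment fails when the plan ID is empty because the referenced module is skipped. If the RBAC is handled inside `policyAssignmentManagementGroup.bicep` itself, a one-line comment saying so would save the next reader the check.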