Skip to content

Commit

Permalink
adding ARM modules (#613)
Browse files Browse the repository at this point in the history 
* adding modules

* defined contract

* update #3

* added enforcementMode param

* adding param

* UX and contract changes

* conditional firewall for hub vs vwan

* support for single vs N platform subs

* updated UX for single vs dedicated platform subscriptions

* updating built-in policy

* correcting parameter

* navigating policies for identity

* adding vwan and nva for networking

* removing peering

* adding scaleUnit for vpnGateway and ER for vwan

* fixing parameter

* adding disclaimer for sub selection

* adding private dns zones and moving to built-in policies

* adding policySet for DINE Private DNS Zones

* Added policyset for public paas

* removed custom references

* Update Deny-PublicEndpointsPolicySetDefinition.json

* policy updates

* adding policies and UX enhancements

* removing option for private dns zones when vwan is selected

* adding UX for vnet peering of dedicated ID sub

* adding peering for identity sub

* adding vnet peering for corp lz

* corp lz move and peering

* sequencing corp lz move vs peering

* updated description and displayName

* updating rg location for nw

* adding condition for AzFw as DNS proxy vs not

* adding peering support for identity to vwan hub

* updating displayName

Co-authored-by: Johan Dahlbom <johan@dahlbom.eu>
  • Loading branch information
@krnese @daltondhcp
krnese and daltondhcp authored Jul 13, 2021
1 parent 190b769 commit e411a85
Show file tree
Hide file tree
Showing 51 changed files with 30,635 additions and 0 deletions.
2,271 changes: 2,271 additions & 0 deletions eslzArm/eslz-portal.json
View file

Large diffs are not rendered by default.

3,404 changes: 3,404 additions & 0 deletions eslzArm/eslzArm.json
View file

Large diffs are not rendered by default.

163 changes: 163 additions & 0 deletions eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide prefix for the management group structure."
}
},
"platformMgs": {
"type": "array",
"defaultValue": [
"management",
"connectivity",
"identity"
],
"metadata": {
"description": "Management groups for platform specific purposes, such as management, networking, identity etc."
}
},
"landingZoneMgs": {
"type": "array",
"defaultValue": [
"online",
"corp"
],
"metadata": {
"description": "These are the landing zone management groups."
}
}
},
"variables": {
"enterpriseScaleManagementGroups": {
"platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]",
"landingZone": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'landingzones')]",
"decommissioned": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'decommissioned')]",
"sandboxes": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'sandboxes')]"
}
},
"resources": [
{
// Create top level management group under tenant root
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[parameters('topLevelManagementGroupPrefix')]",
"properties": {}
},
{
// Create management group for platform management groups
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').platform]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').platform]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create management group for landing zones
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').landingZone]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').landingZone]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create management group for sandbox subscriptions
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').sandboxes]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').sandboxes]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create management group for decommissioned subscriptions
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').decommissioned]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').decommissioned]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create child management groups for platform resources
"condition": "[not(empty(parameters('platformMgs')))]",
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('platformMgs')[copyIndex()])]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups', variables('enterpriseScaleManagementGroups').platform)]"
],
"copy": {
"name": "platformMgCopy",
"count": "[length(parameters('platformMgs'))]"
},
"properties": {
"displayName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('platformMgs')[copyIndex()])]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').platform)]"
}
}
}
},
{
// Create child management groups for landing zones
"condition": "[not(empty(parameters('landingZoneMgs')))]",
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
],
"copy": {
"name": "lzMgCopy",
"count": "[length(parameters('landingZoneMgs'))]"
},
"properties": {
"displayName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
}
}
}
}
],
"outputs": {}
}
130 changes: 130 additions & 0 deletions eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide prefix for the management group structure."
}
},
"landingZoneMgs": {
"type": "array",
"defaultValue": [
"online",
"corp"
],
"metadata": {
"description": "These are the landing zone management groups."
}
}
},
"variables": {
"enterpriseScaleManagementGroups": {
"platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]",
"landingZone": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'landingzones')]",
"decommissioned": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'decommissioned')]",
"sandboxes": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'sandboxes')]"
}
},
"resources": [
{
// Create top level management group under tenant root
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[parameters('topLevelManagementGroupPrefix')]",
"properties": {}
},
{
// Create management group for platform management groups
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').platform]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').platform]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create management group for landing zones
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').landingZone]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').landingZone]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create management group for sandbox subscriptions
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').sandboxes]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').sandboxes]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create management group for decommissioned subscriptions
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[variables('enterpriseScaleManagementGroups').decommissioned]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
],
"properties": {
"displayName": "[variables('enterpriseScaleManagementGroups').decommissioned]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
}
}
}
},
{
// Create child management groups for landing zones
"condition": "[not(empty(parameters('landingZoneMgs')))]",
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2020-05-01",
"name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
"dependsOn": [
"[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
],
"copy": {
"name": "lzMgCopy",
"count": "[length(parameters('landingZoneMgs'))]"
},
"properties": {
"displayName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
"details": {
"parent": {
"id": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
}
}
}
}
],
"outputs": {}
}
43 changes: 43 additions & 0 deletions ...rm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
},
"policyAssignmentNames": {
"denyAksNoPrivEsc": "Deny-Priv-Esc-AKS",
"description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
"displayName": "Kubernetes clusters should not allow container privilege escalation"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
"value": "deny"
}
}
}
}
],
"outputs": {}
}
43 changes: 43 additions & 0 deletions eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
},
"policyAssignmentNames": {
"denyAksPriv": "Deny-Privileged-AKS",
"description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
"displayName": "Kubernetes cluster should not allow privileged containers"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyAksPriv]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
"value": "deny"
}
}
}
}
],
"outputs": {}
}
Loading

0 comments on commit e411a85

Please sign in to comment.