-
Notifications
You must be signed in to change notification settings - Fork 71
/
Copy pathassignments_org.tf
133 lines (116 loc) · 5.47 KB
/
assignments_org.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
##################
# General
##################
module "org_mg_whitelist_regions" {
source = "..//modules/def_assignment"
definition = module.whitelist_regions.definition
assignment_scope = data.azurerm_management_group.org.id
assignment_effect = "Deny"
assignment_parameters = {
listOfRegionsAllowed = ["uk", "uksouth", "ukwest", "europe", "northeurope", "westeurope", "global"] # Global is used in services such as Azure DNS
}
assignment_metadata = {
version = "1.0.0"
category = "Batch"
cloud_envs = [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
}
# optional resource selectors (preview)
resource_selectors = [
{
name = "SDPRegions"
selectors = {
kind = "resourceLocation"
in = ["uk", "uksouth", "ukwest"]
}
}
]
}
##################
# Security Center
##################
module "org_mg_configure_asc_initiative" {
source = "..//modules/set_assignment"
initiative = module.configure_asc_initiative.initiative
assignment_scope = data.azurerm_management_group.org.id
assignment_description = "Deploys and configures Defender settings and defines exports"
assignment_effect = "DeployIfNotExists"
assignment_location = "ukwest"
# resource remediation options
re_evaluate_compliance = var.re_evaluate_compliance
skip_remediation = var.skip_remediation
skip_role_assignment = var.skip_role_assignment
aad_group_remediation_object_ids = [data.azuread_group.rem.object_id] # add assignment identity to aad group(s)
assignment_parameters = {
workspaceId = local.dummy_resource_ids.azurerm_log_analytics_workspace
eventHubDetails = local.dummy_resource_ids.azurerm_eventhub_namespace_authorization_rule
securityContactsEmail = "[email protected]"
securityContactsPhone = "44897654987"
}
# use the `non_compliance_messages` output from the initiative module to set auto generated messages based off policy properties: descriptions/display names/custom ones found in metadata
# or override with you own Key/Value pairs map e.g. policy_definition_reference_id = 'message content'
non_compliance_messages = module.configure_asc_initiative.non_compliance_messages
# optional overrides (preview)
overrides = [
{
effect = "AuditIfNotExists"
selectors = {
in = ["ExportAscAlertsAndRecommendationsToEventhub", "ExportAscAlertsAndRecommendationsToLogAnalytics"]
}
}
]
}
##################
# Monitoring
##################
module "org_mg_platform_diagnostics_initiative" {
source = "..//modules/set_assignment"
initiative = module.platform_diagnostics_initiative.initiative
assignment_scope = data.azurerm_management_group.org.id
# resource remediation options
re_evaluate_compliance = var.re_evaluate_compliance
skip_remediation = var.skip_remediation
skip_role_assignment = var.skip_role_assignment
role_assignment_scope = data.azurerm_management_group.team_a.id # set explicit scopes, omit to use the assignment scope
role_definition_ids = [data.azurerm_role_definition.contributor.id] # set explicit roles, omit to use roles found in the definitions "policyRule"
# NOTE: You may omit parameters at assignment to use the definitions 'defaultValue'
assignment_parameters = {
workspaceId = local.dummy_resource_ids.azurerm_log_analytics_workspace
storageAccountId = local.dummy_resource_ids.azurerm_storage_account
eventHubName = local.dummy_resource_ids.azurerm_eventhub_namespace
eventHubAuthorizationRuleId = local.dummy_resource_ids.azurerm_eventhub_namespace_authorization_rule
metricsEnabled = "True"
logsEnabled = "True"
effect_DeployApplicationGatewayDiagnosticSetting = "DeployIfNotExists"
effect_DeployEventhubDiagnosticSetting = "DeployIfNotExists"
effect_DeployFirewallDiagnosticSetting = "DeployIfNotExists"
effect_DeployKeyvaultDiagnosticSetting = "AuditIfNotExists"
effect_DeployLoadbalancerDiagnosticSetting = "AuditIfNotExists"
effect_DeployNetworkInterfaceDiagnosticSetting = "AuditIfNotExists"
effect_DeployNetworkSecurityGroupDiagnosticSetting = "AuditIfNotExists"
effect_DeployPublicIpDiagnosticSetting = "AuditIfNotExists"
effect_DeployStorageAccountDiagnosticSetting = "DeployIfNotExists"
effect_DeploySubscriptionDiagnosticSetting = "DeployIfNotExists"
effect_DeployVnetDiagnosticSetting = "AuditIfNotExists"
effect_DeployVnetGatewayDiagnosticSetting = "AuditIfNotExists"
}
non_compliance_messages = module.platform_diagnostics_initiative.non_compliance_messages
}
##################
# Storage
##################
module "org_mg_storage_enforce_https" {
source = "..//modules/def_assignment"
definition = module.storage_enforce_https.definition
assignment_scope = data.azurerm_management_group.org.id
assignment_effect = "Deny"
}
module "org_mg_storage_enforce_minimum_tls1_2" {
source = "..//modules/def_assignment"
definition = module.storage_enforce_minimum_tls1_2.definition
assignment_scope = data.azurerm_management_group.org.id
assignment_effect = "Deny"
}