Update/caf sync november 01 (#85)
* Updated parameters

* Fix sync script
anwather authored Nov 4, 2022
1 parent 406ccce commit 60e2266
Showing 2 changed files with 26 additions and 35 deletions.
41 changes: 11 additions & 30 deletions Scripts/CloudAdoptionFramework/Assignments/CAF-RootMG-Default.json
Expand Up @@ -28,27 +28,7 @@
"friendlyNameToDocumentIfGuid": "Azure Security Benchmark"
},
"parameters": {
"aadAuthenticationInSqlServerMonitoringEffect": "Disabled",
"diskEncryptionMonitoringEffect": "Disabled",
"encryptionOfAutomationAccountMonitoringEffect": "Disabled",
"identityDesignateLessThanOwnersMonitoringEffect": "Disabled",
"identityDesignateMoreThanOneOwnerMonitoringEffect": "Disabled",
"identityEnableMFAForWritePermissionsMonitoringEffect": "Disabled",
"identityRemoveDeprecatedAccountMonitoringEffect": "Disabled",
"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": "Disabled",
"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": "Disabled",
"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": "Disabled",
"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": "Disabled",
"jitNetworkAccessMonitoringEffect": "Disabled",
"networkSecurityGroupsOnSubnetsMonitoringEffect": "AuditIfNotExists",
"sqlDbEncryptionMonitoringEffect": "Disabled",
"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": "Disabled",
"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": "Disabled",
"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": "Disabled",
"sqlServerAdvancedDataSecurityMonitoringEffect": "Disabled",
"systemUpdatesMonitoringEffect": "Disabled",
"vmssSystemUpdatesMonitoringEffect": "Disabled",
"windowsDefenderExploitGuardMonitoringEffect": "Disabled",
"useRbacRulesMonitoringEffect": "Disabled",
"useServicePrincipalToProtectSubscriptionsMonitoringEffect": "Disabled",
"identityEnableMFAForOwnerPermissionsMonitoringEffect": "Disabled",
Expand All @@ -68,16 +48,17 @@
"friendlyNameToDocumentIfGuid": "Microsoft Defender For Cloud"
},
"parameters": {
"enableAscForServers": "DeployIfNotExists",
"enableAscForSql": "DeployIfNotExists",
"enableAscForAppServices": "DeployIfNotExists",
"enableAscForStorage": "DeployIfNotExists",
"enableAscForContainers": "DeployIfNotExists",
"enableAscForKeyVault": "DeployIfNotExists",
"enableAscForSqlOnVm": "DeployIfNotExists",
"enableAscForArm": "DeployIfNotExists",
"enableAscForDns": "DeployIfNotExists",
"enableAscForOssDb": "DeployIfNotExists"
"enableAscForServers": "Disabled",
"enableAscForSql": "Disabled",
"enableAscForAppServices": "Disabled",
"enableAscForStorage": "Disabled",
"enableAscForContainers": "Disabled",
"enableAscForKeyVault": "Disabled",
"enableAscForSqlOnVm": "Disabled",
"enableAscForArm": "Disabled",
"enableAscForDns": "Disabled",
"enableAscForOssDb": "Disabled",
"enableAscForCosmosDbs": "Disabled"
}
}
]
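Review bot: The Microsoft Defender For Cloud assignment's parameters now set all ten existing enableAscFor* effects to Disabled, together with the newly added enableAscForCosmosDbs, where the previous values were DeployIfNotExists, and nothing on the page explains the reversal — the description only says "Updated parameters". Since this file is the default root-management-group assignment, anyone syncing from it will presumably stop the Defender plan enablement policies from being evaluated at that scope, which is a posture regression for a file named CAF-RootMG-Default; if that is intentional (for example, plan enablement is meant to come from a separate assignment), the rationale belongs in the commit description or the repository README, since this JSON carries no comment field, and if it is not, the DeployIfNotExists values should be restored and enableAscForCosmosDbs given the same effect. The first hunk also appears to drop around twenty Disabled overrides for the Azure Security Benchmark initiative, which reverts those policies to the initiative's default effects; that tightening is worth stating alongside the Defender change so the two are not mistaken for one another.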
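--- a/Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1
+++ b/Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1
@@ -43,15 +43,25 @@ foreach ($policyUri in $defaultPolicyURIs) {
 }
 if ($type -match 'Microsoft.Authorization/policySetDefinitions') {
 $name = $_.Value | ConvertFrom-Json | Select-Object -ExpandProperty Name
+$environments = ($_.Value | ConvertFrom-Json | Select-Object -ExpandProperty Properties).metadata.alzCloudEnvironments
+if ($environments.Length -eq 3) {
+$fileName = $name
+}
+else {
+switch ($environments | Select-Object -First 1) {
+"AzureChinaCloud" { $fileName = "$name.$_" }
+"AzureUSGovernment" { $fileName = "$name.$_" }
+}
+}
 $baseTemplate = @{
 name = $_.Value | ConvertFrom-Json | Select-Object -ExpandProperty Name
 properties = $_.Value | ConvertFrom-Json | Select-Object -ExpandProperty Properties
 }
-$baseTemplate | ConvertTo-Json -Depth 50 | Out-File -FilePath $definitionsRootFolder\initiatives\CAF\$name.json -Force
-(Get-Content $definitionsRootFolder\initiatives\CAF\$name.json) -replace "\[\[", "[" | Set-Content $definitionsRootFolder\initiatives\CAF\$name.json
-(Get-Content $definitionsRootFolder\initiatives\CAF\$name.json) -replace "variables\('scope'\)", "'/providers/Microsoft.Management/managementGroups/$managementGroupId'" | Set-Content $definitionsRootFolder\initiatives\CAF\$name.json
-(Get-Content $definitionsRootFolder\initiatives\CAF\$name.json) -replace "', '", "" | Set-Content $definitionsRootFolder\initiatives\CAF\$name.json
-(Get-Content $definitionsRootFolder\initiatives\CAF\$name.json) -replace "\[concat\(('(.+)')\)\]", "`$2" | Set-Content $definitionsRootFolder\initiatives\CAF\$name.json
+$baseTemplate | ConvertTo-Json -Depth 50 | Out-File -FilePath $definitionsRootFolder\initiatives\CAF\$fileName.json -Force
+(Get-Content $definitionsRootFolder\initiatives\CAF\$fileName.json) -replace "\[\[", "[" | Set-Content $definitionsRootFolder\initiatives\CAF\$fileName.json
+(Get-Content $definitionsRootFolder\initiatives\CAF\$fileName.json) -replace "variables\('scope'\)", "'/providers/Microsoft.Management/managementGroups/$managementGroupId'" | Set-Content $definitionsRootFolder\initiatives\CAF\$fileName.json
+(Get-Content $definitionsRootFolder\initiatives\CAF\$fileName.json) -replace "', '", "" | Set-Content $definitionsRootFolder\initiatives\CAF\$fileName.json
+(Get-Content $definitionsRootFolder\initiatives\CAF\$fileName.json) -replace "\[concat\(('(.+)')\)\]", "`$2" | Set-Content $definitionsRootFolder\initiatives\CAF\$fileName.json
 }
 
 }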
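Review bot: `$fileName` is assigned only when alzCloudEnvironments has exactly three entries or when its first entry is AzureChinaCloud or AzureUSGovernment, so any other shape (a two-entry list whose first element is AzureCloud, or a definition without that metadata) falls through without assigning it, and because this runs inside a loop the variable still holds the previous iteration's value — the `Out-File -Force` below then silently overwrites that earlier definition file with this one. Reset it at the top of the branch with `$fileName = $null` and give the switch a `default { Write-Warning "Skipping $name - unhandled alzCloudEnvironments: $($environments -join ',')"; return }` arm (the `return` assumes a `ForEach-Object` script block, which the `$_.Value` usage suggests; in a `foreach` statement it would be `continue`), or at minimum guard the five writes with `if (-not $fileName) { ... }`. Only the first environment is inspected, so a list such as AzureCloud, AzureChinaCloud would also not get a suffixed name; a short comment above the `if`, e.g. `# 3 entries = all clouds -> unsuffixed file; otherwise the first entry is expected to name the sovereign cloud`, would make the `-eq 3` magic number and that expectation explicit. The enclosing `foreach ($policyUri in $defaultPolicyURIs)` loop and the surrounding script block start outside the hunk.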
