Main Bicep Branch Parity (#416)

* prefer local backends for terraform * add a Bicep Azure Sentinel module (#385) * Remove Client/Client Secret/Tenant Vars from Terraform Templates Co-authored-by: Bree Stryker <b-s-no-reply@microsoft.com> * add workflows to lint and build .bicep modules (#400) * disable verbose lint output (#402) * optionally deploy built-in Policy Initiatives for NIST 800-53, CMMC Level 3, or DOD IL5 (#397) * log activities from subscriptions used in a deployment into the Operations log analytics workspace (#412) * optionally deploy Azure Bastion Host from the base deployment (#406) Co-authored-by: Vidya Bala <vidbala@microsoft.com> Co-authored-by: Bree Stryker <b-s-no-reply@microsoft.com> Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com> Co-authored-by: Shawn Gibbs <shawngib@microsoft.com>
Azure · Sep 17, 2021 · 279d1b5 · 279d1b5
1 parent 276cdae
commit 279d1b5
Show file tree

Hide file tree

Showing 32 changed files with 3,868 additions and 855 deletions.
diff --git a/.github/workflows/validate-bicep.yml b/.github/workflows/validate-bicep.yml
@@ -0,0 +1,18 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: validate-bicep
+on: 
+  pull_request:
+    paths: 
+    - '**.bicep'
+  workflow_dispatch:
+    paths:
+    - '**.bicep'
+jobs:
+  validate-bicep:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          az bicep build --file src/bicep/mlz.bicep
diff --git a/.github/workflows/validate-build-bicep.yml b/.github/workflows/validate-build-bicep.yml
@@ -0,0 +1,22 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: validate-build-bicep
+on:
+  push:
+    paths:
+    - '**.bicep'
+    branches:
+      - bicep
+jobs:
+  validate-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          az bicep build --file src/bicep/mlz.bicep --outfile src/bicep/mlz.json
+          git add src/bicep/mlz.json
+          git commit -m "GitHub Action: Build Bicep to JSON"
+          git push
diff --git a/src/bicep/README.md b/src/bicep/README.md
@@ -99,3 +99,45 @@ az deployment sub create \
     operationsSubscriptionId=$operationsSubscriptionId \
     sharedServicesSubscriptionId=$sharedServicesSubscriptionId
 ```
+
+## Adding Azure Policy
+
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example deploying with MLZ:
+
+```plaintext
+az deployment sub create \
+  --location eastus \
+  --template-file mlz.bicep \
+  --parameters policy=<one of 'CMMC', 'IL5', or 'NIST'>
+```
+
+Or, apply policy after deploying MLZ:
+
+```plaintext
+az deployment group create \
+  --resource-group <Resource Group to assign> \
+  --name <original deployment name + descriptor> \
+  --template-file ./src/bicep/modules/policyAssignment.bicep \
+  --parameters builtInAssignment=<one of 'CMMC', 'IL5', or 'NIST'> logAnalyticsWorkspaceName=<Log analytics workspace name> \
+  --parameters logAnalyticsWorkspaceName=<Log Analytics Workspace Name> \
+  --parameters logAnalyticsWorkspaceResourceGroupName=<Log Analytics Workspace Resource Group Name>
+```
+
+Under the [modules/policies](modules/policies) directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `<LAWORKSPACE>` that we substitute at deployment time -- any other parameter can be modified as needed).
+
+The result will be a policy assignment created for each resource group deployed by MLZ that can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.
+
+## Adding Remote Access via Bastion Host
+
+To deploy a virtual machine as a jumpbox into the network without a Public IP Address using Azure Bastion Host, provide two parameters `deployRemoteAccess=true` and `linuxVmAdminPasswordOrKey=<your password>` to the deployment. A quick and easy way to generate a secure password from the .devcontainer is the command `openssl rand -base64 14`.
+
+```plaintext
+my_password=$(openssl rand -base64 14)
+
+az deployment sub create \
+  --name "myRemoteAccessDeployment" \
+  --location "eastus" \
+  --template-file "src/bicep/mlz.bicep" \
+  --parameters deployRemoteAccess="true" \
+  --parameters linuxVmAdminPasswordOrKey="$my_password"
+```
diff --git a/src/bicep/bicepconfig.json b/src/bicep/bicepconfig.json
@@ -0,0 +1,28 @@
+{
+    "analyzers": {
+      "core": {
+        "verbose": false,
+        "enabled": true,
+        "rules": {
+          "no-hardcoded-env-urls": {
+            "level": "error"
+          },
+          "no-unused-params": {
+            "level": "error"
+          },
+          "no-unused-vars": {
+            "level": "error"
+          },
+          "prefer-interpolation": {
+            "level": "error"
+          },
+          "secure-parameter-default": {
+            "level": "error"
+          },
+          "simplify-interpolation": {
+            "level": "error"
+          }
+        }
+      }
+    }
+  }
diff --git a/src/bicep/examples/remoteAccess/README.md b/src/bicep/examples/remoteAccess/README.md
@@ -8,7 +8,7 @@ Read on to understand what this example does, and when you're ready, collect all
 
 ### Deploys Azure Bastion Host
 
-The docs on Azure Bastion: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
+The docs on Azure Bastion: <https://docs.microsoft.com/en-us/azure/bastion/bastion-overview>
 
 Some particulars about Bastion:
 
@@ -20,7 +20,7 @@ Some particulars about Bastion:
 
 This example deploys two virtual machines into a new subnet in the existing Hub virtual network to serve as jumpboxes.
 
-The docs on Virtual Machines: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json
+The docs on Virtual Machines: <https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json>
 
 ## Pre-requisites
 
@@ -97,20 +97,25 @@ hubVirtualNetworkName="hub-vnet"
 hubSubnetResourceId="/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet"
 hubNetworkSecurityGroupResourceId="/subscriptions/.../providers/Microsoft.Network/networkSecurityGroups/hub-nsg"
 
+linuxPassword=$(openssl rand -base64 14) # generate a random 14 character password
+
 az deployment group create \
   --name "RemoteAccessExample" \
   --resource-group $hubResourceGroupName \
-  --template-file "./remoteAccess.bicep" \
+  --template-file "./main.bicep" \
   --parameters \
   hubVirtualNetworkName="$hubVirtualNetworkName" \
   hubSubnetResourceId="$hubSubnetResourceId" \
-  hubNetworkSecurityGroupResourceId="$hubNetworkSecurityGroupResourceId"
+  hubNetworkSecurityGroupResourceId="$hubNetworkSecurityGroupResourceId" \
+  linuxVmAdminPasswordOrKey="$linuxPassword"
 ```
 
 Or, completely experimentally, try the Portal:
 
-#### AzureCloud
-[![Deploy To Azure](../../docs/imgs/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fsrc%2Fbicep%2Fexamples%2FremoteAccess%2FremoteAccess.json)
+### AzureCloud
+
+[![Deploy To Azure](../../docs/imgs/deploytoazure.svg?sanitze=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fsrc%2Fbicep%2Fexamples%2FremoteAccess%2Fmain.json)
+
+### AzureUSGovernment
 
-#### AzureUSGovernment
-[![Deploy To Azure US Gov](../../docs/imgs/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fexamples%2FremoteAccess%2FremoteAccess.json)
+[![Deploy To Azure US Gov](../../docs/imgs/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fglennmusa%2Fmissionlz%2Fglennmusa%2Fbicep%2Fexamples%2FremoteAccess%2Fmain.json)
diff --git a/src/bicep/examples/remoteAccess/main.bicep b/src/bicep/examples/remoteAccess/main.bicep
@@ -0,0 +1,73 @@
+param location string = resourceGroup().location
+
+param hubVirtualNetworkName string
+param hubSubnetResourceId string
+param hubNetworkSecurityGroupResourceId string
+
+param bastionHostName string = 'bastionHost'
+param bastionHostSubnetAddressPrefix string = '10.0.100.160/27'
+param bastionHostPublicIPAddressName string = 'bastionHostPublicIPAddress'
+param bastionHostPublicIPAddressSkuName string = 'Standard'
+param bastionHostPublicIPAddressAllocationMethod string = 'Static'
+param bastionHostPublicIPAddressAvailabilityZones array = []
+param bastionHostIPConfigurationName string = 'bastionHostIPConfiguration'
+
+param linuxVmName string = 'linuxVirtualMachine'
+param linuxVmSize string = 'Standard_B2s'
+param linuxVmOsDiskCreateOption string = 'FromImage'
+param linuxVmOsDiskType string = 'Standard_LRS'
+param linuxVmImagePublisher string = 'Canonical'
+param linuxVmImageOffer string = 'UbuntuServer'
+param linuxVmImageSku string = '18.04-LTS'
+param linuxVmImageVersion string = 'latest'
+param linuxVmAdminUsername string = 'azureuser'
+
+@allowed([
+  'sshPublicKey'
+  'password'
+])
+param linuxVmAuthenticationType string = 'password'
+@secure()
+@minLength(14)
+param linuxVmAdminPasswordOrKey string
+
+param linuxVmNetworkInterfaceName string = 'linuxVmNetworkInterface'
+param linuxVmNetworkInterfaceIpConfigurationName string = 'linuxVmIpConfiguration'
+param linuxVmNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
+
+param nowUtc string = utcNow()
+
+module remoteAccess '../../modules/remoteAccess.bicep' = {
+  name: 'deploy-remoteAccess-Example-${nowUtc}'
+  params: {
+    location: location
+
+    hubVirtualNetworkName: hubVirtualNetworkName
+    hubSubnetResourceId: hubSubnetResourceId
+    hubNetworkSecurityGroupResourceId: hubNetworkSecurityGroupResourceId
+
+    bastionHostName: bastionHostName
+    bastionHostSubnetAddressPrefix: bastionHostSubnetAddressPrefix
+    bastionHostPublicIPAddressName: bastionHostPublicIPAddressName
+    bastionHostPublicIPAddressSkuName: bastionHostPublicIPAddressSkuName
+    bastionHostPublicIPAddressAllocationMethod: bastionHostPublicIPAddressAllocationMethod
+    bastionHostPublicIPAddressAvailabilityZones: bastionHostPublicIPAddressAvailabilityZones
+    bastionHostIPConfigurationName: bastionHostIPConfigurationName
+
+    linuxNetworkInterfaceIpConfigurationName: linuxVmNetworkInterfaceIpConfigurationName
+    linuxNetworkInterfacePrivateIPAddressAllocationMethod: linuxVmNetworkInterfacePrivateIPAddressAllocationMethod
+
+    linuxVmName: linuxVmName
+    linuxVmSize: linuxVmSize
+    linuxVmOsDiskCreateOption: linuxVmOsDiskCreateOption
+    linuxVmOsDiskType: linuxVmOsDiskType
+    linuxVmImagePublisher: linuxVmImagePublisher
+    linuxVmImageOffer: linuxVmImageOffer
+    linuxVmImageSku: linuxVmImageSku
+    linuxVmImageVersion: linuxVmImageVersion
+    linuxVmAdminUsername: linuxVmAdminUsername
+    linuxVmAuthenticationType: linuxVmAuthenticationType
+    linuxVmAdminPasswordOrKey: linuxVmAdminPasswordOrKey
+    linuxVmNetworkInterfaceName: linuxVmNetworkInterfaceName
+  }
+}