diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json
index f954617e5..87eb6aa6f 100644
--- a/src/bicep/form/mlz.portal.json
+++ b/src/bicep/form/mlz.portal.json
@@ -671,161 +671,274 @@ }, { "name": "compliance", - "label": "Compliance", + "label": "Security and Compliance", "elements": [ { - "name": "complianceDescriptionTextBlock", + "name": "Security and Compliance", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Mission Landing Zone comes bundled with built-in policies that can be applied to the resources it deploys and the ability to enable Microsoft Defender for Cloud for the subscriptions it is deployed into.", + "text": "To support the on-going security and compliance of your landing zone, MLZ provides options for configuring: Defender for Cloud, Regulatory Compliance Policies, and Microsoft Sentinel.", "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction" + "label": "Click here to learn more about recommended security best practices", + "uri": "https://learn.microsoft.com/en-us/azure/security/fundamentals/operational-best-practices" } } }, { - "name": "policySection", - "label": "Enable Azure Policy", + "name": "defenderFreeSection", + "label": "Defender for Cloud - Cloud Security Posture Management", "type": "Microsoft.Common.Section", "elements": [ { - "name": "policySubsetDetailsTextBlock", + "name": "CSPMTextBox", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Mission Landing Zone comes bundled with a relevant subset of available Azure policies." + "text": "To support the on-going security and compliance of your landing zone, by default - MLZ deploys the free cloud security posture management features of Defender for Cloud, such as: secure score, which is powered by the Microsoft Cloud Security Benchmark. 
The Microsoft Cloud Security Benchmark is a security framework derived from Microsoft best practices, and NIST/CIS security Controls.", + "link": { + "label": "Click here to learn more about Defender for Cloud", + "uri": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction" + } } - }, + } + ] + }, + { + "name": "defenderSection", + "label": "Defender for Cloud - Workload Protection Plans and other advanced management features", + "type": "Microsoft.Common.Section", + "elements": [ { - "name": "policyOptionalTextBlock", + "name": "defenderSubscriptionDetailsText", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Enabling policies is optional, but recommended." + "text": "For further enhanced protection, MLZ has the option of activiating the paid features of Defender for Cloud, such as: Defender Cloud Security Posture Management (DCSPM) and workload protection plans for additional threat protection for resources, such as: servers, storage, and more." } }, { - "name": "deployPolicy", + "name": "defenderSKUWarningText", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "Enabling the additional paid features of Microsoft Defender for Cloud is recommended. 
If you have previously enabled any paid workload protection plans, you must select the checkbox and relevant plans on the dropdown list, to ensure protection is maintained through any deployment(s) of MLZ.", + "uri": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads" + } + }, + { + "name": "deployDefender", "type": "Microsoft.Common.CheckBox", - "label": "Create policy assignments?", - "toolTip": "Check here to create policy assignments for the resources created by Mission Landing Zone.", + "label": "Enable additional features for Microsoft Defender for Cloud?", + "toolTip": "Check here to enable additional paid features of Microsoft Defender for Cloud.", "constraints": { "required": false } }, { - "name": "policy", + "name": "Checkavailability", + "type": "Microsoft.Common.InfoBox", + "options": { + "icon": "Info", + "text": "Click the link to open a new browser tab, to confirm what workload protection features are available in the in Azure Commercial and Azure Government Clouds.", + "uri": "https://learn.microsoft.com/en-us/azure/security/fundamentals/feature-availability#microsoft-defender-for-cloud" + }, + "visible": "[steps('compliance').defenderSection.deployDefender]" + }, + { + "name": "deployDefenderPlans", "type": "Microsoft.Common.DropDown", - "label": "Policy Assignment", + "label": "Defender for Cloud Additional Features", "placeholder": "", - "defaultValue": "NIST SP 800-53", - "toolTip": "DoD IL5 is only available in AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.", - "multiselect": false, + "defaultValue": "VirtualMachines", + "toolTip": "Check feature availability of paid Defender for Cloud features", + "multiselect": true, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "defaultDescription": "Select one of the bundled built-in policy assignments.", + "defaultDescription": "Select paid Defender for Cloud 
features.", "constraints": { "allowedValues": [ { - "label": "NIST SP 800-53 Rev4", - "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).", - "value": "NISTRev4" + "label": "Defender CSPM", + "description": "Provides enhanced posture management tools, such as: attack paths, cloud security explorer, and governance", + "value": "CloudPosture" }, { - "label": "NIST SP 800-53 Rev5", - "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).", - "value": "NISTRev5" + "label": "Defender for Servers", + "description": "Provide server protections through Microsoft Defender for Endpoint or extended protection with just-in-time network access, file integrity monitoring, vulnerability assessment, and more.", + "value": "VirtualMachines" }, { - "label": "DoD IL5", - "description": "The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). 
These policies are only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.", - "value": "IL5" + "label": "Defender for API", + "description": "Safeguards APIs throughout their lifecycle, offering detection, response coverage, and vulnerability prioritization", + "value": "Api" }, { - "label": "CMMC", - "description": "The Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the US Department of Defense (DoD) that requires formal third-party audits of defense industrial base (DIB) contractor cybersecurity practices.", - "value": "CMMC" + "label": "Defender for App Services", + "description": "Diagnose weaknesses in your application infrastructure that can leave your environment susceptible to attack.", + "value": "AppServices" + }, + { + "label": "Defender for Resource Manager", + "description": "Protects against suspicious Azure Resource Mnagement operations, use of exploitation toolkits, and lateral movement.", + "value": "Arm" + }, + { + "label": "Defender for Azure Cosmos DB", + "description": "detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.", + "value": "CosmosDbs" + }, + { + "label": "Defender for Key Vault", + "description": "Detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. 
This layer of protection helps you address threats even if you're not a security expert, and without the need to manage third-party security monitoring systems.", + "value": "KeyVaults" + }, + { + "label": "Defender for open-source relational databases", + "description": "Provide alerts when it detects anomalous database access and query patterns as well as suspicious database activities", + "value": "OpenSourceRelationalDatabases" + }, + { + "label": "Defender for SQL Server on machines", + "description": "Identify and mitigate potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.", + "value": "SqlServerVirtualMachines" + }, + { + "label": "Defender for Azure SQL", + "description": "Provides vulnerability assessment and threat protection for Azure SQL.", + "value": "SqlServers" + }, + { + "label": "Defender for Storage", + "description": "Detect unusual and potentially harmful attempts to access or exploit your storage accounts using: advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts.", + "value": "StorageAccounts" + }, + { + "label": "Defender for Containers", + "description": "Provides security posture management, vulnerability assessment, run-time threat protection, and deployment-montioring for containers.", + "value": "Containers" } ] }, - "visible": "[steps('compliance').policySection.deployPolicy]" + "visible": "[steps('compliance').defenderSection.deployDefender]" + }, + { + "name": "emailSecurityContact", + "type": "Microsoft.Common.TextBox", + "label": "Security Contact E-Mail Address", + "defaultValue": "", + "toolTip": "Provide an e-mail address as a security contact for Microsoft Defender for Cloud", + "placeholder": "johndoe@contoso.com", + "multiLine": false, + "constraints": { + "required": "[steps('compliance').defenderSection.deployDefender]", + "validations": [ + { + "regex": 
"^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$", + "message": "Provide a valid e-mail address" + } + ] + }, + "visible": "[steps('compliance').defenderSection.deployDefender]" } ] }, { - "name": "defenderSection", - "label": "Enable Microsoft Defender for Cloud", + "name": "policySection", + "label": "Assign Regulatory Compliance Policies", "type": "Microsoft.Common.Section", "elements": [ { - "name": "defenderSubscriptionDetailsText", + "name": "policySubsetDetailsTextBlock", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Mission Landing Zone can activate Microsoft Defender for Cloud for each subscription it is deployed into." + "text": "To assist with security compliance, MLZ can deploy additional regulatory compliance frameworks, powered by Azure Policy, to your landing zone." } }, { - "name": "defenderOptionalDetailsText", + "name": "policyOptionalTextBlock", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Enabling Microsoft Defender for Cloud is optional, but recommended." + "text": "Enabling policies is optional, but recommended if your organization must follow certain standards." 
} }, { - "name": "deployDefender", + "name": "deployPolicy", "type": "Microsoft.Common.CheckBox", - "label": "Enable Microsoft Defender for Cloud?", - "toolTip": "Check here to enable Microsoft Defender for Cloud for the subscriptions used to deploy Mission Landing Zone.", + "label": "Create policy assignments?", + "toolTip": "Check here to assign regulatory compliance policy assignments for the Mission Landing Zone.", "constraints": { "required": false } }, { - "name": "emailSecurityContact", - "type": "Microsoft.Common.TextBox", - "label": "Security Contact E-Mail Address", - "defaultValue": "", - "toolTip": "Provide an e-mail address as a security contact for Microsoft Defender for Cloud", - "placeholder": "johndoe@contoso.com", - "multiLine": false, + "name": "policy", + "type": "Microsoft.Common.DropDown", + "label": "Policy Assignment", + "placeholder": "", + "defaultValue": "NIST SP 800-53", + "toolTip": "DoD IL5 is only available in AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.", + "multiselect": false, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "defaultDescription": "Select one of the bundled built-in policy assignments.", "constraints": { - "required": "[steps('compliance').defenderSection.deployDefender]", - "validations": [ + "allowedValues": [ { - "regex": "^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$", - "message": "Provide a valid e-mail address" + "label": "NIST SP 800-53 Rev4", + "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).", + "value": "NISTRev4" + }, + { + "label": "NIST SP 800-53 Rev5", + "description": "The US National Institute of Standards and 
Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).", + "value": "NISTRev5" + }, + { + "label": "DoD IL5", + "description": "The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). These policies are only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.", + "value": "IL5" + }, + { + "label": "CMMC", + "description": "The Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the US Department of Defense (DoD) that requires formal third-party audits of defense industrial base (DIB) contractor cybersecurity practices.", + "value": "CMMC" } ] }, - "visible": "[steps('compliance').defenderSection.deployDefender]" + "visible": "[steps('compliance').policySection.deployPolicy]" } ] }, { "name": "sentinelSection", - "label": "Enable Azure Sentinel", + "label": "Enable Microsoft Sentinel", "type": "Microsoft.Common.Section", "elements": [ { "name": "sentinelSectionDetailsText", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Mission Landing Zone can activate Azure Sentinel for the Log Analytics Workspace it deploys." + "text": "MLZ can deploy Microsoft Sentinel to the Log Analytics Workspace, for its Security information and event management (SIEM) and Security orchestration, automation, and response (SOAR).", + "link": { + "label": "Learn more about Microsoft Sentinel", + "uri": "https://learn.microsoft.com/en-us/azure/sentinel/overview" + } } }, { "name": "sentinelOptionalDetailsText", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Enabling Azure Sentinel is optional, but recommended." 
+ "text": "Please note further configuration of Sentinel is required to take advantage of threat detection, log retention and response capabilities." } }, { "name": "deploySentinel", "type": "Microsoft.Common.CheckBox", - "label": "Enable Azure Sentinel?", - "toolTip": "Check here to enable Azure Sentinel Center for the Log Analytics Workspace Mission Landing Zone deploys.", + "label": "Enable Microsoft Sentinel?", + "toolTip": "Check here to enable Microsoft Sentinel for your landing zone.", "constraints": { "required": false } @@ -1053,7 +1166,8 @@ "subscriptionId": "[steps('basics').hubSection.hubSubscriptionId]", "parameters": { "bastionHostSubnetAddressPrefix": "[steps('remoteAccess').azureBastionSubnetSection.bastionSubnetAddressCidrRange]", - "deployDefender": "[steps('compliance').defenderSection.deployDefender]", + "defenderSkuTier": "[if(steps('compliance').defenderSection.deployDefender, 'Standard', 'Free')]", + "deployDefenderPlans": "[steps('compliance').defenderSection.deployDefenderPlans]", "deployIdentity": "[steps('basics').identitySection.deployIdentity]", "deployNetworkWatcher": "[empty(filter(steps('networking').networkWatchersApi.value, (item) => equals(item.location, steps('basics').locationSection.location.name)))]", "deployPolicy": "[steps('compliance').policySection.deployPolicy]", diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index bf7ee22cc..2250ff126 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
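Review bot: The new TextBlock element is named `"name": "Security and Compliance"` with spaces, which breaks the camelCase identifier convention every other element in this form follows (`CSPMTextBox` and `Checkavailability` also stray from it); `"name": "securityAndComplianceTextBlock"` would keep the names uniform. If I recall the DropDown contract correctly, `defaultValue` is matched against an item's `label` rather than its `value`, so `"defaultValue": "VirtualMachines"` on `deployDefenderPlans` would not preselect "Defender for Servers" — worth confirming against the CreateUiDefinition docs, since the pre-existing `policy` dropdown has the same mismatch. Several user-facing strings in the new text carry typos that will show in the portal: "activiating", "in the in Azure", "Resource Mnagement" and "deployment-montioring". The hunk sits inside a larger `elements` array whose start and end are outside this view.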
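Review bot: The new `deployDefenderPlans` output is sent unconditionally, so when the `deployDefender` checkbox is left unchecked the hidden dropdown's default (presumably `VirtualMachines`) still reaches the template together with `defenderSkuTier` = `'Free'`, and because `mlz.bicep` now defaults `deployDefender` to `true` the `defenderPricing` loop in `modules/defenderForCloud.bicep` writes `pricingTier: 'Free'` to the Defender for Servers plan on every target subscription. On a subscription where that plan is already Standard this is a silent downgrade of protection; the InfoBox text in the first hunk documents the hazard rather than preventing it. If unchecking is meant to leave existing plans untouched, the output can pass an empty list instead: `"deployDefenderPlans": "[if(steps('compliance').defenderSection.deployDefender, steps('compliance').defenderSection.deployDefenderPlans, parse('[]'))]"` (assuming `parse` is available here to build the empty array). The same default-driven downgrade applies to the `defenderSkuTier = 'Free'` and `deployDefenderPlans = ['VirtualMachines']` defaults added in `mlz.bicep` when the template is deployed without the portal.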
@@ -415,21 +415,43 @@ param deployPolicy bool = false @description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.') param policy string = 'NISTRev4' -// MICROSOFT DEFENDER PARAMETERS +// MICROSOFT DEFENDER FOR CLOUD PARAMETERS @description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".') -param deployDefender bool = false +param deployDefender bool = true @allowed([ 'Standard' 'Free' ]) -@description('[Standard/Free] The SKU for Defender. It defaults to "Standard".') -param defenderSkuTier string = 'Standard' +@description('[Standard/Free] The SKU for Defender. It defaults to "Free".') +param defenderSkuTier string = 'Free' @description('Email address of the contact, in the form of john@doe.com') param emailSecurityContact string = '' +//Allowed Values for paid workload protection Plans. +//Even if the customer wants the free tier, we must specify a plan from this list. This is why we specify VirtualMachines as a default value. +@allowed([ + 'Api' + 'AppServices' + 'Arm' + 'CloudPosture' + //'ContainerRegistry' (deprecated) + 'Containers' + 'CosmosDbs' + //'Dns' (deprecated) + 'KeyVaults' + //'KubernetesService' (deprecated) + 'OpenSourceRelationalDatabases' + 'SqlServers' + 'SqlServerVirtualMachines' + 'StorageAccounts' + 'VirtualMachines' +]) +@description('Paid Workload Protection plans for Defender for Cloud') +param deployDefenderPlans array = ['VirtualMachines'] + var calculatedTags = union(tags, defaultTags) var defaultTags = { resourcePrefix: resourcePrefix 
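Review bot: The `deployDefender` default flips to `true` but its `@description` still ends with 'It defaults to "false".', so the generated `mlz.json` and any parameter reference now state the opposite of the real default; change it to `@description('When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "true".')`. The `@allowed` list on `deployDefenderPlans` admits all twelve plans in every cloud even though the default bundle this commit removes from `modules/defenderForCloud.bicep` excluded `Api`, `AppServices`, `CloudPosture`, `CosmosDbs` and `KeyVaults` for AzureUSGovernment, so that constraint is worth recording: `@description('Paid workload protection plans for Defender for Cloud. Not every plan is available in AzureUSGovernment; check feature availability before selecting.')`. The leading comment's claim that a plan "must" be specified even for the free tier is an assertion about the pricings API that nothing in the code enforces — an empty list appears to be accepted and simply produces no pricing resources — so either the constraint should be validated or the comment softened.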
@@ -686,5 +708,6 @@ module defenderforClouds 'modules/defenderforClouds.bicep' = if (deployDefender) emailSecurityContact: emailSecurityContact logAnalyticsWorkspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceResourceId networks: logic.outputs.networks + defenderPlans: deployDefenderPlans } } diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 6ae441fa5..086452eec 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "17981620544276127215" + "templateHash": "8022445886483285415" } }, "parameters": { @@ -737,20 +737,20 @@ }, "deployDefender": { "type": "bool", - "defaultValue": false, + "defaultValue": true, "metadata": { "description": "When set to \"true\", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to \"false\"." } }, "defenderSkuTier": { "type": "string", - "defaultValue": "Standard", + "defaultValue": "Free", "allowedValues": [ "Standard", "Free" ], "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Free\"." } }, "emailSecurityContact": { @@ -759,6 +759,29 @@ "metadata": { "description": "Email address of the contact, in the form of john@doe.com" } + }, + "deployDefenderPlans": { + "type": "array", + "defaultValue": [ + "VirtualMachines" + ], + "allowedValues": [ + "Api", + "AppServices", + "Arm", + "CloudPosture", + "Containers", + "CosmosDbs", + "KeyVaults", + "OpenSourceRelationalDatabases", + "SqlServers", + "SqlServerVirtualMachines", + "StorageAccounts", + "VirtualMachines" + ], + "metadata": { + "description": "Paid Workload Protection plans for Defender for Cloud" + } } }, "variables": { 
@@ -8173,6 +8196,9 @@ }, "networks": { "value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('get-logic-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.networks.value]" + }, + "defenderPlans": { + "value": "[parameters('deployDefenderPlans')]" } }, "template": { @@ -8182,7 +8208,7 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "5518402211723114798" + "templateHash": "1713491053601057220" } }, "parameters": { @@ -8200,6 +8226,12 @@ }, "networks": { "type": "array" + }, + "defenderPlans": { + "type": "array", + "defaultValue": [ + "VirtualMachines" + ] } }, "resources": [ @@ -8228,6 +8260,9 @@ }, "defenderSkuTier": { "value": "[parameters('defenderSkuTier')]" + }, + "defenderPlans": { + "value": "[parameters('defenderPlans')]" } }, "template": { @@ -8237,13 +8272,18 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "3655671661053884718" + "templateHash": "7666181759292759353" } }, "parameters": { - "bundle": { + "defenderPlans": { "type": "array", - "defaultValue": "[if(equals(environment().name, 'AzureCloud'), createArray('Api', 'AppServices', 'Arm', 'CloudPosture', 'Containers', 'CosmosDbs', 'KeyVaults', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), if(equals(environment().name, 'AzureUSGovernment'), createArray('Arm', 'Containers', 'OpenSourceRelationalDatabases', 'SqlServers', 'SqlServerVirtualMachines', 'StorageAccounts', 'VirtualMachines'), createArray()))]" + "defaultValue": [ + "VirtualMachines" + ], + "metadata": { + "description": "Defender Paid protection Plans. Even if a customer selects the free sku, at least 1 paid protection plan must be specified." + } }, "enableAutoProvisioning": { "type": "bool", 
@@ -8273,9 +8313,9 @@ }, "defenderSkuTier": { "type": "string", - "defaultValue": "Standard", + "defaultValue": "Free", "metadata": { - "description": "[Standard/Free] The SKU for Defender. It defaults to \"Standard\"." + "description": "[Standard/Free] The SKU for Defender. It defaults to \"Free\"." } } }, @@ -8286,13 +8326,14 @@ { "copy": { "name": "defenderPricing", - "count": "[length(parameters('bundle'))]", + "count": "[length(parameters('defenderPlans'))]", "mode": "serial", "batchSize": 1 }, + "condition": "[not(empty(parameters('defenderPlans')))]", "type": "Microsoft.Security/pricings", "apiVersion": "2023-01-01", - "name": "[parameters('bundle')[copyIndex()]]", + "name": "[parameters('defenderPlans')[copyIndex()]]", "properties": { "pricingTier": "[parameters('defenderSkuTier')]" } diff --git a/src/bicep/modules/defenderForCloud.bicep b/src/bicep/modules/defenderForCloud.bicep index 0bff8d024..17509fae2 100644 --- a/src/bicep/modules/defenderForCloud.bicep +++ b/src/bicep/modules/defenderForCloud.bicep 
@@ -5,34 +5,8 @@ Licensed under the MIT License. targetScope = 'subscription' -param bundle array = (environment().name == 'AzureCloud') ? [ - 'Api' - 'AppServices' - 'Arm' - 'CloudPosture' - //'ContainerRegistry' (deprecated) - 'Containers' - 'CosmosDbs' - //'Dns' (deprecated) - 'KeyVaults' - //'KubernetesService' (deprecated) - 'OpenSourceRelationalDatabases' - 'SqlServers' - 'SqlServerVirtualMachines' - 'StorageAccounts' - 'VirtualMachines' -] : (environment().name == 'AzureUSGovernment') ? [ - 'Arm' - //'ContainerRegistry' (deprecated) - 'Containers' - //'Dns' (deprecated) - //'KubernetesService' (deprecated) - 'OpenSourceRelationalDatabases' - 'SqlServers' - 'SqlServerVirtualMachines' - 'StorageAccounts' - 'VirtualMachines' -] : [] +@description('Defender Paid protection Plans. Even if a customer selects the free sku, at least 1 paid protection plan must be specified.') +param defenderPlans array = ['VirtualMachines'] @description('Turn automatic deployment by Defender of the MMA (OMS VM extension) on or off') param enableAutoProvisioning bool = true 
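Review bot: Dropping the environment-aware default removes the only place that knew AzureUSGovernment lacks `Api`, `AppServices`, `CloudPosture`, `CosmosDbs` and `KeyVaults` (the set the old Gov branch omitted); the module now creates a `Microsoft.Security/pricings` resource for whatever the caller passes, so a Gov deployment that selects one of those presumably fails at deployment time with no earlier validation. A small filter keeps that knowledge in the module without changing its interface: `var govUnsupportedPlans = ['Api', 'AppServices', 'CloudPosture', 'CosmosDbs', 'KeyVaults']` and `var effectivePlans = environment().name == 'AzureUSGovernment' ? filter(defenderPlans, plan => !contains(govUnsupportedPlans, plan)) : defenderPlans`, with the `defenderPricing` loop iterating `effectivePlans`. The `@description` could also say what the elements are: `@description('Defender for Cloud plan names to set via Microsoft.Security/pricings; see deployDefenderPlans in mlz.bicep for the allowed values.')`.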
@@ -47,12 +21,12 @@ param emailSecurityContact string @description('Policy Initiative description field') param policySetDescription string = 'The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender.' -@description('[Standard/Free] The SKU for Defender. It defaults to "Standard".') -param defenderSkuTier string = 'Standard' +@description('[Standard/Free] The SKU for Defender. It defaults to "Free".') +param defenderSkuTier string = 'Free' -// defender +// defender for cloud turn on for both free and standard sku @batchSize(1) -resource defenderPricing 'Microsoft.Security/pricings@2023-01-01' = [for name in bundle: { +resource defenderPricing 'Microsoft.Security/pricings@2023-01-01' = [for name in defenderPlans: if (!empty(defenderPlans)) { name: name properties: { pricingTier: defenderSkuTier diff --git a/src/bicep/modules/defenderforClouds.bicep b/src/bicep/modules/defenderforClouds.bicep index acdced871..c7af49751 100644 --- a/src/bicep/modules/defenderforClouds.bicep +++ b/src/bicep/modules/defenderforClouds.bicep @@ -5,6 +5,7 @@ param deploymentNameSuffix string param emailSecurityContact string param logAnalyticsWorkspaceResourceId string param networks array +param defenderPlans array = ['VirtualMachines'] module defenderForCloud 'defenderForCloud.bicep' = [for network in networks: if (network.deployUniqueResources) { name: 'set-defender-${network.name}-${deploymentNameSuffix}' 
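Review bot: The `if (!empty(defenderPlans))` guard on the `defenderPricing` loop is redundant — iterating an empty array already yields no resources — and it survives into the compiled template as a per-copy `condition`; `resource defenderPricing 'Microsoft.Security/pricings@2023-01-01' = [for name in defenderPlans: {` is equivalent. The comment `// defender for cloud turn on for both free and standard sku` understates what the loop does when `defenderSkuTier` is `'Free'`: each listed plan is explicitly set to the Free tier, which turns the plan off if it was Standard before; `// Sets the pricing tier of every listed plan; with defenderSkuTier = 'Free' this disables the plan, including one that was previously Standard` says that. The loop body continues past the end of the hunk.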
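Review bot: `param defenderPlans array = ['VirtualMachines']` repeats a default that `mlz.bicep` and `modules/defenderForCloud.bicep` now also carry, and the three copies can drift; since `mlz.bicep` always passes `defenderPlans` to this module (its `@@ -686` hunk), making it required here — `param defenderPlans array` — leaves a single source of truth for the default. Like the neighbouring params this one has no `@description`; `@description('Defender for Cloud plan names forwarded to each per-network defenderForCloud module')` would document it.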
@@ -13,5 +14,6 @@ module defenderForCloud 'defenderForCloud.bicep' = [for network in networks: if logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId emailSecurityContact: emailSecurityContact defenderSkuTier: defenderSkuTier + defenderPlans: defenderPlans } }]