Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Use notScopes with alzDefaults not working #772

Closed msundman78 closed 2 months ago

msundman78 commented 2 months ago

Let us know the feedback or general question

I wanted to exclude a MgmtGroup using notScopes in the Deploy-ASC-Monitoring alzDefault Policy module by editing:

_infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ascmonitoring.tmpl.json

{
  "name": "Deploy-ASC-Monitoring",
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
    "description": "Enable Monitoring in Microsoft Defender for Cloud.",
    "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
    "notScopes": ["/providers/Microsoft.Management/managementGroups/led-sandbox"],
    "parameters": {},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "scope": null,
    "enforcementMode": "Default"
  },
  "location": null,
  "identity": {
    "type": "None"
  }
}

However, the notScopes property is passed on to the modPolicyAssignmentIntRootDeployAscMonitoring module in alzDefaultPolicyAssignments.bicep, so I had to also add this line to get it working:

parPolicyAssignmentNotScopes: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.notScopes

// Module - Policy Assignment - Deploy-ASC-Monitoring
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
  scope: managementGroup(varManagementGroupIds.intRoot)
  name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring
  params: {
    parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId
    parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name
    parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName
    parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description
    parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters
    parPolicyAssignmentNotScopes: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.notScopes
    parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type
    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode
    parTelemetryOptOut: parTelemetryOptOut
  }
}

Shouldn't this parameter always be passed along to all Policy Assignment modules used by alzDefaults so we only have to edit the parameter files for the policy?

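As an added example, not code from this issue or from the ALZ-Bicep project, the script below checks the two things that went wrong in the report above: that every entry in the lib template's notScopes is a full ARM scope ID (a bare management group name such as led-sandbox is a common mistake and would silently exclude nothing), and that the module block in alzDefaultPolicyAssignments.bicep for that assignment actually forwards parPolicyAssignmentNotScopes. An exclusion that is present in the JSON but never forwarded has no effect on the deployed assignment, so the audit reports whether the exclusion is effective end to end. Both inputs are constructed inline: the lib template is shaped like the one quoted above, and the Bicep excerpt contains two module blocks, the real-looking modPolicyAssignmentIntRootDeployAscMonitoring with the forwarding line and a made-up modPolicyAssignmentIntRootExampleOther without it.

```python
"""Audit an ALZ-style policy assignment: are the notScopes in the lib JSON
well-formed ARM scope IDs, and does the Bicep module block forward them?"""
import json
import re

# Constructed sample shaped like the lib template quoted in the issue
# (not the repository file itself).
LIB_TEMPLATE = json.dumps({
    "name": "Deploy-ASC-Monitoring",
    "type": "Microsoft.Authorization/policyAssignments",
    "apiVersion": "2019-09-01",
    "properties": {
        "description": "Enable Monitoring in Microsoft Defender for Cloud.",
        "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
        "notScopes": ["/providers/Microsoft.Management/managementGroups/led-sandbox"],
        "parameters": {},
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "scope": None,
        "enforcementMode": "Default",
    },
    "location": None,
    "identity": {"type": "None"},
})

# Constructed Bicep excerpt. The first module forwards notScopes, the second
# (a hypothetical name, not a real ALZ-Bicep module) does not.
BICEP_EXCERPT = """
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
  scope: managementGroup(varManagementGroupIds.intRoot)
  params: {
    parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name
    parPolicyAssignmentNotScopes: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.notScopes
  }
}

module modPolicyAssignmentIntRootExampleOther '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
  scope: managementGroup(varManagementGroupIds.intRoot)
  params: {
    parPolicyAssignmentName: varPolicyAssignmentExampleOther.libDefinition.name
  }
}
"""

GUID = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Scope IDs Azure Policy accepts in notScopes: management group, subscription,
# resource group, or a resource underneath a resource group.
SCOPE_PATTERNS = [
    re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I),
    re.compile(r"^/subscriptions/" + GUID + r"(/resourceGroups/[^/]+(/providers/.+)?)?$", re.I),
]


def load_not_scopes(template_text):
    """Return the notScopes array from a lib template (empty list if absent)."""
    tmpl = json.loads(template_text)
    scopes = tmpl.get("properties", {}).get("notScopes", [])
    if not isinstance(scopes, list):
        raise ValueError("notScopes must be a JSON array of scope IDs")
    return scopes


def invalid_not_scopes(not_scopes):
    """Entries that are not full ARM scope IDs, e.g. a bare management group name."""
    return [s for s in not_scopes if not any(p.match(s) for p in SCOPE_PATTERNS)]


def module_body(bicep_text, module_name):
    """Return the brace-delimited body of `module <module_name> ...` by brace counting."""
    m = re.search(r"^module\s+" + re.escape(module_name) + r"\b", bicep_text, re.M)
    if not m:
        return None
    start = bicep_text.index("{", m.end())  # first '{' after the name opens the body
    depth = 0
    for i in range(start, len(bicep_text)):
        if bicep_text[i] == "{":
            depth += 1
        elif bicep_text[i] == "}":
            depth -= 1
            if depth == 0:
                return bicep_text[start:i + 1]
    return None


def forwards_not_scopes(bicep_text, module_name):
    """True if the module's params block sets parPolicyAssignmentNotScopes."""
    body = module_body(bicep_text, module_name)
    if body is None:
        raise ValueError(f"module {module_name} not found")
    return re.search(r"^\s*parPolicyAssignmentNotScopes\s*:", body, re.M) is not None


def audit(template_text, bicep_text, module_name):
    """Combine both checks; 'effective' is True only if the exclusion will really apply."""
    scopes = load_not_scopes(template_text)
    bad = invalid_not_scopes(scopes)
    forwarded = forwards_not_scopes(bicep_text, module_name)
    return {
        "not_scopes": scopes,
        "invalid": bad,
        "forwarded": forwarded,
        "effective": bool(scopes) and not bad and forwarded,
    }


if __name__ == "__main__":
    for name in ("modPolicyAssignmentIntRootDeployAscMonitoring",
                 "modPolicyAssignmentIntRootExampleOther"):
        print(name, audit(LIB_TEMPLATE, BICEP_EXCERPT, name))
```

Run it against the real lib template and alzDefaultPolicyAssignments.bicep by reading those files instead of the inline samples; a result of forwarded: False is exactly the situation described in the issue, where the JSON edit alone does not change what is deployed.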

oZakari commented 2 months ago

Hey @msundman78, I appreciate you bringing this up. However, as alzDefaultPolicyAssignments is our opinionated approach for handling policy for the ALZ architecture and is in alignment with the Enterprise-Scale repo in terms of the assignment scopes, I think we will these out for this particular module at this point in time.