diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json
new file mode 100644
index 00000000..29c5fad9
--- /dev/null
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json
@@ -0,0 +1,407 @@ +{ + "name": "7a38a53e-958c-50af-acca-fe2785e0cf7c", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machine Scale Set", + "mode": "Indexed", + "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machine Scale Set. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/516187d4-ef64-4a1b-ad6b-a7348502976c. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions (Microsoft.Authorization/locks/write + Microsoft.Resources/deployments/* + */read) to the Policy Managed Idenity on the cross subscription UAMI.", + "metadata": { + "version": "1.0.0", + "category": "Managed Identity" + }, + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Identity", + "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ] + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the pre-created user-assigned managed identity." 
+ }, + "defaultValue": "" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group Name", + "description": "The resource group in which the pre-created user-assigned managed identity resides." + }, + "defaultValue": "" + }, + "identitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription ID", + "description": "The Subscription id of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "builtInIdentityResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Built-In-Identity-RG Location", + "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false." + }, + "defaultValue": "eastus" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." 
+ }, + "allowedValues": [ + "AuditIfNotExists", + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": 
"[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + 
"deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } + } \ No newline at end of file diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json new file mode 100644 index 00000000..32a81b03 --- /dev/null +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json 
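Review bot: The existenceCondition near the top of this hunk builds the expected identity key from `parameters('identitySubscription')` untrimmed while the deployment's `precreatedUaId` variable trims all three inputs, so a subscription id carrying stray whitespace lets the deployment succeed but never satisfies the existence check, and the scale set stays non-compliant and is re-remediated on every evaluation; use `concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', …` in the existenceCondition as well (the same condition is duplicated in the azurepolicy.rules.json hunk). The `bringYourOwnUserAssignedManagedIdentity` description still says the pre-created identity "MUST exist within the subscription", which contradicts the cross-subscription purpose stated in the policy description and is repeated in the azurepolicy.parameters.json and virtual-machines hunks; reword it to `The pre-created identity MUST exist in the subscription given by 'User-Assigned Managed Identity Subscription ID', which must be set when this option is enabled` and fix "manualy"/"Idenity" in the policy description while there. `roleDefinitionIds` keeps the built-in's Contributor (b24988ac-…) and Managed Identity Operator (18d7d88d-…) grants, and because the description directs assignment at management-group scope the remediation identity ends up with Contributor on every child subscription, far more than the locks/write, deployments/* and */read the description itself lists as the cross-subscription requirement; a sentence in the description pointing assignees at a narrower custom role for the identity's subscription would make that blast radius visible. `identitySubscription` defaults to an empty string with no guard, so an assignment that enables bring-your-own but leaves it unset produces a `/subscriptions//resourceGroups/…` id; the empty default is acceptable but the parameter description should state that the value is mandatory in that mode.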
@@ -0,0 +1,58 @@
+{
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Bring Your Own User-Assigned Identity",
+ "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."
+ },
+ "allowedValues": [
+ true,
+ false
+ ]
+ },
+ "userAssignedIdentityName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Name",
+ "description": "The name of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "identityResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Resource Group Name",
+ "description": "The resource group in which the pre-created user-assigned managed identity resides."
+ },
+ "defaultValue": ""
+ },
+ "identitySubscription": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Subscription ID",
+ "description": "The Subscription id of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "builtInIdentityResourceGroupLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Built-In-Identity-RG Location",
+ "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false."
+ },
+ "defaultValue": "eastus"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json
new file mode 100644
index 00000000..cb8081ee
--- /dev/null
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json
@@ -0,0 +1,336 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + 
"identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', 
uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json new file mode 100644 index 00000000..961df3ef --- /dev/null +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json 
@@ -0,0 +1,407 @@ +{ + "name": "e2464615-862b-5b44-901b-df87360c25ee", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machines", + "mode": "Indexed", + "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machines. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/d367bd60-64ca-4364-98ea-276775bddd94. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions (Microsoft.Authorization/locks/write + Microsoft.Resources/deployments/* + */read) to the Policy Managed Idenity on the cross subscription UAMI.", + "metadata": { + "version": "1.0.0", + "category": "Managed Identity" + }, + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Identity", + "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ] + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group Name", + "description": "The resource group in which the pre-created user-assigned managed identity resides." 
+ }, + "defaultValue": "" + }, + "identitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription ID", + "description": "The Subscription id of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "builtInIdentityResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Built-In-Identity-RG Location", + "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false." + }, + "defaultValue": "eastus" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." + }, + "allowedValues": [ + "AuditIfNotExists", + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, 
'/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + 
"identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": 
"[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." + } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', 
parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": 
"[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } + } \ No newline at end of file diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json new file mode 100644 index 00000000..32a81b03 --- /dev/null 
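Review bot: The `containsKey` expression in `existenceCondition` builds the pre-created identity id with `parameters('identitySubscription')` untrimmed, while `precreatedUaId` in the deployment template uses `trim(parameters('identitySubscription'))`, so a subscription id entered with surrounding whitespace is assigned in trimmed form but never matches the existence check and the VM stays non-compliant and is re-remediated on every evaluation; `containsKey` should use `trim(parameters('identitySubscription'))` as well. Related: with `bringYourOwnUserAssignedManagedIdentity` true and `identitySubscription` left at its `""` default, the lock deployment is sent to `"subscriptionId": ""` and both ids become `/subscriptions//resourceGroups/...`, so the parameter should either have no default or the expressions should fall back to `subscription().subscriptionId` when it is empty. The parameter descriptions still say the identity "MUST exist within the subscription", which is the built-in wording and now contradicts the cross-subscription purpose; the policy description also misspells "manually" and "Identity". On least privilege, `roleDefinitionIds` grants Contributor and, if I read the second GUID correctly, User Access Administrator at the assignment scope, which is far broader than the locks/write, deployments/* and */read the description says the identity needs on the cross-subscription UAMI, so the rationale should be documented or the grant narrowed. The same expressions and text appear in the azurepolicy.rules.json and azurepolicy.parameters.json hunks below, and the VMSS definition whose hunk starts before this chunk appears identical.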
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json 
@@ -0,0 +1,58 @@
+{
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Bring Your Own User-Assigned Identity",
+ "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."
+ },
+ "allowedValues": [
+ true,
+ false
+ ]
+ },
+ "userAssignedIdentityName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Name",
+ "description": "The name of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "identityResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Resource Group Name",
+ "description": "The resource group in which the pre-created user-assigned managed identity resides."
+ },
+ "defaultValue": ""
+ },
+ "identitySubscription": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Subscription ID",
+ "description": "The Subscription id of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "builtInIdentityResourceGroupLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Built-In-Identity-RG Location",
+ "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false."
+ },
+ "defaultValue": "eastus"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json
new file mode 100644
index 00000000..adf780b0
--- /dev/null
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json
@@ -0,0 +1,336 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { 
+ "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + 
"deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json new file mode 100644 index 00000000..29bcd9aa --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json 
@@ -0,0 +1,584 @@ +{ + "name": "2bf130ac-424c-570d-aadf-3cd38fbf1157", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Linux virtual machines to run AMA with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/ae8a10e6-19d6-44a3-a02d-a2bdfc707742 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": 
"7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + "pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + 
{ + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + 
"in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": 
"[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..a2ec89dd --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json 
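Review bot: The existenceCondition near the end of the hunk treats any AzureMonitorLinuxAgent extension from Microsoft.Azure.Monitor in provisioningState Succeeded as compliant, so a VM whose agent was installed earlier with a system-assigned or a different user-assigned identity is reported compliant and never remediated to the cross-subscription UAMI this policy exists to enforce; the same condition is repeated in azurepolicy.rules.json. If no alias exposes the extension's settings.authentication block so that a condition on `identifier-value` can be added, the limitation should at least be stated in the policy description, e.g. `"Existing AzureMonitorLinuxAgent installations are treated as compliant regardless of which identity they authenticate with."`. While editing the description, 'manualy', 'Idenity' and the missing space in 'UAMI.Automate' should be corrected, and the example identity path in the bringYourOwnUserAssignedManagedIdentity description appears to have lost its subscription and location placeholders (possibly only in rendering).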
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
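Review bot: `userAssignedManagedIdentitySubscription`, `userAssignedManagedIdentityResourceGroup` and `userAssignedManagedIdentityName` all default to "" and are concatenated unchecked into the `mi_res_id` value when `bringYourOwnUserAssignedManagedIdentity` is true, so leaving any of them at its default deploys the agent with a malformed identity reference instead of failing the assignment; the same parameter block appears in this policy's azurepolicy.json and in the VMSS variant. Azure Policy parameters cannot express a pattern, so the description of each of these three should say they are mandatory in that mode and what format is expected, e.g. `"Required when 'Bring Your Own User-Assigned Managed Identity' is true. Supply the subscription id GUID only, not a resource path."`.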
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json new file mode 100644 index 00000000..3facdfeb --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json 
@@ -0,0 +1,447 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { 
+ "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + "pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": 
"incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file 
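Review bot: Nothing in the `if` block checks that the identity whose resource ID is written into `identifier-value` is attached to the VM; the rule filters only on type, location and image, so a VM that matched but never received the UAMI from the companion assignment policy gets an extension pointed at an identity it may not be able to use, and the existenceCondition reports it compliant once provisioning succeeds. The dependency on the 'Assign Cross Subscription User-Assigned Managed Identity' policy in the first file of this commit being assigned at the same scope is not recorded anywhere in this rules file. If no alias on the VM's identity block is available for an additional `if` condition, the dependency belongs in the policy description in azurepolicy.json, e.g. `"Requires the cross-subscription UAMI to already be assigned to the VM, for example by the 'Assign Cross Subscription User-Assigned Managed Identity' policy."`.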
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json new file mode 100644 index 00000000..0013afb6 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json 
@@ -0,0 +1,584 @@ +{ + "name": "8d6bad71-c21b-5e56-b083-b239434aa82e", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Linux virtual machine scale sets to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/59c3d93f-900b-4827-a8bd-562e7b956e7c with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Linux VMSS for collecting telemetry data from the guest OS.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": 
"Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + 
"pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + 
}, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": 
"[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "autoUpgradeMinorVersion": true, + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..cfc27a43 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json 
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
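Review bot: The three identity parameters (`userAssignedManagedIdentityName`, `userAssignedManagedIdentityResourceGroup`, `userAssignedManagedIdentitySubscription`) are free-form strings with `"defaultValue": ""` and no format hint, so a mistyped or empty subscription id is only discovered when the agent on the scale set fails to obtain a token, not at assignment time. Since the rule concatenates them into an ARM resource id, the subscription description should at least state the expected GUID form and that all three are required when `bringYourOwnUserAssignedManagedIdentity` is true, e.g. `"The subscription id (GUID) of the user-assigned managed identity; required when 'Bring Your Own User-Assigned Managed Identity' is true."`. If the matching rules file can be changed too, a single resource-id parameter with `"strongType": "Microsoft.ManagedIdentity/userAssignedIdentities"` would let the portal validate the identity exists instead of trusting the concatenation. The `/subscriptions//resourceGroups/built-in-identity-rg/.../built-in-identity-` text in the first description looks like it lost its `<subscriptionId>` and `<location>` placeholders; worth checking whether that is only this rendering or the committed file.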
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json
new file mode 100644
index 00000000..aeab0546
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json
@@ -0,0 +1,447 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": 
"Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + "pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": 
"Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": 
"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "autoUpgradeMinorVersion": true, + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, 
'/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
new file mode 100644
index 00000000..cbe5774f
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
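Review bot: The `existenceCondition` checks only the extension `type`, `publisher` and `provisioningState`, so a scale set that already runs `AzureMonitorLinuxAgent` with a system-assigned identity or some other user-assigned identity is reported compliant and is never re-pointed at the cross-subscription UAMI this assignment names. If an alias for the extension's `settings.authentication.managedIdentity` is available in your tenant, add a condition on its `identifier-value`; if not, say in the description that pre-existing agents are left with whatever identity they were installed with. Separately, when `bringYourOwnUserAssignedManagedIdentity` is true and any of the three identity parameters is left at its empty default, the `if()` expression at the end of the hunk yields an id such as `/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/` and nothing in the rule rejects it before the deployment writes it into the extension settings — presumably the agent then fails to authenticate rather than the remediation failing visibly. The rule also does not confirm the identity is actually assigned to the scale set; that is left to the companion Managed Identity policy and should be stated so the two are always assigned together.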
@@ -0,0 +1,435 @@ +{ + "name": "bdffab46-452d-5c4d-aacb-bdf9e45fd363", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Windows virtual machines to run AMA with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSku", + 
"like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + 
"Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', 
variables('extensionName'))]",
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "location": "[parameters('location')]",
+ "apiVersion": "2019-07-01",
+ "properties": {
+ "publisher": "[variables('extensionPublisher')]",
+ "type": "[variables('extensionType')]",
+ "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true,
+ "settings": {
+ "authentication": {
+ "managedIdentity": {
+ "identifier-name": "mi_res_id",
+ "identifier-value": "[parameters('userAssignedManagedIdentity')]"
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "userAssignedManagedIdentity": {
+ "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.parameters.json
new file mode 100644
index 00000000..21f84ce5
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.parameters.json
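Review bot: The `description` says that without a management-group assignment you must grant `*/read` on the cross-subscription UAMI to the policy's managed identity, but the deployment template only embeds that identity as a string in the extension `settings` (`identifier-value`) and never references it as a resource, so confirm whether the remediation actually exercises that permission — if it does not, the sentence leads operators to grant cross-subscription access that nothing needs. The same sentence has two typos, `manualy` → `manually` and `Idenity` → `Identity`. Because one identity is now shared by every matching VM across subscriptions and any of those VMs can obtain its tokens, the description should also caution that this UAMI must carry only the permissions the agent needs and nothing else. As in the built-in it is adapted from, the `existenceCondition` does not inspect which identity an already-installed `AzureMonitorWindowsAgent` uses, so a pre-existing extension bound to a different identity is reported compliant and left unchanged; stating that limitation in the description would avoid a false sense of coverage.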
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
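Review bot: `bringYourOwnUserAssignedManagedIdentity` has no `defaultValue` while the three identity parameters it gates default to `""`, so an assignment that sets it to `true` and forgets one of them is accepted and produces a malformed identity id in the matching rules file. The three descriptions should say they are required when the toggle is true, e.g. append `" Required when 'Bring Your Own User-Assigned Managed Identity' is true."` to each. The fallback described as `/subscriptions//resourceGroups/built-in-identity-rg/.../built-in-identity-` is not created by this policy; the description should name the companion Managed Identity policy that provisions it, and the missing `<subscriptionId>`/`<location>` placeholders should be restored if they were lost in the committed file rather than in this rendering.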
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.rules.json
new file mode 100644
index 00000000..490ae89f
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.rules.json
@@ -0,0 +1,298 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, 
+ { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": 
"Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', 
subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json new file mode 100644 index 00000000..0560a3fc --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json 
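Review bot: The existenceCondition in this hunk checks only the extension's type, publisher and provisioningState, so a virtual machine whose AzureMonitorWindowsAgent is already installed but authenticating with a different identity (or the built-in one) is reported compliant and is never reconfigured to the cross-subscription UAMI, and later drift back to another identity is not detected; the same three-condition check is repeated in the VMSS definition and in the VMSS rules file in this commit. If an alias exposing the extension `settings` is available for this resource type, a condition on the configured `identifier-value` would close that gap; otherwise the policy description should state that already-installed agents are not remediated. Separately, the `userAssignedManagedIdentity` value at the end of the hunk concatenates `userAssignedManagedIdentitySubscription`, `userAssignedManagedIdentityResourceGroup` and `userAssignedManagedIdentityName` without any check when `bringYourOwnUserAssignedManagedIdentity` is true, and all three default to `""`, so an assignment that sets the flag but omits one of them presumably yields a malformed id such as `/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/` that only fails at agent token time. Since policy parameters cannot be conditionally required, each of those three descriptions should say `Required when 'Bring Your Own User-Assigned Managed Identity' is true; the value is not validated and an empty value produces an invalid identity resource id.` The `false` branch also assumes `built-in-identity-rg/built-in-identity-<location>` already exists in the target subscription, which nothing in this rule verifies.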
@@ -0,0 +1,435 @@ +{ + "name": "6eef296d-6e58-5404-acb0-a102bd5f0ee6", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Windows VMSS to run AMA with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/98569e20-8f32-4f31-bf34-0e91590ae9d3 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + 
"field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" 
+ }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..01843422 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json 
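Review bot: `roleDefinitionIds` in the `then` block lists only `9980e02c-c2be-4d73-94e8-173b1dc7cf3c` (Virtual Machine Contributor), yet the description at the top of the hunk says `*/read` on the cross-subscription UAMI is required and that a management-group-level assignment removes the need to grant it manually; the roles granted to the assignment identity at assignment time are exactly the ones in `roleDefinitionIds`, so unless Virtual Machine Contributor already covers that read (I do not believe it does), the management-group claim does not hold. If the read is genuinely needed by the deployment, add the Reader definition `/providers/microsoft.authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7` to the list (and to the VMSS rules file, which repeats the same list); if it is not, drop that sentence from the description so operators do not hand out permissions the policy never uses. `bringYourOwnUserAssignedManagedIdentity` is the only parameter without a `defaultValue`, in both this file and the duplicated azurepolicy.parameters.json; if forcing an explicit choice at assignment is intended, a sentence in its description should say so. The description also has typos (`manualy`, `Idenity`, no space before `Automate`), and the example identity ids read `/subscriptions//resourceGroups/...` with the subscription and location placeholders missing — possibly stripped by rendering, but worth checking in the file itself.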
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json
new file mode 100644
index 00000000..0b13c745
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json
@@ -0,0 +1,298 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + 
"equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', 
parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file
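Review bot: The existenceCondition here evaluates the scale set model (`Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState` equals `Succeeded`) and the deployment likewise only updates the model; for a scale set with a manual upgrade policy, existing instances keep running without the agent until they are upgraded, so a compliant evaluation does not by itself mean telemetry is being collected from every instance — if I read the extension semantics correctly, the policy description should say so. The rule mixes `Microsoft.Compute/imageSku` and `Microsoft.Compute/imageSKU` for the same alias; matching is case-insensitive as far as I know, but one spelling throughout (the VMSS definition in this commit repeats both) would make the rule easier to audit. This file duplicates the `policyRule` embedded in azurepolicy.json for the same policy, so the two can drift apart silently; the commit should document which one is authoritative or derive one from the other.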