Use built-in policy for Cosmos DB for Defender Plan (#232)

* Use built-in policy for Cosmos DB for Defender Plan * Add branch config * Remove branch config
2022-04-01 22:49:44 -04:00 · 2022-04-01 22:49:44 -04:00 · 3ce2cf875b
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
+++ b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
@ -1,4 +0,0 @@
-{
- "name": "Configure Microsoft Defender for Cosmos DB to be enabled",
- "mode": "all"
-}
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
+++ b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
@ -1,26 +0,0 @@
-{
-    "pricingTier": {
-        "type": "string",
-        "metadata": {
-            "displayName": "Azure Defender pricing tier",
-            "description": "Azure Defender pricing tier"
-        },
-        "allowedValues": [
-            "Standard",
-            "Free"
-        ],
-        "defaultValue": "Standard"
-    },
-    "effect": {
-        "type": "string",
-        "metadata": {
-            "displayName": "Effect",
-            "description": "Enable or disable the execution of the policy"
-        },
-        "allowedValues": [
-            "DeployIfNotExists",
-            "Disabled"
-        ],
-        "defaultValue": "DeployIfNotExists"
-    }
-}
--- a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
+++ b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
@ -1,69 +0,0 @@
-{
- "if": {
-     "allOf": [
-         {
-             "field": "type",
-             "equals": "Microsoft.Resources/subscriptions"
-         }
-     ]
- },
- "then": {
-     "effect": "[parameters('effect')]",
-     "details": {
-         "type": "Microsoft.Security/pricings",
-         "name": "CosmosDbs",
-         "deploymentScope": "Subscription",
-         "existenceScope": "Subscription",
-         "roleDefinitionIds": [
-             "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
-         ],
-         "existenceCondition": {
-             "allOf": [
-                 {
-                     "field": "Microsoft.Security/pricings/pricingTier",
-                     "equals": "[parameters('pricingTier')]"
-                 },
-                 {
-                     "field": "type",
-                     "equals": "Microsoft.Security/pricings"
-                 }
-             ]
-         },
-         "deployment": {
-             "location": "canadacentral",
-             "properties": {
-                 "mode": "incremental",
-                 "parameters": {
-                     "pricingTier": {
-                         "value": "[parameters('pricingTier')]"
-                     }
-                 },
-                 "template": {
-                     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
-                     "contentVersion": "1.0.0.0",
-                     "parameters": {
-                         "pricingTier": {
-                             "type": "string",
-                             "metadata": {
-                                 "description": "Azure Defender pricing tier"
-                             }
-                         }
-                     },
-                     "variables": {},
-                     "resources": [
-                         {
-                             "type": "Microsoft.Security/pricings",
-                             "apiVersion": "2018-06-01",
-                             "name": "CosmosDbs",
-                             "properties": {
-                                 "pricingTier": "[parameters('pricingTier')]"
-                             }
-                         }
-                     ],
-                     "outputs": {}
-                 }
-             }
-         }
-     }
- }
-}
--- a/policy/custom/definitions/policyset/DefenderForCloud.bicep
+++ b/policy/custom/definitions/policyset/DefenderForCloud.bicep
@ -9,11 +9,6 @@

 targetScope = 'managementGroup'

-@description('Management Group scope for the policy definition.')
-param policyDefinitionManagementGroupId string
-
-var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
-
 resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = {
  name: 'custom-enable-azure-defender'
  properties: {
@ -173,8 +168,8 @@ resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-
        groupNames: [
          'EXTRA'
        ]
-        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'DefenderForCloud-Deploy-DefenderPlan-CosmosDB')
-        policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Cosmos DB to be enabled', ' ', '-'))
+        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542'
+        policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Azure Cosmos DB to be enabled', ' ', '-'))
        parameters: {}
      }
    ]
--- a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
+++ b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
@ -1,9 +1,5 @@
 {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "policyDefinitionManagementGroupId": {
-            "value": "{{var-topLevelManagementGroupName}}"
-        }
-    }
+    "parameters": {}
 }