59 строки
2.3 KiB
Bicep
59 строки
2.3 KiB
Bicep
// ----------------------------------------------------------------------------------
|
|
// Copyright (c) Microsoft Corporation.
|
|
// Licensed under the MIT license.
|
|
//
|
|
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
|
|
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
|
|
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
// ----------------------------------------------------------------------------------
|
|
|
|
targetScope = 'managementGroup'
|
|
|
|
@description('Management Group Id for assignable scope.')
|
|
param assignableMgId string
|
|
|
|
var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
|
|
var roleName = 'Custom - Security Operations (SecOps)'
|
|
var roleDescription = 'Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.'
|
|
|
|
// Telemetry - Azure customer usage attribution
|
|
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
|
|
var telemetry = json(loadTextContent('../config/telemetry.json'))
|
|
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
|
|
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
|
|
}
|
|
|
|
// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
|
|
resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
|
|
name: guid(roleName)
|
|
scope: managementGroup()
|
|
properties: {
|
|
roleName: roleName
|
|
description: roleDescription
|
|
permissions: [
|
|
{
|
|
actions: [
|
|
'*/read'
|
|
'*/register/action'
|
|
'Microsoft.KeyVault/locations/deletedVaults/purge/action'
|
|
'Microsoft.PolicyInsights/*'
|
|
'Microsoft.Authorization/policyAssignments/*'
|
|
'Microsoft.Authorization/policyDefinitions/*'
|
|
'Microsoft.Authorization/policyExemptions/*'
|
|
'Microsoft.Authorization/policySetDefinitions/*'
|
|
'Microsoft.Insights/alertRules/*'
|
|
'Microsoft.Resources/deployments/*'
|
|
'Microsoft.Security/*'
|
|
'Microsoft.Support/*'
|
|
]
|
|
notActions: []
|
|
dataActions: []
|
|
notDataActions: []
|
|
}
|
|
]
|
|
assignableScopes: [
|
|
scope
|
|
]
|
|
}
|
|
}
|