Support Defender Plan for Cosmos DB (Azure#200)

Add CosmosDB Defender Plan and custom policy to deploy Defender Plan for Cosmos DB

Author: SenthuranSivananthan

azresources/security-center/asc.bicep

@@ -50,6 +50,7 @@ var azureDefenderServices = [
   'Arm'
   'AppServices'
   'Containers'
+  'CosmosDbs'
   'Dns'
   'KeyVaults'
   'OpenSourceRelationalDatabases'

policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json

@@ -0,0 +1,4 @@
+{
+ "name": "Configure Microsoft Defender for Cosmos DB to be enabled",
+ "mode": "all"
+}

policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json

@@ -0,0 +1,26 @@
+{
+    "pricingTier": {
+        "type": "string",
+        "metadata": {
+            "displayName": "Azure Defender pricing tier",
+            "description": "Azure Defender pricing tier"
+        },
+        "allowedValues": [
+            "Standard",
+            "Free"
+        ],
+        "defaultValue": "Standard"
+    },
+    "effect": {
+        "type": "string",
+        "metadata": {
+            "displayName": "Effect",
+            "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+            "DeployIfNotExists",
+            "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+    }
+}

policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json

@@ -0,0 +1,69 @@
+{
+ "if": {
+     "allOf": [
+         {
+             "field": "type",
+             "equals": "Microsoft.Resources/subscriptions"
+         }
+     ]
+ },
+ "then": {
+     "effect": "[parameters('effect')]",
+     "details": {
+         "type": "Microsoft.Security/pricings",
+         "name": "CosmosDbs",
+         "deploymentScope": "Subscription",
+         "existenceScope": "Subscription",
+         "roleDefinitionIds": [
+             "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
+         ],
+         "existenceCondition": {
+             "allOf": [
+                 {
+                     "field": "Microsoft.Security/pricings/pricingTier",
+                     "equals": "[parameters('pricingTier')]"
+                 },
+                 {
+                     "field": "type",
+                     "equals": "Microsoft.Security/pricings"
+                 }
+             ]
+         },
+         "deployment": {
+             "location": "canadacentral",
+             "properties": {
+                 "mode": "incremental",
+                 "parameters": {
+                     "pricingTier": {
+                         "value": "[parameters('pricingTier')]"
+                     }
+                 },
+                 "template": {
+                     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                     "contentVersion": "1.0.0.0",
+                     "parameters": {
+                         "pricingTier": {
+                             "type": "string",
+                             "metadata": {
+                                 "description": "Azure Defender pricing tier"
+                             }
+                         }
+                     },
+                     "variables": {},
+                     "resources": [
+                         {
+                             "type": "Microsoft.Security/pricings",
+                             "apiVersion": "2018-06-01",
+                             "name": "CosmosDbs",
+                             "properties": {
+                                 "pricingTier": "[parameters('pricingTier')]"
+                             }
+                         }
+                     ],
+                     "outputs": {}
+                 }
+             }
+         }
+     }
+ }
+}

policy/custom/definitions/policyset/DefenderForCloud.bicep

@@ -9,6 +9,11 @@
 
 targetScope = 'managementGroup'
 
+@description('Management Group scope for the policy definition.')
+param policyDefinitionManagementGroupId string
+
+var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
+
 resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = {
   name: 'custom-enable-azure-defender'
   properties: {
@@ -164,6 +169,14 @@ resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-
         policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Containers to be enabled', ' ', '-'))
         parameters: {}
       }
+      {
+        groupNames: [
+          'EXTRA'
+        ]
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'DefenderForCloud-Deploy-DefenderPlan-CosmosDB')
+        policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Cosmos DB to be enabled', ' ', '-'))
+        parameters: {}
+      }
     ]
   }
 }

policy/custom/definitions/policyset/DefenderForCloud.parameters.json

@@ -1,5 +1,9 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
     "contentVersion": "1.0.0.0",
-    "parameters": {}
+    "parameters": {
+        "policyDefinitionManagementGroupId": {
+            "value": "{{var-topLevelManagementGroupName}}"
+        }
+    }
 }