Enabling Defender for Cloud using Bicep
In this blog post I show you how to enable Defender for Cloud using Bicep.
Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is Microsoft's cloud security posture management and workload protection service; it covers Azure resources and workloads running in Azure, on-premises, or in other clouds.
As always I make use of the GitHub repository https://github.com/Azure/ResourceModules/ (the Common Azure Resource Modules Library, CARML), which holds hundreds of already written Bicep modules that I can reuse very quickly.
I start by cloning the repository and lifting the files I need for the deployment. In this case I want the following folder: https://github.com/Azure/ResourceModules/tree/84fe9dfd578a22079b03bbdee3554b9ac51c2dc2/modules/Microsoft.Security/azureSecurityCenter
I store the files in a modules folder.
// Defender for Cloud details
// The template is deployed with 'az deployment sub create', and the azureSecurityCenter
// module itself targets the subscription, so the entry file must declare that scope.
targetScope = 'subscription'

// Defender for Cloud parameters (pricing tiers are 'Free' or 'Standard')
param defenderAutoProvision string = 'On'
param defenderAppServicesPricingTier string = 'Standard'
param defenderVirtualMachinesPricingTier string = 'Standard'
param defenderSqlServersPricingTier string = 'Standard'
param defenderStorageAccountsPricingTier string = 'Standard'
param defenderDnsPricingTier string = 'Standard'
param defenderArmPricingTier string = 'Standard'

// The Log Analytics workspace that receives the security data is deployed by a
// 'createLogWorkspace' module declared earlier in this file (not shown in this excerpt).
module enableDefenderForCloudOnSubscription 'modules/defenderForCloud.bicep' = {
  name: 'defenderForCloud'
  params: {
    scope: subscription().id
    workspaceId: createLogWorkspace.outputs.resourceID
    autoProvision: defenderAutoProvision
    virtualMachinesPricingTier: defenderVirtualMachinesPricingTier
    sqlServersPricingTier: defenderSqlServersPricingTier
    storageAccountsPricingTier: defenderStorageAccountsPricingTier
    appServicesPricingTier: defenderAppServicesPricingTier
    dnsPricingTier: defenderDnsPricingTier
    armPricingTier: defenderArmPricingTier
  }
}
To run this I use a very small PowerShell script that calls the Azure CLI and contains the following (the backticks are PowerShell line continuations, without them each line would be run as a separate command):

$deploymentID = (New-Guid).Guid
$location = 'westeurope'
# Subscription-scoped deployment; --confirm-with-what-if shows the planned changes
# and waits for confirmation before applying them. 'location' is a parameter of
# main-deployment-1.bicep used by the workspace module (not shown in the excerpt above).
az deployment sub create --name $deploymentID `
    --location $location --template-file ./main-deployment-1.bicep `
    --parameters location=$location --confirm-with-what-if `
    --output none
Running this enables Defender for Cloud with the tiers set above, and you can change the parameters as you like. Two things to keep in mind before running it against an existing subscription: the module deploys every pricing plan it knows about and its pricing-tier parameters default to Free, so a plan that is already enabled but not passed in here can be switched back to Free; and Standard tiers are billed, so read the what-if output for exactly those changes before you confirm.
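A post-deployment check, added here as an example rather than code from the original post: it reads the subscription's Defender plans back with the same Azure CLI the deployment script uses, compares them with the tiers set in main-deployment-1.bicep, and checks that auto-provisioning is On. It assumes you have run az login and selected the target subscription; the expected-tier table mirrors the defender*PricingTier parameters above and is the only thing you need to edit.

```powershell
# Added example (not from the original post): verify the Defender for Cloud plans
# set by main-deployment-1.bicep and the auto-provisioning setting after deployment.
# Assumes 'az login' has been run and the target subscription is selected.
# Exits with code 1 on any drift so the script can gate a pipeline.

# Expected tiers, mirroring the defender*PricingTier parameters in the template.
# The keys are the names of the Microsoft.Security/pricings resources the module creates.
$expected = @{
    'VirtualMachines' = 'Standard'
    'SqlServers'      = 'Standard'
    'StorageAccounts' = 'Standard'
    'AppServices'     = 'Standard'
    'Dns'             = 'Standard'
    'Arm'             = 'Standard'
}
$drift = @()

# Out-String joins the multi-line JSON before ConvertFrom-Json (required on Windows PowerShell 5.1).
$pricings = az security pricing list --output json | Out-String | ConvertFrom-Json
# The CLI returns { "value": [ ... ] }; fall back to a bare array in case the shape differs.
$plans = if ($null -ne $pricings.value) { $pricings.value } else { $pricings }

foreach ($name in $expected.Keys) {
    $plan = $plans | Where-Object { $_.name -eq $name }
    if ($null -eq $plan) {
        $drift += "${name}: not returned by 'az security pricing list'"
    }
    elseif ($plan.pricingTier -ne $expected[$name]) {
        $drift += "${name}: expected $($expected[$name]), found $($plan.pricingTier)"
    }
}

# Plans the template does not set are listed too, so you notice what is still Free.
$plans | Where-Object { $_.name -notin $expected.Keys -and $_.pricingTier -eq 'Free' } |
    ForEach-Object { Write-Host "Note: plan $($_.name) is Free (not set by the template)" }

# Auto-provisioning is a separate resource (Microsoft.Security/autoProvisioningSettings/default).
$auto = az security auto-provisioning-setting show --name default --output json | Out-String | ConvertFrom-Json
if ($auto.autoProvision -ne 'On') {
    $drift += "autoProvision: expected On, found $($auto.autoProvision)"
}

if ($drift.Count -gt 0) {
    Write-Host 'Defender for Cloud drift detected:' -ForegroundColor Red
    $drift | ForEach-Object { Write-Host "  $_" }
    exit 1
}
Write-Host 'Defender for Cloud plans and auto-provisioning match main-deployment-1.bicep.' -ForegroundColor Green
```

Run it straight after the deployment, and again on a schedule: a plan flipped back to Free in the portal is exactly the kind of silent change this catches, and the non-zero exit code makes it usable as a pipeline gate.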
If you have questions, reach out to me in the comments below or on Twitter.
Don’t forget to subscribe to my YouTube channel.