last sync: 2021-Jul-23 16:37:57 UTC

Azure Policy definition

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Name [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension
Azure Portal
Id 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e
Version 1.0.0-preview
details on versioning
Category Security Center
Microsoft docs
Description Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Used RBAC Role
Role Name Role Id
Virtual Machine Contributor 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-05-04 14:34:06 add 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e
Used in Initiatives none
JSON
{
  "properties": {
  "displayName": "[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "UbuntuServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "18_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "Canonical"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "0001-com-ubuntu-server-focal"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "20_04-lts-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "RedHat"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "RHEL"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "83-gen2"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "SUSE"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "SLES-15-SP2"
                  },
                  {
                    "field": "Microsoft.Compute/imageSku",
                    "like": "gen2"
                  }
                ]
              }
            ]
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled",
            "equals": "true"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher",
                "equals": "Microsoft.Azure.Security.LinuxAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type",
                "equals": "GuestAttestation"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmssName": {
                "value": "[field('name')]"
                },
                "location": {
                "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmssName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                  "extensionName": "GuestAttestation",
                  "extensionPublisher": "Microsoft.Azure.Security.LinuxAttestation",
                  "extensionVersion": "1.0",
                  "maaTenantName": "GuestAttestation",
                  "ascReportingEndpoint": "https://eus2.service.attest.azure.net/",
                  "maaEndpoint": "https://sharedeus2.eus2.attest.azure.net/"
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
                    "apiVersion": "2018-10-01",
                  "name": "[concat(parameters('vmssName'), '/', variables('extensionName'))]",
                  "location": "[parameters('location')]",
                    "properties": {
                    "publisher": "[variables('extensionPublisher')]",
                    "type": "[variables('extensionName')]",
                    "typeHandlerVersion": "[variables('extensionVersion')]",
                      "autoUpgradeMinorVersion": true,
                      "settings": {
                        "AttestationConfig": {
                          "MaaSettings": {
                          "maaEndpoint": "[variables('maaEndpoint')]",
                          "maaTenantName": "[variables('maaTenantName')]"
                          },
                          "AscSettings": {
                          "ascReportingEndpoint": "[variables('ascReportingEndpoint')]",
                            "ascReportingFrequency": ""
                          },
                          "useCustomToken": "false",
                          "disableAlerts": "false"
                        }
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e"
}