Skip to content

Instantly share code, notes, and snippets.

@hisashiyamaguchi

hisashiyamaguchi/orcaARMTemplate.json

Created December 4, 2022 20:59
Show Gist options
  • Save hisashiyamaguchi/e0a3d041d78a1baf74aa5042712431e4 to your computer and use it in GitHub Desktop.
Save hisashiyamaguchi/e0a3d041d78a1baf74aa5042712431e4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
orcaARMTemplate.json
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"subscriptionsToOnboard": {
"type": "array",
"defaultValue": [
"5a7e9c2f-cc2f-4c79-a44f-79add00ec7d4"
],
"metadata": {
"description": "A list of subscription Ids (GUID format)."
}
},
"managementGroupsToOnboard": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "A list of management groups Ids to onboard."
}
},
"mode": {
"type": "string",
"defaultValue": "SaaS",
"allowedValues": [
"SaaS",
"Orca Pod"
],
"metadata": {
"description": "The onboarding mode. Select 'Orca Pod' to run the Side-scanners in the scanned subscriptions."
}
},
"extraTags": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "Extra tags to apply to every (taggable) resource that is provisioned by the template."
}
}
},
"variables": {
"inAccount": "[equals(parameters('mode'), 'Orca Pod')]",
"subscriptionsToOnboard": "[parameters('subscriptionsToOnboard')]",
"mspOfferName": "OrcaSecurity",
"mspOfferDescription": "Orca Security Service",
"orcaVendorTenantId": "489ba1d3-8ff5-4ba3-b331-3290f66b686b",
"orcaAppPrincipalId": "c53a842e-1568-4da4-9438-fda5837d5b5b",
"orcaAppPrincipalIdAtCustomer": "a3c7d925-737b-42b0-b081-8e6745047df1",
"orcaAppDisplayName": "Orca",
"orcaAppRoleIds": [
"acdd72a7-3385-48ef-bd42-f606fba81ae7",
"3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"91c1777a-f3dc-4fae-b103-61d183457e46",
"4abbcc35-e782-43d8-92c5-2d3f1bd2253f"
],
"orcaAppDedicatedRgRoleIds": [
"b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"orcaUserPrincipalId": "",
"orcaUserDisplayName": "Orca Admin",
"orcaUserRoleIds": "[variables('orcaAppRoleIds')]",
"orcaUserDedicatedRgRoleIds": "[variables('orcaAppDedicatedRgRoleIds')]",
"dedicatedRgName": "",
"usedDedicatedRgName": "[if(equals(variables('dedicatedRgName'), ''), 'Orca-Security-Not-Created', variables('dedicatedRgName'))]",
"createDedicatedRg": "[not(equals(variables('dedicatedRgName'), ''))]",
"setKeyVaultContributorPermissions": true,
"allowReadAccessKeyVaultKeySecret": false,
"copy": [
{
"name": "appSubscriptionAuthorizations",
"count": "[length(variables('orcaAppRoleIds'))]",
"input": {
"principalId": "[variables('orcaAppPrincipalId')]",
"roleDefinitionId": "[variables('orcaAppRoleIds')[copyIndex('appSubscriptionAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaAppDisplayName')]"
}
},
{
"name": "userSubscriptionAuthorizations",
"count": "[if(equals(variables('orcaUserPrincipalId'), ''), 0, length(variables('orcaUserRoleIds')))]",
"input": {
"principalId": "[variables('orcaUserPrincipalId')]",
"roleDefinitionId": "[variables('orcaUserRoleIds')[copyIndex('userSubscriptionAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaUserDisplayName')]"
}
},
{
"name": "appDedicatedRgAuthorizations",
"count": "[length(variables('orcaAppDedicatedRgRoleIds'))]",
"input": {
"principalId": "[variables('orcaAppPrincipalId')]",
"roleDefinitionId": "[variables('orcaAppDedicatedRgRoleIds')[copyIndex('appDedicatedRgAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaAppDisplayName')]"
}
},
{
"name": "userDedicatedRgAuthorizations",
"count": "[if(equals(variables('orcaUserPrincipalId'), ''), 0, length(variables('orcaUserDedicatedRgRoleIds')))]",
"input": {
"principalId": "[variables('orcaUserPrincipalId')]",
"roleDefinitionId": "[variables('orcaUserDedicatedRgRoleIds')[copyIndex('userDedicatedRgAuthorizations')]]",
"principalIdDisplayName": "[variables('orcaUserDisplayName')]"
}
}
],
"keyVaultContributorAuthorization": [
{
"principalId": "[variables('orcaAppPrincipalId')]",
"roleDefinitionId": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"principalIdDisplayName": "[variables('orcaAppDisplayName')]"
}
],
"conditionalKeyVaultContributorAuthorization": "[if(variables('setKeyVaultContributorPermissions'), variables('keyVaultContributorAuthorization'), createArray())]",
"subscriptionAuthorizations": "[concat(variables('appSubscriptionAuthorizations'), variables('userSubscriptionAuthorizations'), variables('conditionalKeyVaultContributorAuthorization'))]",
"dedicatedRgAuthorizations": "[concat(variables('appDedicatedRgAuthorizations'), variables('userDedicatedRgAuthorizations'))]",
"location": "[deployment().location]",
"innerTemplate": {
"$schema": "https://schema.management.azure.com/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"orcaSpId": {
"type": "string",
"metadata": {
"description": "The principal to assign the role to."
}
},
"roleDefName": {
"type": "string",
"metadata": {
"description": "Role definition name."
}
},
"dedicatedRgName": {
"type": "string",
"metadata": {
"description": "Name of the dedicated resource group. May not be empty, even if `createDedicatedRg` is false."
}
},
"extraTags": {
"type": "object",
"defaultValue": {},
"metadata": {
"description": "Additional tags to apply to all generate resources (that can be tagged)."
}
}
},
"variables": {
"ContributorRoleDefinitionId": "[[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[[parameters('dedicatedRgName')]",
"location": "[[deployment().location]",
"tags": "[[union(createObject('orca-role', 'dedicated-scanner-resource-group'), parameters('extraTags'))]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[[concat(substring(deployment().name, 17, min(10, length(deployment().name))), '-DedicatedRg-', deployment().location)]",
"resourceGroup": "[[parameters('dedicatedRgName')]",
"dependsOn": [
"[[parameters('dedicatedRgName')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[[guid(subscription().id, parameters('dedicatedRgName'), 'dedicated-resource-group')]",
"properties": {
"roleDefinitionId": "[[variables('ContributorRoleDefinitionId')]",
"principalId": "[[parameters('orcaSpId')]",
"principalType": "ServicePrincipal"
}
}
]
}
}
}
]
},
"hasManagementGroupsToOnboard": "[not(empty(parameters('managementGroupsToOnboard')))]",
"hasSubscriptionToOnboard": "[not(empty(parameters('subscriptionsToOnboard')))]",
"lighthouseOnboarding": false
},
"resources": [
{
"condition": "[and(variables('lighthouseOnboarding'), variables('hasSubscriptionToOnboard'), not(variables('inAccount')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('OrcaLH', '-', variables('subscriptionsToOnboard')[copyIndex()], '-', deployment().location)]",
"location": "[variables('location')]",
"copy": {
"name": "subscriptionIterator",
"count": "[length(variables('subscriptionsToOnboard'))]",
"mode": "Parallel"
},
"subscriptionId": "[variables('subscriptionsToOnboard')[copyIndex()]]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"mspOfferName": {
"value": "[variables('mspOfferName')]"
},
"mspOfferDescription": {
"value": "[variables('mspOfferDescription')]"
},
"orcaVendorTenantId": {
"value": "[variables('orcaVendorTenantId')]"
},
"subscriptionAuthorizations": {
"value": "[variables('subscriptionAuthorizations')]"
},
"dedicatedRgAuthorizations": {
"value": "[variables('dedicatedRgAuthorizations')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"createDedicatedRg": {
"value": "[variables('createDedicatedRg')]"
},
"location": {
"value": "[variables('location')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=lighthouse_subscription"
}
}
},
{
"condition": "[and(variables('hasManagementGroupsToOnboard'), not(variables('inAccount')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "orca-top-level-management-groups-onboarding",
"location": "[variables('location')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"keyVaultWritePermissions": {
"value": "[variables('setKeyVaultContributorPermissions')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"managementGroupsToOnboard": {
"value": "[parameters('managementGroupsToOnboard')]"
},
"innerTemplate": {
"value": "[variables('innerTemplate')]"
},
"createDedicatedRg": {
"value": "[variables('createDedicatedRg')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=mgmt_group"
}
}
},
{
"condition": "[and(variables('hasSubscriptionToOnboard'), not(variables('inAccount')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('Orca', '-', variables('subscriptionsToOnboard')[copyIndex()], '-', deployment().location)]",
"location": "[variables('location')]",
"copy": {
"name": "subscriptionIterator",
"count": "[length(variables('subscriptionsToOnboard'))]",
"mode": "Parallel"
},
"subscriptionId": "[variables('subscriptionsToOnboard')[copyIndex()]]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"keyVaultWritePermissions": {
"value": "[variables('setKeyVaultContributorPermissions')]"
},
"location": {
"value": "[variables('location')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"createDedicatedRg": {
"value": "[variables('createDedicatedRg')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=subscription"
}
}
},
{
"condition": "[and(variables('hasManagementGroupsToOnboard'), variables('inAccount'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "orca-top-level-management-groups-onboarding-inaccount",
"location": "[variables('location')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"managementGroupsToOnboard": {
"value": "[parameters('managementGroupsToOnboard')]"
},
"innerTemplate": {
"value": "[variables('innerTemplate')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=mgmt_group&inaccount=true"
}
}
},
{
"condition": "[and(variables('hasSubscriptionToOnboard'), variables('inAccount'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[concat('OrcaIA', '-', variables('subscriptionsToOnboard')[copyIndex()], '-', deployment().location)]",
"location": "[variables('location')]",
"copy": {
"name": "subscriptionIterator",
"count": "[length(variables('subscriptionsToOnboard'))]",
"mode": "Parallel"
},
"subscriptionId": "[variables('subscriptionsToOnboard')[copyIndex()]]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"orcaSpId": {
"value": "[variables('orcaAppPrincipalIdAtCustomer')]"
},
"allowReadAccessKeyVaultKeySecret": {
"value": "[variables('allowReadAccessKeyVaultKeySecret')]"
},
"keyVaultAutoUpdate": {
"value": "[variables('setKeyVaultContributorPermissions')]"
},
"dedicatedRgName": {
"value": "[variables('usedDedicatedRgName')]"
},
"extraTags": {
"value": "[parameters('extraTags')]"
}
},
"templateLink": {
"uri": "https://app.us.orcasecurity.io/api/onboarding/azure/template?type=inaccount"
}
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment