Merge pull request #23 from ndergal1/ndergal/fix/custom-role-for-indi…

…vidual-subscriptions Modify assignable scope of existing custom role cs-website-reader
CrowdStrike · Jan 21, 2025 · a43a2db · a43a2db
2 parents 3007562 + e35e06f
commit a43a2db
Show file tree

Hide file tree

Showing 9 changed files with 156 additions and 72 deletions.
diff --git a/README.md b/README.md
diff --git a/cs-deployment-managementGroup.bicep b/cs-deployment-managementGroup.bicep
@@ -43,7 +43,7 @@ param falconClientSecret string
   'US-2'
   'EU-1'
 ])
-param falconCloudRegion string = 'US-1'
+param falconCloudRegion string
 
 @description('Use an existing Application Registration. Defaults to false.')
 param useExistingAppRegistration bool = false

diff --git a/cs-deployment-subscription.bicep b/cs-deployment-subscription.bicep
@@ -43,7 +43,7 @@ param defaultSubscriptionId string
   'US-2'
   'EU-1'
 ])
-param falconCloudRegion string = 'US-1'
+param falconCloudRegion string
 
 @description('Use an existing Application Registration. Defaults to false.')
 param useExistingAppRegistration bool = false
@@ -106,6 +106,7 @@ module iomAzureSubscription 'modules/iom/azureSubscription.bicep' = if (deployIO
     falconClientId: falconClientId
     falconClientSecret: falconClientSecret
     falconCloudRegion: falconCloudRegion
+    defaultSubscriptionId: defaultSubscriptionId
     useExistingAppRegistration: useExistingAppRegistration
     grantAppRegistrationAdminConsent: grantAppRegistrationAdminConsent
     azureClientId: useExistingAppRegistration ? '' : azureClientId

diff --git a/modules/iom/azureManagementGroupRoleAssignment.bicep b/modules/iom/azureManagementGroupRoleAssignment.bicep
@@ -13,7 +13,7 @@ param azurePrincipalId string
 @description('Type of the Principal. Defaults to ServicePrincipal.')
 param azurePrincipalType string = 'ServicePrincipal'
 
-param customRole object = {
+var customRole = {
   roleName: 'cs-website-reader'
   roleDescription: 'CrowdStrike custom role to allow read access to App Service and Function.'
   roleActions: [

diff --git a/modules/iom/azureRoleDefinitionAssignableScope.bicep b/modules/iom/azureRoleDefinitionAssignableScope.bicep
@@ -0,0 +1,9 @@
+targetScope = 'subscription'
+
+param customRoleName string
+
+resource existingCustomRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  name: guid(customRoleName, subscription().id)
+}
+
+output assignableScopes array = existingCustomRoleDefinition.properties.assignableScopes
diff --git a/modules/iom/azureSubscription.bicep b/modules/iom/azureSubscription.bicep
@@ -31,6 +31,9 @@ param falconClientId string
 @secure()
 param falconClientSecret string
 
+@description('Subscription Id of the default Azure Subscription.')
+param defaultSubscriptionId string = subscription().id
+
 @description('Falcon cloud region.')
 @allowed([
   'US-1'
@@ -118,12 +121,27 @@ module azureAppRegistrationUpdate 'azureAppRegistration.bicep' = if (!useExistin
   ]
 }
 
+/* Define required permissions at Azure Subscription scope */
+module azureSubscriptionExistingRoleDefinition 'azureSubscriptionExistingRoleDefinition.bicep' = if (assignAzureSubscriptionPermissions && (subscription().subscriptionId != defaultSubscriptionId)) {
+  name: '${deploymentNamePrefix}-azureSubscriptionExistingRoleDefinition-${deploymentNameSuffix}'
+  scope: subscription(defaultSubscriptionId)
+  params: {
+    subscriptionId: subscription().id
+  }
+}
+
+/* Define required permissions at Azure Subscription scope */
+module azureSubscriptionRoleDefinition 'azureSubscriptionRoleDefinition.bicep' = if (assignAzureSubscriptionPermissions && (subscription().subscriptionId == defaultSubscriptionId)) {
+  name: '${deploymentNamePrefix}-azureSubscriptionRoleDefinition-${deploymentNameSuffix}'
+}
+
 /* Assign required permissions on Azure Subscription */
 module azureSubscriptionRoleAssignment 'azureSubscriptionRoleAssignment.bicep' = if (assignAzureSubscriptionPermissions) {
   name: '${deploymentNamePrefix}-azureSubscriptionRoleAssignment-${deploymentNameSuffix}'
   params: {
     azurePrincipalType: azurePrincipalType
     azurePrincipalId: useExistingAppRegistration ? azurePrincipalId : azureAppRegistration.outputs.servicePrincipalId
+    customRoleDefinitionId: subscription().subscriptionId == defaultSubscriptionId ? azureSubscriptionRoleDefinition.outputs.customRoleDefinitionId : azureSubscriptionExistingRoleDefinition.outputs.customRoleDefinitionId
   }
 }
 

diff --git a/modules/iom/azureSubscriptionExistingRoleDefinition.bicep b/modules/iom/azureSubscriptionExistingRoleDefinition.bicep
@@ -0,0 +1,45 @@
+targetScope = 'subscription'
+
+/*
+  This Bicep template adds the subscription as an assignable scope on the required permissions to enable CrowdStrike
+  Indicator of Misconfiguration (IOM)
+  Copyright (c) 2024 CrowdStrike, Inc.
+*/
+
+@description('Subscription Id of the targeted Azure Subscription.')
+param subscriptionId string
+
+var customRole = {
+  roleName: 'cs-website-reader'
+  roleDescription: 'CrowdStrike custom role to allow read access to App Service and Function.'
+  roleActions: [
+    'Microsoft.Web/sites/Read'
+    'Microsoft.Web/sites/config/Read'
+    'Microsoft.Web/sites/config/list/Action'
+  ]
+}
+
+module assignableScope 'azureRoleDefinitionAssignableScope.bicep' = {
+    name: guid('getAssignableScope',customRole.roleName, subscription().id)
+    params: {
+        customRoleName: customRole.roleName
+      }
+    }
+
+resource modifyExistingCustomRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+  name: guid(customRole.roleName, subscription().id)
+  properties: {
+    assignableScopes: union(assignableScope.outputs.assignableScopes,[subscriptionId])
+    description: customRole.roleDescription
+        permissions: [
+          {
+            actions: customRole.roleActions
+            notActions: []
+          }
+        ]
+        roleName: customRole.roleName
+        type: 'CustomRole'
+  }
+}
+
+output customRoleDefinitionId string = modifyExistingCustomRoleDefinition.id
diff --git a/modules/iom/azureSubscriptionRoleAssignment.bicep b/modules/iom/azureSubscriptionRoleAssignment.bicep
@@ -12,15 +12,7 @@ param azurePrincipalId string
 @description('Type of the Principal. Defaults to ServicePrincipal.')
 param azurePrincipalType string = 'ServicePrincipal'
 
-param customRole object = {
-  roleName: 'cs-website-reader'
-  roleDescription: 'CrowdStrike custom role to allow read access to App Service and Function.'
-  roleActions: [
-    'Microsoft.Web/sites/Read'
-    'Microsoft.Web/sites/config/Read'
-    'Microsoft.Web/sites/config/list/Action'
-  ]
-}
+param customRoleDefinitionId string
 
 var roleDefinitionIds = [
   'acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader
@@ -29,22 +21,6 @@ var roleDefinitionIds = [
   '7f6c6a51-bcf8-42ba-9220-52d62157d7db' // Azure Kubernetes Service RBAC Reader
 ]
 
-resource customRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
-  name: guid(customRole.roleName, subscription().id)
-  properties: {
-    assignableScopes: [subscription().id]
-    description: customRole.roleDescription
-    permissions: [
-      {
-        actions: customRole.roleActions
-        notActions: []
-      }
-    ]
-    roleName: customRole.roleName
-    type: 'CustomRole'
-  }
-}
-
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for roleDefinitionId in roleDefinitionIds: {
     name: guid(azurePrincipalId, roleDefinitionId, subscription().id)
@@ -59,12 +35,12 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
 resource customRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(
     azurePrincipalId,
-    customRoleDefinition.id,
+    customRoleDefinitionId,
     subscription().id
   )
   properties: {
-    roleDefinitionId: customRoleDefinition.id
+    roleDefinitionId: customRoleDefinitionId
     principalId: azurePrincipalId
     principalType: azurePrincipalType
   }
-}
+}
diff --git a/modules/iom/azureSubscriptionRoleDefinition.bicep b/modules/iom/azureSubscriptionRoleDefinition.bicep
@@ -0,0 +1,35 @@
+targetScope = 'subscription'
+
+/*
+  This Bicep template defines the required permissions at Azure Subscription scope to enable CrowdStrike
+  Indicator of Misconfiguration (IOM)
+  Copyright (c) 2024 CrowdStrike, Inc.
+*/
+
+var customRole = {
+  roleName: 'cs-website-reader'
+  roleDescription: 'CrowdStrike custom role to allow read access to App Service and Function.'
+  roleActions: [
+    'Microsoft.Web/sites/Read'
+    'Microsoft.Web/sites/config/Read'
+    'Microsoft.Web/sites/config/list/Action'
+  ]
+}
+
+resource customRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+  name: guid(customRole.roleName, subscription().id,'test')
+  properties: {
+    assignableScopes: [subscription().id]
+    description: customRole.roleDescription
+    permissions: [
+      {
+        actions: customRole.roleActions
+        notActions: []
+      }
+    ]
+    roleName: customRole.roleName
+    type: 'CustomRole'
+  }
+}
+
+output customRoleDefinitionId string = customRoleDefinition.id