How to enable Adaptive Application controls in Azure using Terraform


I have the following recommendation from Microsoft Defender for Cloud

Adaptive application controls for defining safe applications should be enabled on your machines


I did go through the article - https://charbelnemnom.com/enable-adaptive-application-controls-in-azure-security-center - and understood it.

I want to enable this through Terraform rather than manually. I'm not sure where to begin.

1 answer

Venkat V On

There is another approach to enable Adaptive Application Control (AAC) for Azure VMs using an Azure built-in Policy.

Adaptive Application Control (AAC) is a feature of Azure Policy that allows you to control which applications are allowed to run on Azure Virtual Machines. Enabling AAC requires creating and assigning a default policy definition for the feature, like below.

Azure Portal > Policy > Definitions.


ARM Template.

    {
      "properties": {
        "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines",
        "policyType": "BuiltIn",
        "mode": "All",
        "metadata": {
          "version": "3.0.0",
          "category": "Security Center"
        },
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "AuditIfNotExists",
              "Disabled"
            ],
            "defaultValue": "AuditIfNotExists"
          }
        },
        "policyRule": {
          "if": {
            "field": "type",
            "in": [
              "Microsoft.Compute/virtualMachines",
              "Microsoft.ClassicCompute/virtualMachines"
            ]
          },
          "then": {
            "effect": "[parameters('effect')]",
            "details": {
              "type": "Microsoft.Security/assessments",
              "name": "35f45c95-xxxx-xxxx-891f-8390d1de5828",
              "existenceCondition": {
                "field": "Microsoft.Security/assessments/status.code",
                "in": [
                  "NotApplicable",
                  "Healthy"
                ]
              }
            }
          }
        }
      },
      "id": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-xxxxxxxxx-64b11cf66adc",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "47a6b606-xxxx-xxx-8bb7-64b11cf66adc"
    }

Assign the policy to scope level, like below.


Assign the built-in Azure Policy by using Terraform, like below.

    provider "azurerm" {
      features {}
    }

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = ">= 2.96.0"
        }
      }
    }

You can fetch the Policy Definition ID, like below.


    resource "azurerm_subscription_policy_assignment" "auditvms" {
      # Assignment names have a length limit, so keep this short and put the
      # long recommendation text in display_name instead.
      name                 = "aac-audit"
      # The provider expects the full resource ID of the subscription, not the bare GUID.
      subscription_id      = "/subscriptions/<Subscription_ID>"
      # Paste the definition ID of the adaptive application controls policy fetched above.
      policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/<Policy_Definition_ID>"
      description          = "Audits machines on which adaptive application controls are not enabled"
      display_name         = "Adaptive application controls for defining safe applications should be enabled on your machines"
    }
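As an added example (not code from the answer above or from the linked reference), the same assignment written so that nothing has to be copied from the portal: the definition is looked up by its display name, the subscription comes from the provider's credentials, and the policy's effect parameter is set explicitly. The data sources and resource type are real azurerm ones; the resource labels and the `aac-audit` name are assumed.

```terraform
# Added example, not the answer's code. Requires the azurerm provider block
# shown above and credentials for the target subscription.

# Resolves to "/subscriptions/<guid>", the format the assignment resource expects.
data "azurerm_subscription" "current" {}

# Built-in definitions can be found by display name, so the GUID from the
# portal (the 47a6b606-... id in the ARM template above) need not be hard-coded.
data "azurerm_policy_definition" "aac" {
  display_name = "Adaptive application controls for defining safe applications should be enabled on your machines"
}

resource "azurerm_subscription_policy_assignment" "aac_audit" {
  name                 = "aac-audit" # assumed; kept short because assignment names have a length limit
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = data.azurerm_policy_definition.aac.id
  display_name         = "Adaptive application controls should be enabled on machines"
  description          = "Audits VMs whose Defender for Cloud adaptive application controls assessment is not Healthy or NotApplicable"

  # The definition's allowedValues are AuditIfNotExists and Disabled (see the
  # ARM template above). Set the effect explicitly rather than relying on the
  # default, so a later change to the default cannot silently disable the audit.
  parameters = jsonencode({
    effect = {
      value = "AuditIfNotExists"
    }
  })
}

# Handy for confirming which definition was resolved before relying on it.
output "aac_policy_definition_id" {
  value = data.azurerm_policy_definition.aac.id
}
```

Note that with an AuditIfNotExists effect the assignment only reports machines whose assessment is not Healthy; it does not itself configure adaptive application controls, which is still done in Defender for Cloud as in the linked article.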

Reference: Create a policy assignment to identify non-compliant resources using Terraform.