Fix Defender defaults parity, expose appSubnetDelegation, document Defender for ARM

ricmmartins · ricmmartins · commit 1755f0dc4b07 · 2026-02-22T09:13:37.000-05:00
- Align Defender for Servers/Databases defaults: auto-enable for prod in TF (matches Bicep)
- Expose appSubnetDelegation param in Bicep main and pass to networking module
- Add Defender for ARM to security.md documentation
diff --git a/docs/security.md b/docs/security.md
@@ -13,6 +13,7 @@ Security that protects you without slowing you down. Every recommendation here i
 | Defender for Containers | If running AKS | ~$7/vCPU/month | Runtime threat detection, image vulnerability scanning, Kubernetes audit log monitoring. |
 | Defender for Databases | Prod only | Varies | SQL/Postgres threat detection — alerts on SQL injection, anomalous access, brute force. |
 | Defender for Key Vault | Prod only | ~$0.02/10k transactions | Alerts on unusual access patterns to secrets. Cheap insurance. |
+| Defender for ARM | Both subs | ~$4/sub/month | Detects suspicious control-plane operations (mass deletions, privilege escalation). Always enabled by this landing zone. |
 | Defender for Storage | No | ~$10/month per account | Malware scanning. Skip unless you accept user file uploads. |
 | Defender for App Service | No | ~$15/month per instance | Limited value compared to other plans. Revisit later. |
 | Defender for DNS | No | ~$0.70/million queries | Niche. Only if you suspect DNS exfiltration (you don't). |
diff --git a/infra/bicep/main.bicep b/infra/bicep/main.bicep
@@ -28,6 +28,9 @@ param budgetAlertEmails array
 @description('Deploy VNet and networking resources')
 param deployNetworking bool = true
 
+@description('Service delegation for the app subnet (e.g., Microsoft.Web/serverFarms for App Service, Microsoft.App/environments for Container Apps)')
+param appSubnetDelegation string = 'Microsoft.Web/serverFarms'
+
 @description('Enable Defender for Servers P2 (recommended for prod)')
 param enableDefenderForServers bool = environment == 'prod'
 
@@ -104,6 +107,7 @@ module networking 'modules/networking.bicep' = if (deployNetworking) {
     location: location
     vnetName: 'vnet-${prefix}'
     vnetAddressPrefix: environment == 'prod' ? '10.0.0.0/16' : '10.1.0.0/16'
+    appSubnetDelegation: appSubnetDelegation
     tags: tags
   }
 }
diff --git a/infra/terraform/main.tf b/infra/terraform/main.tf
@@ -102,9 +102,9 @@ module "networking" {
 module "security" {
   source                         = "./modules/security"
   security_contact_email         = var.security_contact_email
-  enable_defender_for_servers    = var.enable_defender_for_servers
+  enable_defender_for_servers    = local.enable_defender_for_servers
   enable_defender_for_containers = var.enable_defender_for_containers
-  enable_defender_for_databases  = var.enable_defender_for_databases
+  enable_defender_for_databases  = local.enable_defender_for_databases
   enable_defender_for_key_vault  = var.enable_defender_for_key_vault
 }
 
diff --git a/infra/terraform/variables.tf b/infra/terraform/variables.tf
@@ -98,21 +98,21 @@ variable "security_contact_email" {
 }
 
 variable "enable_defender_for_servers" {
-  description = "Enable Defender for Servers P2"
+  description = "Enable Defender for Servers P2 (recommended for prod)"
   type        = bool
-  default     = false
+  default     = null
 }
 
 variable "enable_defender_for_containers" {
-  description = "Enable Defender for Containers"
+  description = "Enable Defender for Containers (recommended if running AKS)"
   type        = bool
   default     = false
 }
 
 variable "enable_defender_for_databases" {
-  description = "Enable Defender for Databases"
+  description = "Enable Defender for Databases (recommended for prod)"
   type        = bool
-  default     = false
+  default     = null
 }
 
 variable "enable_defender_for_key_vault" {
@@ -136,6 +136,10 @@ variable "tags" {
 locals {
   prefix = var.prefix != "" ? var.prefix : "${var.company_name}-${var.environment}"
 
+  # Defender defaults: enable Servers and Databases for prod (matches Bicep behavior)
+  enable_defender_for_servers   = var.enable_defender_for_servers != null ? var.enable_defender_for_servers : var.environment == "prod"
+  enable_defender_for_databases = var.enable_defender_for_databases != null ? var.enable_defender_for_databases : var.environment == "prod"
+
   budget_start_date = var.budget_start_date != "" ? var.budget_start_date : formatdate("YYYY-MM-01'T'00:00:00Z", plantimestamp())
 
   vnet_address_prefix = var.vnet_address_prefix != "" ? var.vnet_address_prefix : (var.environment == "prod" ? "10.0.0.0/16" : "10.1.0.0/16")
