fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/templates/__init__.py

@@ -0,0 +1,75 @@
+"""
+Infrastructure and code templates for FedRAMP 20x evidence collection.
+
+This module provides Bicep, Terraform, and code generation templates
+organized by KSI family (IAM, MLA, AFR, CNA, RPL, SVC).
+"""
+
+from pathlib import Path
+
+# Template directory
+TEMPLATES_DIR = Path(__file__).parent
+
+def load_template(category: str, name: str) -> str:
+    """
+    Load a template file by category and name.
+    
+    Args:
+        category: Template category (bicep, terraform, code)
+        name: Template name (iam, mla, afr, cna, rpl, svc, generic)
+    
+    Returns:
+        Template content as string
+    
+    Raises:
+        FileNotFoundError: If template doesn't exist
+    """
+    template_path = TEMPLATES_DIR / category / f"{name}.txt"
+    
+    if not template_path.exists():
+        raise FileNotFoundError(f"Template not found: {template_path}")
+    
+    return template_path.read_text(encoding='utf-8')
+
+
+def get_infrastructure_template(ksi_family: str, infra_type: str) -> str:
+    """
+    Get infrastructure template for a KSI family.
+    
+    Args:
+        ksi_family: KSI family code (iam, mla, afr, cna, rpl, svc)
+        infra_type: Infrastructure type (bicep, terraform)
+    
+    Returns:
+        Template content wrapped in markdown code blocks
+    """
+    try:
+        template = load_template(infra_type, ksi_family.lower())
+        return template
+    except FileNotFoundError:
+        # Fall back to generic template
+        template = load_template(infra_type, 'generic')
+        return template
+
+
+def get_code_template(ksi_family: str, language: str) -> str:
+    """
+    Get code generation template for a KSI family.
+    
+    Args:
+        ksi_family: KSI family code (iam, mla, afr, cna, rpl, svc)  
+        language: Programming language (python, csharp, powershell)
+    
+    Returns:
+        Code template content
+    """
+    try:
+        # Try family-specific template
+        template_name = f"{ksi_family.lower()}_{language.lower()}"
+        template = load_template('code', template_name)
+        return template
+    except FileNotFoundError:
+        # Fall back to generic template
+        template_name = f"generic_{language.lower()}"
+        template = load_template('code', template_name)
+        return template

fedramp_20x_mcp/templates/bicep/afr.txt

@@ -0,0 +1,33 @@
+## Bicep Template
+
+```bicep
+// main.bicep - Authorization Framework Evidence Collection
+param location string = resourceGroup().location
+
+// Storage for vulnerability scan results and authorization evidence
+resource evidenceStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+  name: 'stfedrampafrevidence'
+  location: location
+  sku: { name: 'Standard_GRS' }
+  properties: {
+    supportsHttpsTrafficOnly: true
+    minimumTlsVersion: 'TLS1_2'
+  }
+}
+
+// Microsoft Defender for Cloud (configured via Policy)
+// This provides vulnerability scanning automatically
+
+// Container Registry with scanning enabled
+resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
+  name: 'acrfedrampvuln'
+  location: location
+  sku: { name: 'Premium' }  // Required for Defender scanning
+  properties: {
+    adminUserEnabled: false
+  }
+}
+
+output storageAccountName string = evidenceStorage.name
+output containerRegistryName string = acr.name
+```

fedramp_20x_mcp/templates/bicep/cna.txt

@@ -0,0 +1,48 @@
+## Bicep Template
+
+```bicep
+// main.bicep - Cloud Native Architecture Evidence
+param location string = resourceGroup().location
+
+// AKS cluster with monitoring
+resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
+  name: 'aks-fedramp-prod'
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    dnsPrefix: 'fedramp'
+    enableRBAC: true
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'calico'  // For KSI-CNA-01
+      serviceCidr: '10.0.0.0/16'
+      dnsServiceIP: '10.0.0.10'
+    }
+    addonProfiles: {
+      omsagent: {
+        enabled: true
+        config: {
+          logAnalyticsWorkspaceResourceID: logAnalytics.id
+        }
+      }
+      azurePolicy: {
+        enabled: true  // For KSI-CNA-08
+      }
+    }
+  }
+}
+
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: 'log-fedramp-aks'
+  location: location
+  properties: {
+    sku: { name: 'PerGB2018' }
+    retentionInDays: 730
+  }
+}
+
+output aksClusterName string = aks.name
+output workspaceId string = logAnalytics.id
+```

fedramp_20x_mcp/templates/bicep/generic.txt

@@ -0,0 +1,47 @@
+## Bicep Template
+
+```bicep
+// main.bicep - Generic KSI Evidence Collection Infrastructure
+param location string = resourceGroup().location
+param ksiId string
+
+// Evidence Storage Account
+resource evidenceStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+  name: 'st${toLower(replace(ksiId, '-', ''))}evidence'
+  location: location
+  kind: 'StorageV2'
+  sku: {
+    name: 'Standard_GRS'
+  }
+  properties: {
+    supportsHttpsTrafficOnly: true
+    minimumTlsVersion: 'TLS1_2'
+    encryption: {
+      keySource: 'Microsoft.Storage'
+    }
+  }
+}
+
+// Container for evidence files
+resource evidenceContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
+  name: '${evidenceStorage.name}/default/evidence'
+  properties: {
+    publicAccess: 'None'
+  }
+}
+
+// Log Analytics for metrics
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: 'log-${toLower(ksiId)}'
+  location: location
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    retentionInDays: 730
+  }
+}
+
+output storageAccountName string = evidenceStorage.name
+output workspaceId string = logAnalytics.properties.customerId
+```

fedramp_20x_mcp/templates/bicep/iam.txt

@@ -0,0 +1,211 @@
+// main.bicep - IAM Evidence Collection Infrastructure
+// Follows Azure CAF naming conventions and WAF best practices
+param location string = resourceGroup().location
+param environmentName string = 'prod'
+param workloadName string = 'fedramp'
+
+// CAF recommended tags for governance
+param tags object = {
+  Environment: environmentName
+  Workload: workloadName
+  CostCenter: 'Security'
+  ManagedBy: 'IaC'
+  Compliance: 'FedRAMP'
+}
+
+// Log Analytics Workspace for IAM logs (CAF naming: log-<workload>-<env>-<purpose>)
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
+  name: 'log-${workloadName}-${environmentName}-iam'
+  location: location
+  tags: tags
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    retentionInDays: 730  // 2 years retention for FedRAMP
+    features: {
+      immediatePurgeDataOn30Days: false  // Prevent accidental data loss
+    }
+  }
+}
+
+// Storage Account for evidence (CAF naming: st<workload><env><unique>)
+resource evidenceStorage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
+  name: 'st${workloadName}${environmentName}iam'
+  location: location
+  kind: 'StorageV2'
+  tags: tags
+  sku: {
+    name: 'Standard_GRS'  // Geo-redundant for WAF Reliability
+  }
+  identity: {
+    type: 'SystemAssigned'  // Enable managed identity
+  }
+  properties: {
+    supportsHttpsTrafficOnly: true
+    minimumTlsVersion: 'TLS1_2'
+    allowBlobPublicAccess: false  // WAF Security: Block public access
+    networkAcls: {
+      defaultAction: 'Deny'  // WAF Security: Default deny
+      bypass: 'AzureServices'
+    }
+    encryption: {
+      keySource: 'Microsoft.Storage'
+      requireInfrastructureEncryption: true  // Double encryption
+      services: {
+        blob: {
+          enabled: true
+        }
+        file: {
+          enabled: true
+        }
+      }
+    }
+  }
+}
+
+// Blob service configuration
+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-05-01' = {
+  parent: evidenceStorage
+  name: 'default'
+  properties: {
+    deleteRetentionPolicy: {
+      enabled: true
+      days: 30  // Soft delete for 30 days
+    }
+    containerDeleteRetentionPolicy: {
+      enabled: true
+      days: 30
+    }
+  }
+}
+
+// Container for IAM evidence
+resource evidenceContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-05-01' = {
+  parent: blobService
+  name: 'iam-evidence'
+  properties: {
+    publicAccess: 'None'
+  }
+}
+
+// Application Insights for monitoring (CAF naming: appi-<workload>-<env>-<purpose>)
+resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: 'appi-${workloadName}-${environmentName}-iam'
+  location: location
+  tags: tags
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    WorkspaceResourceId: logAnalytics.id
+  }
+}
+
+// Azure Function for IAM data collection (CAF naming: func-<workload>-<env>-<purpose>)
+resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
+  name: 'asp-${workloadName}-${environmentName}-iam'
+  location: location
+  tags: tags
+  sku: {
+    name: 'Y1'  // Consumption plan for cost optimization
+    tier: 'Dynamic'
+  }
+}
+
+resource functionApp 'Microsoft.Web/sites@2023-12-01' = {
+  name: 'func-${workloadName}-${environmentName}-iam'
+  location: location
+  kind: 'functionapp'
+  tags: tags
+  identity: {
+    type: 'SystemAssigned'  // WAF Security: Use managed identity
+  }
+  properties: {
+    serverFarmId: appServicePlan.id
+    httpsOnly: true  // WAF Security: Force HTTPS
+    siteConfig: {
+      minTlsVersion: '1.2'
+      ftpsState: 'Disabled'  // WAF Security: Disable FTP
+      appSettings: [
+        {
+          name: 'AzureWebJobsStorage__accountName'
+          value: evidenceStorage.name  // WAF Security: Managed identity auth
+        }
+        {
+          name: 'FUNCTIONS_EXTENSION_VERSION'
+          value: '~4'
+        }
+        {
+          name: 'FUNCTIONS_WORKER_RUNTIME'
+          value: 'dotnet-isolated'
+        }
+        {
+          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+          value: appInsights.properties.ConnectionString
+        }
+        {
+          name: 'LOG_ANALYTICS_WORKSPACE_ID'
+          value: logAnalytics.properties.customerId
+        }
+        {
+          name: 'EVIDENCE_STORAGE_ACCOUNT'
+          value: evidenceStorage.name  // Reference by name for managed identity
+        }
+      ]
+    }
+  }
+}
+
+// RBAC: Grant Function App Storage Blob Data Contributor role
+resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(evidenceStorage.id, functionApp.id, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+  scope: evidenceStorage
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') // Storage Blob Data Contributor
+    principalId: functionApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+// Metric alert for function failures (WAF Reliability)
+resource alertRule 'Microsoft.Insights/metricAlerts@2018-03-01' = {
+  name: 'alert-${workloadName}-${environmentName}-iam-failures'
+  location: 'global'
+  tags: tags
+  properties: {
+    description: 'Alert when IAM evidence collection fails'
+    severity: 2
+    enabled: true
+    scopes: [
+      functionApp.id
+    ]
+    evaluationFrequency: 'PT5M'
+    windowSize: 'PT15M'
+    criteria: {
+      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
+      allOf: [
+        {
+          name: 'FunctionErrors'
+          metricName: 'FunctionExecutionCount'
+          dimensions: [
+            {
+              name: 'Status'
+              operator: 'Include'
+              values: ['Failed']
+            }
+          ]
+          operator: 'GreaterThan'
+          threshold: 5
+          timeAggregation: 'Total'
+        }
+      ]
+    }
+    actions: []  // Configure action group for notifications
+  }
+}
+
+// Outputs
+output logAnalyticsWorkspaceId string = logAnalytics.properties.customerId
+output evidenceStorageAccountName string = evidenceStorage.name
+output functionAppName string = functionApp.name
+output functionAppPrincipalId string = functionApp.identity.principalId

fedramp_20x_mcp/templates/bicep/mla.txt

@@ -0,0 +1,82 @@
+## Bicep Template
+
+```bicep
+// main.bicep - Monitoring, Logging & Analysis Infrastructure
+param location string = resourceGroup().location
+param environmentName string = 'fedramp'
+
+// Sentinel Workspace (includes Log Analytics)
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: 'log-${environmentName}-sentinel'
+  location: location
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    retentionInDays: 730
+  }
+}
+
+// Enable Microsoft Sentinel
+resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
+  name: 'default'
+  scope: logAnalytics
+  properties: {}
+}
+
+// Evidence Storage
+resource evidenceStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+  name: 'st${environmentName}mlaevidence'
+  location: location
+  kind: 'StorageV2'
+  sku: {
+    name: 'Standard_GRS'
+  }
+  properties: {
+    supportsHttpsTrafficOnly: true
+    minimumTlsVersion: 'TLS1_2'
+  }
+}
+
+// Data Collection Rules for centralized logging
+resource dataCollectionEndpoint 'Microsoft.Insights/dataCollectionEndpoints@2022-06-01' = {
+  name: 'dce-${environmentName}-mla'
+  location: location
+  properties: {}
+}
+
+resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
+  name: 'dcr-${environmentName}-mla'
+  location: location
+  properties: {
+    dataCollectionEndpointId: dataCollectionEndpoint.id
+    streamDeclarations: {
+      'Custom-SecurityLogs': {
+        columns: [
+          {name: 'TimeGenerated', type: 'datetime'}
+          {name: 'EventType', type: 'string'}
+          {name: 'EventData', type: 'dynamic'}
+        ]
+      }
+    }
+    destinations: {
+      logAnalytics: [
+        {
+          workspaceResourceId: logAnalytics.id
+          name: 'centralWorkspace'
+        }
+      ]
+    }
+    dataFlows: [
+      {
+        streams: ['Custom-SecurityLogs']
+        destinations: ['centralWorkspace']
+      }
+    ]
+  }
+}
+
+output workspaceId string = logAnalytics.properties.customerId
+output workspaceKey string = logAnalytics.listKeys().primarySharedKey
+output dataCollectionEndpointUrl string = dataCollectionEndpoint.properties.logsIngestion.endpoint
+```

fedramp_20x_mcp/templates/bicep/rpl.txt

@@ -0,0 +1,44 @@
+## Bicep Template
+
+```bicep
+// main.bicep - Backup & Recovery Evidence Collection
+param location string = resourceGroup().location
+
+// Recovery Services Vault
+resource recoveryVault 'Microsoft.RecoveryServices/vaults@2023-04-01' = {
+  name: 'rsv-fedramp-backup'
+  location: location
+  sku: {
+    name: 'RS0'
+    tier: 'Standard'
+  }
+  properties: {}
+}
+
+// Backup Policy for VMs
+resource backupPolicy 'Microsoft.RecoveryServices/vaults/backupPolicies@2023-04-01' = {
+  parent: recoveryVault
+  name: 'DailyBackupPolicy'
+  properties: {
+    backupManagementType: 'AzureIaasVM'
+    instantRpRetentionRangeInDays: 5
+    schedulePolicy: {
+      schedulePolicyType: 'SimpleSchedulePolicy'
+      scheduleRunFrequency: 'Daily'
+      scheduleRunTimes: ['2023-01-01T02:00:00Z']
+    }
+    retentionPolicy: {
+      retentionPolicyType: 'LongTermRetentionPolicy'
+      dailySchedule: {
+        retentionTimes: ['2023-01-01T02:00:00Z']
+        retentionDuration: {
+          count: 30
+          durationType: 'Days'
+        }
+      }
+    }
+  }
+}
+
+output recoveryVaultName string = recoveryVault.name
+```

fedramp_20x_mcp/templates/bicep/svc.txt

@@ -0,0 +1,54 @@
+## Bicep Template
+
+```bicep
+// main.bicep - Service Management Evidence Collection
+param location string = resourceGroup().location
+
+// Key Vault for secret management (KSI-SVC-06)
+resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
+  name: 'kv-fedramp-secrets'
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    tenantId: subscription().tenantId
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 90
+    enablePurgeProtection: true
+  }
+}
+
+// Diagnostic settings for Key Vault audit logs
+resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'kv-diagnostics'
+  scope: keyVault
+  properties: {
+    workspaceId: logAnalytics.id
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+        retentionPolicy: {
+          enabled: true
+          days: 730
+        }
+      }
+    ]
+  }
+}
+
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: 'log-fedramp-keyvault'
+  location: location
+  properties: {
+    sku: { name: 'PerGB2018' }
+    retentionInDays: 730
+  }
+}
+
+output keyVaultName string = keyVault.name
+output workspaceId string = logAnalytics.id
+```

fedramp_20x_mcp/templates/code/generic_csharp.txt

@@ -0,0 +1,65 @@
+## C# Code (.NET 8)
+
+```csharp
+using Azure.Identity;
+using Azure.Storage.Blobs;
+using System.Text.Json;
+
+public class KSIEvidenceCollector
+{
+    private readonly BlobServiceClient _blobClient;
+
+    public KSIEvidenceCollector()
+    {
+        var credential = new DefaultAzureCredential();
+        var storageAccount = Environment.GetEnvironmentVariable("EVIDENCE_STORAGE_ACCOUNT");
+        
+        _blobClient = new BlobServiceClient(
+            new Uri($"https://{storageAccount}.blob.core.windows.net"),
+            credential
+        );
+    }
+
+    public async Task<Evidence> CollectEvidenceAsync(string ksiId)
+    {
+        var evidence = new Evidence
+        {
+            CollectionDate = DateTime.UtcNow,
+            KsiId = ksiId,
+            ComplianceStatus = "compliant",
+            EvidenceData = new Dictionary<string, object>
+            {
+                // Add your evidence data here
+            }
+        };
+
+        return evidence;
+    }
+
+    public async Task StoreEvidenceAsync(Evidence evidence)
+    {
+        var timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd");
+        var blobName = $"evidence/{timestamp}.json";
+        
+        var containerClient = _blobClient.GetBlobContainerClient("evidence");
+        await containerClient.CreateIfNotExistsAsync();
+        
+        var blobClient = containerClient.GetBlobClient(blobName);
+        var json = JsonSerializer.Serialize(evidence, new JsonSerializerOptions
+        {
+            WriteIndented = true
+        });
+        
+        await blobClient.UploadAsync(BinaryData.FromString(json), overwrite: true);
+        Console.WriteLine($"✓ Evidence stored: {blobName}");
+    }
+}
+
+public class Evidence
+{
+    public DateTime CollectionDate { get; set; }
+    public string KsiId { get; set; }
+    public string ComplianceStatus { get; set; }
+    public Dictionary<string, object> EvidenceData { get; set; }
+}
+```