From 9f4fe9421028fff02d36fdba4bbb11eaa10a673d Mon Sep 17 00:00:00 2001
From: quoteee <45695032+JulianHayward@users.noreply.github.com>
Date: Fri, 20 Oct 2023 16:48:31 +0200
Subject: [PATCH] change category from 'tags' to 'storage' and move policy definition folder from 'tags' to 'storage' (#391)

* Enforce or extend Storage Account IPRules if tag match
* change category and move to storage (from tags)
---
 .../azurepolicy.json | 190 ++++++++++++++++++
 .../azurepolicy.parameters.json | 52 +++++
 .../azurepolicy.rules.json | 126 ++++++++++++
 .../azurepolicy.json | 2 +-
 .../azurepolicy.parameters.json | 0
 .../azurepolicy.rules.json | 0
 6 files changed, 369 insertions(+), 1 deletion(-)
 create mode 100644 Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.json
 create mode 100644 Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.parameters.json
 create mode 100644 Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.rules.json
 rename policyDefinitions/{Tags => Storage}/restrict-cloud-shell-storage-account-creation/azurepolicy.json (97%)
 rename policyDefinitions/{Tags => Storage}/restrict-cloud-shell-storage-account-creation/azurepolicy.parameters.json (100%)
 rename policyDefinitions/{Tags => Storage}/restrict-cloud-shell-storage-account-creation/azurepolicy.rules.json (100%)
diff --git a/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.json b/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.json
new file mode 100644
index 00000000..ac7f2560
--- /dev/null
+++ b/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.json
@@ -0,0 +1,190 @@
+{
+ "name": "7e5e7a22-32fe-4537-aca8-786a5f871e13",
+ "properties": {
+ "displayName": "Enforce or extend Storage Account IPRules if tag match",
+ "description": "This policy enforces or extends IP ranges if the Storage Account has a matching tag/value (deviating existing IP ranges may be kept or overwritten (parameter: existingIPRangesHandling)). 'publicNetworkAccess' will be enabled if disabled.",
+ "mode": "Indexed",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "effect",
+ "description": "policy effect"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "tagName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagName",
+ "description": "name of the tag that must exist for the Storage Account"
+ }
+ },
+ "tagValue": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagValue",
+ "description": "value of the tagName that must match in order to apply the policy"
+ }
+ },
+ "enforceIPRanges": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "enforceIPRanges",
+ "description": "IP/ranges that must be applied"
+ },
+ "defaultValue": [
+ "219.94.47.192/28",
+ "209.127.0.0/16"
+ ]
+ },
+ "existingIPRangesHandling": {
+ "type": "String",
+ "metadata": {
+ "displayName": "existingIPRangesHandling",
+ "description": "retain: keep existing IP/ranges that are not defined in 'enforceIPRanges' (union exiting and enforced IP/ranges); remove: enforce 'enforceIPRanges' and remove the existing IP/ranges that are not defined in 'enforceIPRanges'"
+ },
+ "allowedValues": [
+ "retain",
+ "remove"
+ ],
+ "defaultValue": "retain"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "[concat('tags[', parameters('tagName'), ']')]",
+ "equals": "[parameters('tagValue')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "evaluationDelay": "AfterProvisioningSuccess",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[field('name')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
+ "exists": "true"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
+ "equals": "Deny"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
+ "equals": "Enabled"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
+ "where": {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "in": "[parameters('enforceIPRanges')]"
+ }
+ ]
+ }
+ },
+ "equals": "[length(parameters('enforceIPRanges'))]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "`$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "enforceIPRanges": {
+ "type": "Array"
+ },
+ "location": {
+ "type": "String"
+ },
+ "ipRulesExisting": {
+ "type": "Array"
+ },
+ "existingIPRangesHandling": {
+ "type": "String"
+ }
+ },
+ "variables": {
+ "varIPRangesToApply": "[if(equals(parameters('existingIPRangesHandling'), 'retain'), union(parameters('enforceIPRanges'), parameters('ipRulesExisting')), parameters('enforceIPRanges'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "networkAcls": {
+ "defaultAction": "Deny",
+ "copy": [
+ {
+ "name": "ipRules",
+ "count": "[length(variables('varIPRangesToApply'))]",
+ "input": {
+ "value": "[variables('varIPRangesToApply')[copyIndex('ipRules')]]",
+ "action": "Allow"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "enforceIPRanges": {
+ "value": "[parameters('enforceIPRanges')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "ipRulesExisting": {
+ "value": "[field('Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value')]"
+ },
+ "existingIPRangesHandling": {
+ "value": "[parameters('existingIPRangesHandling')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.parameters.json b/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.parameters.json
new file mode 100644
index 00000000..2825b4bb
--- /dev/null
+++ b/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.parameters.json
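Review bot: The deployment template's schema key is written as "`$schema" with a leading backtick (in `deployment.properties.template`), which looks like a PowerShell escaping artifact; ARM requires the literal `$schema` key, so the DeployIfNotExists remediation is likely to fail template validation and should read `"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"` — the same key appears in the azurepolicy.rules.json hunk. Separately, the existenceCondition only counts ipRules whose value is in `enforceIPRanges`, so with `existingIPRangesHandling` set to `remove` an account that also carries extra ranges is still reported compliant and the extras are never stripped; an additional condition is needed that, when the parameter is `remove`, requires the count of rules outside `enforceIPRanges` to be zero (sketched below, applies to the rules.json hunk as well). Also, the template's `networkAcls` object carries only `defaultAction` and `ipRules`; if the resource provider replaces the object on PUT rather than merging it, existing `virtualNetworkRules` and `resourceAccessRules` would be dropped by remediation — worth verifying and, if so, passing them through the same way `ipRulesExisting` is.
```json
"existenceCondition": {
  "allOf": [
    // … unchanged: exists / defaultAction / publicNetworkAccess / enforced-range count conditions …
    {
      "anyOf": [
        {
          "value": "[parameters('existingIPRangesHandling')]",
          "equals": "retain"
        },
        {
          "count": {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
            "where": {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
              "notIn": "[parameters('enforceIPRanges')]"
            }
          },
          "equals": 0
        }
      ]
    }
  ]
}
```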
@@ -0,0 +1,52 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "effect",
+ "description": "policy effect"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "tagName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagName",
+ "description": "name of the tag that must exist for the Storage Account"
+ }
+ },
+ "tagValue": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagValue",
+ "description": "value of the tagName that must match in order to apply the policy"
+ }
+ },
+ "enforceIPRanges": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "enforceIPRanges",
+ "description": "IP/ranges that must be applied"
+ },
+ "defaultValue": [
+ "219.94.47.192/28",
+ "209.127.0.0/16"
+ ]
+ },
+ "existingIPRangesHandling": {
+ "type": "String",
+ "metadata": {
+ "displayName": "existingIPRangesHandling",
+ "description": "retain: keep existing IP/ranges that are not defined in 'enforceIPRanges' (union exiting and enforced IP/ranges); remove: enforce 'enforceIPRanges' and remove the existing IP/ranges that are not defined in 'enforceIPRanges'"
+ },
+ "allowedValues": [
+ "retain",
+ "remove"
+ ],
+ "defaultValue": "retain"
+ }
+}
\ No newline at end of file
diff --git a/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.rules.json b/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.rules.json
new file mode 100644
index 00000000..6b3d1ddb
--- /dev/null
+++ b/Policies/Storage/enforce-or-extend-storage-account-iprules-if-tag-match/azurepolicy.rules.json
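Review bot: `enforceIPRanges` ships with a `defaultValue` of two concrete public prefixes, `"219.94.47.192/28"` and `"209.127.0.0/16"`, so an assignment that does not override the parameter will write allow rules for those addresses into every tagged account; presumably these are sample values, but a definition-level default allow-list is a risky default — drop the `defaultValue` so each assignment must supply its own ranges (the same parameter block is duplicated in azurepolicy.json). The `existingIPRangesHandling` description reads "union exiting and enforced IP/ranges"; it should say `union existing and enforced IP/ranges`. The `enforceIPRanges` description should also state the expected element format (CIDR prefix or single address, as the storage firewall stores it), since the existence condition compares these strings literally.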
@@ -0,0 +1,126 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "[concat('tags[', parameters('tagName'), ']')]",
+ "equals": "[parameters('tagValue')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "evaluationDelay": "AfterProvisioningSuccess",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[field('name')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
+ "exists": "true"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
+ "equals": "Deny"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
+ "equals": "Enabled"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
+ "where": {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "in": "[parameters('enforceIPRanges')]"
+ }
+ ]
+ }
+ },
+ "equals": "[length(parameters('enforceIPRanges'))]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "`$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "enforceIPRanges": {
+ "type": "Array"
+ },
+ "location": {
+ "type": "String"
+ },
+ "ipRulesExisting": {
+ "type": "Array"
+ },
+ "existingIPRangesHandling": {
+ "type": "String"
+ }
+ },
+ "variables": {
+ "varIPRangesToApply": "[if(equals(parameters('existingIPRangesHandling'), 'retain'), union(parameters('enforceIPRanges'), parameters('ipRulesExisting')), parameters('enforceIPRanges'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "networkAcls": {
+ "defaultAction": "Deny",
+ "copy": [
+ {
+ "name": "ipRules",
+ "count": "[length(variables('varIPRangesToApply'))]",
+ "input": {
+ "value": "[variables('varIPRangesToApply')[copyIndex('ipRules')]]",
+ "action": "Allow"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "enforceIPRanges": {
+ "value": "[parameters('enforceIPRanges')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "ipRulesExisting": {
+ "value": "[field('Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value')]"
+ },
+ "existingIPRangesHandling": {
+ "value": "[parameters('existingIPRangesHandling')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.json b/policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.json
similarity index 97%
rename from policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.json
rename to policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.json
index 0f6a5ce7..11e5f5e9 100644
--- a/policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.json
+++ b/policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.json
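Review bot: The `count`/`where` in the existenceCondition compares `networkAcls.ipRules[*].value` against the `enforceIPRanges` strings literally, so if the storage provider normalizes a stored rule (I believe a single address given with a /32 prefix is stored without it — confirm), that rule never matches, the account stays non-compliant and the DeployIfNotExists deployment re-runs on every evaluation; the accepted format should at least be documented on the parameter, and the comparison made robust to it if the normalization is confirmed. The `where` clause wraps a single condition in an `anyOf`, which adds nothing and can be collapsed to `"where": { "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value", "in": "[parameters('enforceIPRanges')]" }`. Both points apply equally to the copy of this rule embedded in azurepolicy.json.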
@@ -5,7 +5,7 @@
 "displayName": "Restrict cloud shell storage account creation",
 "description": "Storage accounts that you create in Cloud Shell are tagged with ms-resource-usage:azure-cloud-shell. If you want to disallow users from creating storage accounts in Cloud Shell, create an Azure resource policy for tags that is triggered by this specific tag. https://learn.microsoft.com/en-us/azure/cloud-shell/persisting-shell-storage#restrict-resource-creation-with-an-azure-resource-policy",
 "metadata": {
- "category": "Tags",
+ "category": "Storage",
 "version": "1.0.0"
 },
 "mode": "All",
diff --git a/policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.parameters.json b/policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.parameters.json
similarity index 100%
rename from policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.parameters.json
rename to policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.parameters.json
diff --git a/policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.rules.json b/policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.rules.json
similarity index 100%
rename from policyDefinitions/Tags/restrict-cloud-shell-storage-account-creation/azurepolicy.rules.json
rename to policyDefinitions/Storage/restrict-cloud-shell-storage-account-creation/azurepolicy.rules.json