From 2c816460810afdd916e115391d7bed70a8fe76c8 Mon Sep 17 00:00:00 2001
From: Thomas Defise
Date: Mon, 13 May 2024 12:58:30 +0200
Subject: [PATCH 1/4] Adding a new policy
---
.../azurepolicy.json | 56 +++++++++++++++++++
.../azurepolicy.parameters.json | 14 +++++
.../azurepolicy.rules.json | 29 ++++++++++
3 files changed, 99 insertions(+)
create mode 100644 policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json
create mode 100644 policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json
create mode 100644 policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json
diff --git a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json
new file mode 100644
index 00000000..c0d0571d
--- /dev/null
+++ b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json
@@ -0,0 +1,56 @@
+{
+ "name": "638423c3-17df-40bc-bf81-9bfa3f5cc0a7",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "App Service apps should use the latest TLS version for SCM connections",
+ "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service"
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "notContains": "functionapp"
+ },
+ {
+ "field": "kind",
+ "notContains": "workflowapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Web/sites/config",
+ "name": "web",
+ "existenceCondition": {
+ "field": "Microsoft.Web/sites/config/scmMinTlsVersion",
+ "equals": "1.2"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json
new file mode 100644
index 00000000..fb8acc98
--- /dev/null
+++ b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json
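Review bot: The `existenceCondition` on `scmMinTlsVersion` uses `"equals": "1.2"`, so an app whose SCM minimum TLS is set to anything stricter than 1.2 would be reported as non-compliant by a policy whose display name asks for the latest version; if the platform accepts `1.3` for this setting, `"in": ["1.2", "1.3"]` matches the intent and does not need a new policy version when the floor rises. The `description` still reads `Upgrade to the latest TLS version for Function apps`, although the `kind` filters explicitly exclude `functionapp` and `workflowapp` and the checked property is the SCM (Kudu) endpoint's TLS floor; suggest `Upgrade to the latest TLS version for the SCM (Kudu) connections of App Service apps to take advantage of security fixes`. The effect parameter's description `AuditIfNotExists or Disabled the execution of the Policy` would read better as `Enable or disable the execution of the policy`.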
@@ -0,0 +1,14 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+}
diff --git a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json
new file mode 100644
index 00000000..1e5c4f4f
--- /dev/null
+++ b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json
@@ -0,0 +1,29 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "notContains": "functionapp"
+ },
+ {
+ "field": "kind",
+ "notContains": "workflowapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Web/sites/config",
+ "name": "web",
+ "existenceCondition": {
+ "field": "Microsoft.Web/sites/config/scmMinTlsVersion",
+ "equals": "1.2"
+ }
+ }
+ }
+}
From 382390b3658ed820a6d78d4a8931e7d38a6ce336 Mon Sep 17 00:00:00 2001
From: Thomas Defise
Date: Mon, 13 May 2024 13:09:20 +0200
Subject: [PATCH 2/4] Added new policy
---
.../azurepolicy.json | 49 +++++++++++++++++++
.../azurepolicy.parameters.json | 15 ++++++
.../azurepolicy.rules.json | 21 ++++++++
3 files changed, 85 insertions(+)
create mode 100644 policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.json
create mode 100644 policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.parameters.json
create mode 100644 policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.rules.json
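Review bot: `azurepolicy.rules.json` is a second, hand-maintained copy of the `policyRule` object that `azurepolicy.json` in the same directory already embeds, including the `"equals": "1.2"` existence condition on `scmMinTlsVersion`; any later adjustment to that match (for example widening it to `"in": ["1.2", "1.3"]` if the platform accepts a higher SCM floor) has to be made in both files or they will silently drift. If the rules and parameters files exist to feed a CLI `--rules`/`--params` deployment, consider generating them from `azurepolicy.json` in CI instead of committing three copies of the same content.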
diff --git a/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.json b/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.json
new file mode 100644
index 00000000..f86e14a6
--- /dev/null
+++ b/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.json
@@ -0,0 +1,49 @@
+{
+ "name": "8fefe846-bf48-4882-a717-a451275655ef",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Azure Redis Cache should supports 'Standard replication'",
+ "description": "Use 'Standard replication' in order to have an a high availability architecture that ensures your managed instance is functioning, even when outages affect the underlying virtual machines (VMs)",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/Redis"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/sku.family",
+ "equals": "C"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/sku.name",
+ "equals": "Basic"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.parameters.json b/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.parameters.json
new file mode 100644
index 00000000..d2c89f94
--- /dev/null
+++ b/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.parameters.json
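Review bot: The `displayName` `Azure Redis Cache should supports 'Standard replication'` has a grammar error that will show verbatim in the compliance dashboard; suggest `Azure Cache for Redis should use a tier that supports replication (not Basic)`, which also says what the rule actually checks. The `description` calls the resource a `managed instance`, which is a different Azure service, and has `an a`; `Use a Standard or Premium tier so the cache keeps serving requests when outages affect the underlying virtual machines` is closer to the rule. The `allOf` matches both `sku.family` `C` and `sku.name` `Basic`; if Basic only exists in the C family the family clause is redundant and `sku.name` alone is less brittle, but confirm that against the current SKU list before dropping it. Separately, the new directory name in the file header contains single quotes (`'standard-replication'`), which tends to break shell-based tooling and URLs; a plain `standard-replication` segment is safer.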
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
diff --git a/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.rules.json b/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.rules.json
new file mode 100644
index 00000000..1c27be20
--- /dev/null
+++ b/policyDefinitions/Cache/azure-redis-cache-should-supports-'standard-replication'/azurepolicy.rules.json
@@ -0,0 +1,21 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/Redis"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/sku.family",
+ "equals": "C"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/sku.name",
+ "equals": "Basic"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
From b98434874280c1fc55874933a49789555dea24bf Mon Sep 17 00:00:00 2001
From: Thomas Defise
Date: Mon, 13 May 2024 13:13:28 +0200
Subject: [PATCH 3/4] Fix PR
---
Scripts/policy.json | 49 ++++++++++++++++
.../azurepolicy.json | 56 -------------------
.../azurepolicy.parameters.json | 14 -----
.../azurepolicy.rules.json | 29 ----------
4 files changed, 49 insertions(+), 99 deletions(-)
create mode 100644 Scripts/policy.json
delete mode 100644 policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json
delete mode 100644 policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json
delete mode 100644 policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json
diff --git a/Scripts/policy.json b/Scripts/policy.json
new file mode 100644
index 00000000..420b3082
--- /dev/null
+++ b/Scripts/policy.json
@@ -0,0 +1,49 @@
+{
+ "name": "8fefe846-bf48-4882-a717-a451275655ef",
+ "properties": {
+ "displayName": "Azure Redis Cache should supports 'Standard replication'",
+ "mode": "Indexed",
+ "description": "Use 'Standard replication' in order to have an a high availability architecture that ensures your managed instance is functioning, even when outages affect the underlying virtual machines (VMs)",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache"
+ }
+ ,
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/Redis"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/sku.family",
+ "equals": "C"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/sku.name",
+ "equals": "Basic"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json
deleted file mode 100644
index c0d0571d..00000000
--- a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.json
+++ /dev/null
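Review bot: This copy of the Redis definition disagrees with the one under `policyDefinitions/Cache` while reusing the same `name` GUID `8fefe846-...`: it drops the `"type": "Microsoft.Authorization/policyDefinitions"` field, defaults `effect` to `Deny` instead of `Audit`, leaves a comma on a line of its own after the `metadata` block, and ends without a trailing newline. Two definitions with one GUID and different default effects is a trap for whoever deploys from `Scripts/` rather than `policyDefinitions/`, because the `Deny` default blocks creation of Basic-tier caches as soon as the policy is assigned, where the canonical file only audits. The next commit in this series deletes the file again, so squashing the two keeps the stray copy out of history altogether.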
@@ -1,56 +0,0 @@
-{
- "name": "638423c3-17df-40bc-bf81-9bfa3f5cc0a7",
- "type": "Microsoft.Authorization/policyDefinitions",
- "properties": {
- "displayName": "App Service apps should use the latest TLS version for SCM connections",
- "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
- "metadata": {
- "version": "1.0.0",
- "category": "App Service"
- },
- "mode": "All",
- "parameters": {
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "AuditIfNotExists or Disabled the execution of the Policy"
- },
- "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
- ],
- "defaultValue": "AuditIfNotExists"
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Web/sites"
- },
- {
- "field": "kind",
- "notContains": "functionapp"
- },
- {
- "field": "kind",
- "notContains": "workflowapp"
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]",
- "details": {
- "type": "Microsoft.Web/sites/config",
- "name": "web",
- "existenceCondition": {
- "field": "Microsoft.Web/sites/config/scmMinTlsVersion",
- "equals": "1.2"
- }
- }
- }
- }
- }
-}
diff --git a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json
deleted file mode 100644
index fb8acc98..00000000
--- a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.parameters.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "AuditIfNotExists or Disabled the execution of the Policy"
- },
- "allowedValues": [
- "AuditIfNotExists",
- "Disabled"
- ],
- "defaultValue": "AuditIfNotExists"
- }
-}
diff --git a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json b/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json
deleted file mode 100644
index 1e5c4f4f..00000000
--- a/policyDefinitions/App Service/app-service-apps-should-use-the-latest-tls-version-for-scm-connections/azurepolicy.rules.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Web/sites"
- },
- {
- "field": "kind",
- "notContains": "functionapp"
- },
- {
- "field": "kind",
- "notContains": "workflowapp"
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]",
- "details": {
- "type": "Microsoft.Web/sites/config",
- "name": "web",
- "existenceCondition": {
- "field": "Microsoft.Web/sites/config/scmMinTlsVersion",
- "equals": "1.2"
- }
- }
- }
-}
From 946d1d038b255262ea5293fe9b3ec7631efd2ad7 Mon Sep 17 00:00:00 2001
From: Thomas Defise <36169753+tdefise@users.noreply.github.com>
Date: Mon, 13 May 2024 13:14:16 +0200
Subject: [PATCH 4/4] Delete Scripts/policy.json
---
Scripts/policy.json | 49 ---------------------------------------------
1 file changed, 49 deletions(-)
delete mode 100644 Scripts/policy.json
diff --git a/Scripts/policy.json b/Scripts/policy.json
deleted file mode 100644
index 420b3082..00000000
--- a/Scripts/policy.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "name": "8fefe846-bf48-4882-a717-a451275655ef",
- "properties": {
- "displayName": "Azure Redis Cache should supports 'Standard replication'",
- "mode": "Indexed",
- "description": "Use 'Standard replication' in order to have an a high availability architecture that ensures your managed instance is functioning, even when outages affect the underlying virtual machines (VMs)",
- "metadata": {
- "version": "1.0.0",
- "category": "Cache"
- }
- ,
- "parameters": {
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- },
- "allowedValues": [
- "Audit",
- "Deny",
- "Disabled"
- ],
- "defaultValue": "Deny"
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.Cache/Redis"
- },
- {
- "field": "Microsoft.Cache/Redis/sku.family",
- "equals": "C"
- },
- {
- "field": "Microsoft.Cache/Redis/sku.name",
- "equals": "Basic"
- }
- ]
- },
- "then": {
- "effect": "[parameters('effect')]"
- }
- }
- }
-}
\ No newline at end of file