Merge branch 'policy-refresh-q1fy24' of https://github.com/Azure/Enterprise-Scale into MDFCStorageUpdate
Springstone committed Aug 17, 2023
2 parents d7aff49 + f8b35de commit a6cb9f1
Showing 9 changed files with 66 additions and 17 deletions.
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -13,3 +13,5 @@

# GitHub Super Linter
super-linter.log

src/data/eslzArm.test.deployment.json
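Review bot: the new entry src/data/eslzArm.test.deployment.json carries no comment saying what produces it, unlike the Super Linter entry above it; add a one-line comment naming the script or test run that writes the file, so a contributor who finds it locally knows it is a generated artifact (and, if it embeds real subscription or tenant values, why it must not be committed) rather than a tracked fixture that went missing.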
19 changes: 18 additions & 1 deletion docs/wiki/Whats-new.md
@@ -50,13 +50,25 @@ Major update in this release: introducing the Policy Testing Framework foundatio

#### Policy

- Updating custom policies using over permissive roles (Owner) to use resource scoped roles (e.g., Storage Account Contributor, Azure SQL Contributor, etc.):
- Deploy-Storage-sslEnforcement
- Deploy-SqlMi-minTLS
- Added evaluationDelay as provisioning takes around 4 hours and policy remediation fails on create due to time outs (as it normally triggers after 10 minutes).
- Deploy-SQL-minTLS
- Deploy-MySQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available)
- Deploy-PostgreSQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available)

### July 2023

#### Policy

- Added additional initiative assignment for [Enforce-Guardrails-KeyVault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html) to the Platform Management Group to improve security coverage. Initially this assignment was only applied to the Landing Zone Management Group.
- Update Portal RI to include the new assignment option for the Key Vault initiative under Platform Management.
- Added new custom policy to audit Virtual Machines not using Azure Hybrid Benefit (Audit-AzureHybridBenefit)
- Fixing bug in [Deploy-Sql-vulnerabilityAssessments](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) to achieve compliance if successfully remediated. NOTE: Due to the need to change parameters, this is a breaking change. The original policy will remain in place but will be deprecated and a new policy will be deployed for the fix [Deploy-Sql-vulnerabilityAssessments_20230706](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) - please update assignments accordingly - many thanks @Matt-FFFFFF.
- Bug fix for [Management port access from the Internet should be blocked](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html) not enforcing deny effect when a deployment includes rules defined in network security group properties (i.e., when specifying rules when creating the NSG) - many thanks to @DavidRobson.
- Policy Testing Framework implemented for custom ALZ DENY policies (See Tooling section below).
- QoL updates: adding supersededBy metadata and adding links in the description to deprecated custom policies to point to the superseding policy - aligned with ALZ specific feature updates in [AzAdvertizer](https://www.azadvertizer.net/).
- Policy Testing Framework implemented for custom ALZ DENY policies (See Tooling section below).

#### Tooling

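Review bot: the bullet "Policy Testing Framework implemented for custom ALZ DENY policies (See Tooling section below)." now appears twice under July 2023 / Policy, once before and once after the QoL bullet; this looks like a merge artifact, so keep a single copy. Two smaller points in the new August block: "Azure SQL Contributor" is not the name of a built-in role, while the definitions touched in this commit use SQL Server Contributor and SQL Managed Instance Contributor, so list the roles as actually assigned; and the commit also adds an OssDb-Owners custom role definition covering Microsoft.DBforMySQL, Microsoft.DBforPostgreSQL and Microsoft.DBforMariaDB that the changelog never mentions, even though the two OSS database bullets say "no built in roles currently available", so state whether Deploy-MySQL-sslEnforcement and Deploy-PostgreSQL-sslEnforcement are meant to move from Contributor to that role.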
@@ -69,6 +81,11 @@ Major update in this release: introducing the Policy Testing Framework foundatio
- Updated contribution guide to include a new section to describe how to implement tooltips when adding new policies with default assignments that require updates to the portal reference implementation.
- Adding text to the ALZ-Policies wiki page to clarify that we do use preview policies as part of initiatives in some default assignments.

#### Docs

- Updated contribution guide to include a new section to describe how to implement tooltips when adding new policies with default assignments that require updates to the portal reference implementation.
- Adding text to the ALZ-Policies wiki page to clarify that we do use preview policies as part of initiatives in some default assignments.

### June 2023

#### Policy
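Review bot: the bullets "Updated contribution guide ..." and "Adding text to the ALZ-Policies wiki page ..." now appear both at the tail of the Tooling section (unchanged context) and again in the new Docs section, so the merge left them duplicated; drop the copies under Tooling so each item is listed once, under Docs.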
12 changes: 6 additions & 6 deletions eslzArm/managementGroupTemplates/policyDefinitions/policies.json

Large diffs are not rendered by default.

@@ -9,7 +9,7 @@
"displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@@ -84,7 +84,7 @@
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
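Review bot: b24988ac-6180-42a0-ab88-20f7382dd24c is the built-in Contributor role, so the remediation identity can still write every resource type in the assignment scope, not only Microsoft.DBforMySQL; the gain over Owner is mainly that it can no longer create role assignments. Since this same commit adds an OssDb-Owners custom role limited to Microsoft.DBforMySQL/*, Microsoft.DBforPostgreSQL/* and Microsoft.DBforMariaDB/* (plus deployment and read actions), either reference that definition's ID here, with the role deployed before the policy assignment is created, or document why Contributor is kept for now.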
@@ -9,7 +9,7 @@
"displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@@ -85,7 +85,7 @@
},
"name": "current",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
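Review bot: same point as for the MySQL definition: b24988ac-6180-42a0-ab88-20f7382dd24c is the built-in Contributor role, which grants the remediation identity write access to every resource type in scope rather than only Microsoft.DBforPostgreSQL, and the OssDb-Owners custom role added in this commit is the narrower candidate; whichever is chosen should be the same for both OSS database policies. Nit, while the version is being bumped anyway: the displayName in the first hunk ends with a trailing space before the closing quote.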
@@ -9,7 +9,7 @@
"displayName": "SQL servers deploys a specific min TLS version requirement.",
"description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@@ -72,7 +72,7 @@
},
"name": "current",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437"
],
"deployment": {
"properties": {
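Review bot: 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 is the built-in SQL Server Contributor role, which is the right scope for a deployment against Microsoft.Sql/servers; since policy JSON carries no comments, record the human-readable role name per policy in the Whats-new entry so the five different GUIDs introduced in this commit can be reviewed without a lookup. Separately, the displayName says the policy deploys a minimum TLS version while the description (unchanged context) also claims to "enforce SSL on SQL servers" and reads "Enables secure server to client by enforce minimal Tls Version"; with the version already bumped to 1.1.0, align the description with what the deployment actually sets and fix the grammar.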
@@ -9,7 +9,7 @@
"displayName": "SQL managed instances deploy a specific min TLS version requirement.",
"description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.0.0",
"version": "1.2.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@@ -62,6 +62,7 @@
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Sql/managedInstances",
"evaluationDelay": "AfterProvisioningSuccess",
"existenceCondition": {
"allOf": [
{
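Review bot: "evaluationDelay": "AfterProvisioningSuccess" makes the deployIfNotExists existence check wait until the managed instance deployment reports success instead of firing after the default 10 minutes, which addresses the timeout described in the changelog; note that the delay only applies to evaluations triggered by a create or update request, so an instance whose creation fails or is abandoned is not remediated through this path and is only picked up by the next compliance scan or a remediation task. Also, the version in the first hunk jumps from 1.0.0 to 1.2.0 while the sibling SQL definitions go to 1.1.0; if the double increment reflects the two changes in this file (evaluationDelay plus the role swap), say so in the changelog, otherwise use 1.1.0 for consistency.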
@@ -72,7 +73,7 @@
},
"name": "current",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d"
],
"deployment": {
"properties": {
@@ -9,7 +9,7 @@
"displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "Storage",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@@ -84,7 +84,7 @@
},
"name": "current",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"deployment": {
"properties": {
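Review bot: 17d1049b-9a84-46fb-8f53-869881c3d3ab is Storage Account Contributor, whose actions include Microsoft.Storage/storageAccounts/* and therefore listKeys/action and regenerateKey/action, so the remediation identity can read and rotate the account keys of every storage account in scope, far more than raising a TLS floor needs. If the deployment only updates storage account properties, a custom role with Microsoft.Storage/storageAccounts/read, Microsoft.Storage/storageAccounts/write and Microsoft.Resources/deployments/* is the least-privilege option, in the same way the OssDb-Owners custom role added in this commit narrows the OSS database policies.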
@@ -0,0 +1,29 @@
{
"name": "6fca939a-1b08-420b-affd-3d3061ecceb2",
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"properties": {
"roleName": "OssDb-Owners",
"description": "Platform-wide Open Source Database Owners: PostgreSQL, MySql",
"type": "customRole",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.DBforMySQL/*",
"Microsoft.DBforPostgreSQL/*",
"Microsoft.DBforMariaDB/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"assignableScopes": [
"/providers/Microsoft.Management/managementGroups/contoso"
]
}
}
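Review bot: assignableScopes is hardcoded to /providers/Microsoft.Management/managementGroups/contoso, so this definition only deploys into a tenant whose management group is literally named contoso; the scope has to come from a parameter, or the file must be documented as a sample to edit, before it can be used anywhere else. Two more points: roleName and description mention PostgreSQL and MySQL, but the actions also grant Microsoft.DBforMariaDB/*, so either drop MariaDB or name it; and nothing in this commit references the definition (the MySQL and PostgreSQL policies above were switched to Contributor instead), so say where it is deployed and which policies are expected to consume it. The fixed GUID in "name" is fine, since it keeps the definition idempotent across redeployments.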
