Comments (10)

techlake avatar techlake commented on June 12, 2024

I do not have a great test bed. Can you try/test the following in your environment:

{
  "name": "1b8dc472-9716-414a-9328-9f34f4e00d67",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Enable soft-delete and purge protection on Key Vaults",
    "description": "This Policy will enable soft-delete and purge protection on all Key Vaults.",
    "metadata": {
      "category": "Key Vault",
      "version": "1.0.0"
    },
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Modify, Deny, Audit, or Disabled"
        },
        "allowedValues": [
          "Modify",
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "enablePurgeProtection",
                "equals": "false"
              },
              {
                "field": "enableSoftDelete",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "enableSoftDelete",
              "value": "true"
            },
            {
              "operation": "addOrReplace",
              "field": "enablePurgeProtection",
              "value": "true"
            }
          ]
        }
      }
    }
  }
}

from community-policy.

techlake avatar techlake commented on June 12, 2024

PS: I gave it a new GUID to prevent conflicts.

TusharNagar211 avatar TusharNagar211 commented on June 12, 2024

Unfortunately it does not work.
For the above definition, the fields enablePurgeProtection or enableSoftDelete do not exist.
If I replace it with Microsoft.KeyVault/vaults/enablePurgeProtection then it says:
The policy definition '""' has operations that modify aliases with values that are not supported: 'Microsoft.KeyVault/vaults/enableSoftDelete' does not support values of type: 'String'. Only 'Boolean' values are supported,'Microsoft.KeyVault/vaults/enablePurgeProtection' does not support values of type: 'String'. Only 'Boolean' values are supported.

TusharNagar211 avatar TusharNagar211 commented on June 12, 2024

Also, do you think that DeployIfNotExists will not show the compliance status for resources remediated and the resources newly created?

techlake avatar techlake commented on June 12, 2024

Try removing the "" around the true values in the "addRemove" section. It is likely that the quotes are good in the if section (don't ask :-))

On your second question: yes, they do show as compliant if remediated (either new resource DINEd, or remediation task run)

getazcloud avatar getazcloud commented on June 12, 2024

Hi,
I tried this one and it worked for me.

            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
                    ],
                    "operations": [
                        {
                            "operation": "addOrReplace",
                            "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                            "value": true
                        },
                        {
                            "operation": "addOrReplace",
                            "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                            "value": true
                        }
                    ]
                }
            }
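A lint for the import-time problems worked out in this thread: Modify operations must name the full Microsoft.KeyVault/vaults/... alias, those two aliases take a JSON boolean rather than the string "true", and the first draft's defaultValue ("DeployIfNotExists") was not one of its own allowedValues. This is an added example, not code from the community-policy repository; the two definitions are abbreviated, constructed copies of the ones posted above, and the list of boolean-only aliases is an assumption limited to the two properties the error message names.

```python
import json

# Constructed, abbreviated copies of the two definitions posted in the thread:
# the first attempt (bare property names, quoted "true", a defaultValue that is
# not an allowed value) and the version that imported successfully.
BROKEN = json.loads('''{"properties": {
  "parameters": {"effect": {"type": "String",
    "allowedValues": ["Modify", "Deny", "Audit", "Disabled"],
    "defaultValue": "DeployIfNotExists"}},
  "policyRule": {"then": {"effect": "[parameters('effect')]", "details": {
    "operations": [
      {"operation": "addOrReplace", "field": "enableSoftDelete", "value": "true"},
      {"operation": "addOrReplace", "field": "enablePurgeProtection", "value": "true"}
    ]}}}}}''')
FIXED = json.loads('''{"properties": {
  "parameters": {"effect": {"type": "String",
    "allowedValues": ["Modify", "Deny", "Audit", "Disabled"], "defaultValue": "Modify"}},
  "policyRule": {"then": {"effect": "[parameters('effect')]", "details": {
    "operations": [
      {"operation": "addOrReplace", "field": "Microsoft.KeyVault/vaults/enableSoftDelete", "value": true},
      {"operation": "addOrReplace", "field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "value": true}
    ]}}}}}''')

RESOURCE_TYPE = "Microsoft.KeyVault/vaults"
# Assumption: only the two aliases the thread's error message names are checked for type.
BOOLEAN_ALIASES = {f"{RESOURCE_TYPE}/enableSoftDelete", f"{RESOURCE_TYPE}/enablePurgeProtection"}

def lint_modify_policy(definition, resource_type=RESOURCE_TYPE):
    """Return the problems the thread ran into as strings; an empty list means clean."""
    problems = []
    props = definition["properties"]
    # A parameter default outside allowedValues is rejected on import.
    for name, param in props.get("parameters", {}).items():
        allowed, default = param.get("allowedValues"), param.get("defaultValue")
        if allowed is not None and default is not None and default not in allowed:
            problems.append(f"parameter '{name}': defaultValue '{default}' is not in allowedValues")
    details = props["policyRule"]["then"].get("details", {})
    for op in details.get("operations", []):
        field = op.get("field", "")
        # Modify operations address properties through the provider alias, not the bare name.
        alias = field if "/" in field else f"{resource_type}/{field}"
        if alias != field:
            problems.append(f"operation on '{field}': Modify needs the full alias '{alias}'")
        # These aliases accept only Boolean values; a quoted "true" is a String.
        if alias in BOOLEAN_ALIASES and not isinstance(op.get("value"), bool):
            problems.append(f"operation on '{alias}': value must be a JSON boolean, got {json.dumps(op.get('value'))}")
    return problems

if __name__ == "__main__":
    for label, d in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_modify_policy(d) or "ok")
```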

techlake avatar techlake commented on June 12, 2024

Great. I'll fix this and commit it.

techlake avatar techlake commented on June 12, 2024

To confirm. Is this what you are using?

{
  "name": "1b8dc472-9716-414a-9328-9f34f4e00d67",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Enable soft-delete and purge protection on Key Vaults",
    "description": "This Policy will enable soft-delete and purge protection on all Key Vaults.",
    "metadata": {
      "category": "Key Vault",
      "version": "2.0.0"
    },
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Modify, Deny, Audit, or Disabled"
        },
        "allowedValues": [
          "Modify",
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
              "value": true
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
              "value": true
            }
          ]
        }
      }
    }
  }
}

getazcloud avatar getazcloud commented on June 12, 2024

@techlake yes, that is the one. Just tested the purge protection, because I didn't have any KV with enableSoftDelete set to false.

techlake avatar techlake commented on June 12, 2024

Did it work?