Comments (10)
I do not have a great test bed. Can you try/test the following in your environment:
{
  "name": "1b8dc472-9716-414a-9328-9f34f4e00d67",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Enable soft-delete and purge protection on Key Vaults",
    "description": "This Policy will enable soft-delete and purge protection on all Key Vaults.",
    "metadata": {
      "category": "Key Vault",
      "version": "1.0.0"
    },
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Modify, Deny, Audit, or Disabled"
        },
        "allowedValues": [
          "Modify",
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "enablePurgeProtection",
                "equals": "false"
              },
              {
                "field": "enableSoftDelete",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "enableSoftDelete",
              "value": "true"
            },
            {
              "operation": "addOrReplace",
              "field": "enablePurgeProtection",
              "value": "true"
            }
          ]
        }
      }
    }
  }
}
from community-policy.
PS: I gave it a new GUID to prevent conflicts.
Unfortunately it does not work.
For the above definition, the fields enablePurgeProtection or enableSoftDelete do not exist.
If I replace it with Microsoft.KeyVault/vaults/enablePurgeProtection then it says:
The policy definition '""' has operations that modify aliases with values that are not supported: 'Microsoft.KeyVault/vaults/enableSoftDelete' does not support values of type: 'String'. Only 'Boolean' values are supported,'Microsoft.KeyVault/vaults/enablePurgeProtection' does not support values of type: 'String'. Only 'Boolean' values are supported.
Also, do you think that DeployIfNotExists will not show the compliance status for remediated resources and newly created resources?
Try removing the "" around the true values in the "addRemove" section. It is likely that the quotes are good in the if section (don't ask :-))
On your second question: yes, they do show as compliant if remediated (either new resource DINEd, or remediation task run)
Hi,
I tried this one and it worked for me.
"then": {
  "effect": "modify",
  "details": {
    "roleDefinitionIds": [
      "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
    ],
    "operations": [
      {
        "operation": "addOrReplace",
        "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
        "value": true
      },
      {
        "operation": "addOrReplace",
        "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
        "value": true
      }
    ]
  }
}
Great. I'll fix this and commit it
To confirm. Is this what you are using?
{
  "name": "1b8dc472-9716-414a-9328-9f34f4e00d67",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Enable soft-delete and purge protection on Key Vaults",
    "description": "This Policy will enable soft-delete and purge protection on all Key Vaults.",
    "metadata": {
      "category": "Key Vault",
      "version": "2.0.0"
    },
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Modify, Deny, Audit, or Disabled"
        },
        "allowedValues": [
          "Modify",
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
              "value": true
            },
            {
              "operation": "addOrReplace",
              "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
              "value": true
            }
          ]
        }
      }
    }
  }
}
@techlake yes, that is the one. Just tested the purge protection, because I didn't have any KV with enableSoftDelete set to false.
Did it work?
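The thread above hit three separate defects before the Modify policy deployed: a defaultValue ("DeployIfNotExists") that is not in the parameter's allowedValues, bare property names ("enableSoftDelete") where Azure Policy needs the full alias ("Microsoft.KeyVault/vaults/enableSoftDelete"), and the string "true" where the alias only accepts a JSON boolean. Azure reports each of these one at a time, on submission. The following is an added example, not code from the community-policy repository or from any commenter: an offline lint that catches all three before the definition is pushed. The BOOLEAN_ALIASES set and the sample definitions are constructed for the example; the real alias types come from the resource provider's alias metadata, which this script does not query.

```python
"""Offline lint for an Azure Policy definition that uses the Modify effect.

Added example, not project code. Checks, before submission to Azure:
  1. every parameter defaultValue is one of its allowedValues,
  2. every 'field' in the if-conditions and Modify operations is a full
     alias (Namespace.Provider/type/property), not a bare property name,
  3. Modify operations on known boolean aliases carry a JSON boolean,
     not the string "true".
"""
import re

# Assumption for this example: aliases Azure Policy only accepts as booleans.
BOOLEAN_ALIASES = {
    "Microsoft.KeyVault/vaults/enableSoftDelete",
    "Microsoft.KeyVault/vaults/enablePurgeProtection",
}

# Full alias shape: <Namespace>.<Provider>/<type>/<property>[/...].
ALIAS_RE = re.compile(r"^[A-Za-z0-9]+\.[A-Za-z0-9]+/[A-Za-z0-9]+(/[A-Za-z0-9.\[\]*]+)+$")
# Fields Azure Policy exposes without an alias; tags['x'] is also allowed.
BUILTIN_FIELDS = {"name", "fullName", "kind", "type", "location", "id", "identity.type"}


def _walk_fields(node):
    """Yield every 'field' value found anywhere in a condition tree."""
    if isinstance(node, dict):
        if "field" in node:
            yield node["field"]
        for value in node.values():
            yield from _walk_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_fields(item)


def _is_valid_field(field):
    return field in BUILTIN_FIELDS or field.startswith("tags") or bool(ALIAS_RE.match(field))


def lint_policy(definition):
    """Return a list of problem strings; an empty list means the definition is clean."""
    problems = []
    props = definition["properties"]
    for pname, pdef in props.get("parameters", {}).items():
        allowed, default = pdef.get("allowedValues"), pdef.get("defaultValue")
        if allowed is not None and default is not None and default not in allowed:
            problems.append(f"parameter '{pname}': defaultValue {default!r} not in allowedValues {allowed}")
    rule = props["policyRule"]
    for field in _walk_fields(rule["if"]):
        if not _is_valid_field(field):
            problems.append(f"if-condition field '{field}' is not a full alias")
    for op in rule["then"].get("details", {}).get("operations", []):
        field, value = op.get("field", ""), op.get("value")
        if not ALIAS_RE.match(field):
            problems.append(f"operation field '{field}' is not a full alias")
        elif field in BOOLEAN_ALIASES and not isinstance(value, bool):
            problems.append(f"operation on '{field}' must use a JSON boolean, got {value!r}")
    return problems


def sample_definition(version):
    """Constructed samples mirroring the thread: 1 = first posted version,
    2 = aliases fixed but values still strings, 3 = the corrected version."""
    prefix = "" if version == 1 else "Microsoft.KeyVault/vaults/"
    value = True if version == 3 else "true"
    default = "DeployIfNotExists" if version == 1 else "Modify"
    role = "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
    return {
        "name": "1b8dc472-9716-414a-9328-9f34f4e00d67",
        "type": "Microsoft.Authorization/policyDefinitions",
        "properties": {
            "mode": "All",
            "parameters": {"effect": {"type": "String",
                                      "allowedValues": ["Modify", "Deny", "Audit", "Disabled"],
                                      "defaultValue": default}},
            "policyRule": {
                "if": {"allOf": [
                    {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
                    {"anyOf": [
                        {"field": prefix + "enableSoftDelete", "exists": "false"},
                        {"field": prefix + "enablePurgeProtection", "equals": "false"},
                    ]},
                ]},
                "then": {"effect": "[parameters('effect')]", "details": {
                    "roleDefinitionIds": [role],
                    "operations": [
                        {"operation": "addOrReplace", "field": prefix + "enableSoftDelete", "value": value},
                        {"operation": "addOrReplace", "field": prefix + "enablePurgeProtection", "value": value},
                    ]}},
            },
        },
    }


if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"version {v}: {lint_policy(sample_definition(v)) or 'clean'}")
```

Run it before `New-AzPolicyDefinition` / `az policy definition create`: version 1 reports five problems (the defaultValue plus four bare field names), version 2 reports only the two string-valued booleans, and version 3 is clean, which matches the order in which Azure surfaced the errors in this thread. Extend BOOLEAN_ALIASES from the provider's alias metadata for other resource types.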