This commit is contained in:
Marvin Buss 2020-12-11 09:42:54 +01:00
Родитель a762779168
Коммит acb1cc8c90
15 изменённых файлов: 906 добавлений и 0 удалений


@ -0,0 +1,111 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Append-Storage-Encryption"
},
"policyDescription": {
"value": "Enforce encryption for storage accounts."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"anyOf": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
"notEquals": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.file.keyType",
"notEquals": "Account"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
"notEquals": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.blob.keyType",
"notEquals": "Account"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.table.enabled",
"notEquals": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
"notEquals": "Service"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.queue.enabled",
"notEquals": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
"notEquals": "Service"
}
]
}
]
},
"then": {
"effect": "Append",
"details": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
"value": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.file.keyType",
"value": "Account"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
"value": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.blob.keyType",
"value": "Account"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.table.enabled",
"value": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
"value": "Service"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.queue.enabled",
"value": true
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
"value": "Service"
}
]
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
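Review bot: The appended key types are asymmetric — `encryption.services.file.keyType` and `blob.keyType` are forced to `"Account"` while `table.keyType` and `queue.keyType` are forced to `"Service"` — and nothing in the file says why, so a reader cannot tell whether account-scoped keys for table and queue were rejected deliberately. The description should state what is actually enforced, e.g. `"value": "Enforce service encryption with account-scoped keys for blob and file and service-scoped keys for table and queue."`. Because Append denies a request that already carries a different value for one of these fields, this definition behaves as a Deny for callers that explicitly select another key type, which the description should also mention. The `encryption.services.*.enabled` conditions look redundant if the platform keeps service encryption on, but that is a platform behaviour not visible here — confirm before removing them.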


@ -0,0 +1,51 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Append-Storage-InfrastructureEncryption"
},
"policyDescription": {
"value": "Enforce infrastructure (double) encryption for storage accounts."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.requireInfrastructureEncryption",
"notEquals": true
}
]
},
"then": {
"effect": "Append",
"details": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.requireInfrastructureEncryption",
"value": true
}
]
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
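Review bot: `encryption.requireInfrastructureEncryption` is, as far as I know, settable only when the account is created, yet this Append runs in mode `All` with no restriction to create requests; a PUT that updates an existing account created without it would presumably get the field appended and then be rejected by the resource provider, which turns the policy into a hard block on updating older accounts — confirm this is intended. If it is not, the description should at least say the policy is meant for new accounts, e.g. `"value": "Enforce infrastructure (double) encryption for new storage accounts."`.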


@ -0,0 +1,51 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Append-Storage-InfrastructureEncryption"
},
"policyDescription": {
"value": "Enforce infrastructure (double) encryption for storage accounts."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "kind",
"notEquals": "StorageV2"
}
]
},
"then": {
"effect": "Append",
"details": [
{
"field": "kind",
"value": "StorageV2"
}
]
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
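Review bot: `policyName` and `policyDescription` are copied from the infrastructure-encryption file — this definition actually appends `"kind": "StorageV2"` — so two files in this commit declare the same policy name and one will presumably overwrite the other when both are deployed. Rename and re-describe this one, e.g. `"value": "Append-Storage-Kind"` and `"value": "Enforce StorageV2 kind for storage accounts."`. Note also that Append denies a request whose `kind` already differs, so accounts that legitimately need another kind (premium file or block-blob accounts, if those are in scope) could no longer be created; if that is the intent, say so in the description.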


@ -0,0 +1,49 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deny-Storage-ContainerDeleteRetentionPolicy"
},
"policyDescription": {
"value": "Enforce container delete retention policies lower than seven days for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts/blobServices"
},
{
"field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
"notEquals": true
},
{
"field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.days",
"less": 7
}
]
},
"then": {
"effect": "Deny"
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
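Review bot: The `if` block joins the two retention checks with `allOf`, so the Deny only fires when retention is disabled AND `days` is below 7 at the same time; a request that simply disables retention (no `days`) or one that keeps it enabled with 3 days both pass, which is the opposite of what the name promises. Change the inner combinator to `"anyOf": [` so either condition denies (the `less` comparison on an absent `days` field likely does not match on its own, so disabling without `days` still needs the first branch). Separately, the aliases used are `deleteRetentionPolicy` (blob soft delete) while the policy is named `ContainerDeleteRetentionPolicy`, and the description reads inverted; a description such as `"value": "Deny blob services with delete retention disabled or retained for fewer than seven days."` and a name that matches the alias would remove the ambiguity.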


@ -0,0 +1,47 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deny-Storage-CorsRules"
},
"policyDescription": {
"value": "Deny cors rules for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts/blobServices"
},
{
"count": {
"field": "Microsoft.Storage/storageAccounts/blobServices/default.cors.corsRules[*]"
},
"greater": 0
}
]
},
"then": {
"effect": "Deny"
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
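Review bot: The `count` alias `Microsoft.Storage/storageAccounts/blobServices/default.cors.corsRules[*]` carries a `default.` path segment that the other `blobServices` aliases in this commit do not; if the alias is not published by the provider the count evaluates to nothing and the Deny never fires, so verify it against the provider's alias list before relying on it. The policy also covers only blob services while file, queue and table services each have their own CORS settings, so the description should make the scope explicit, e.g. `"value": "Deny CORS rules on blob services of storage accounts."`.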


@ -0,0 +1,47 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deny-Storage-NetworkAclsIpRules"
},
"policyDescription": {
"value": "Enforces network ip rules for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"count": {
"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"
},
"greater": 0
}
]
},
"then": {
"effect": "Deny"
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
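Review bot: The description says the policy "Enforces network ip rules", but the effect is `Deny` on any account whose `networkAcls.ipRules[*]` count is greater than 0, i.e. it forbids IP rules. Use the wording of the sibling virtual-network-rules file so the two read consistently: `"value": "Denies network IP rules for storage account."`.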


@ -0,0 +1,47 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deny-Storage-NetworkAclsVirtualNetworkRules"
},
"policyDescription": {
"value": "Denies virtual network rules for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"count": {
"field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]"
},
"greater": 0
}
]
},
"then": {
"effect": "Deny"
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
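Review bot: Taken together with the IP-rule deny and the `networkAcls.defaultAction`/`networkAcls.bypass` modify policies added in this commit, denying every virtual-network rule leaves private endpoints as the only remaining network path to the account, and nothing in the files records that access model. Stating it in the description avoids surprises for whoever assigns the policy, e.g. `"value": "Denies virtual network rules for storage account; network access is expected via private endpoints only."` — adjust if a different access path is intended.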


@ -0,0 +1,53 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deny-Storage-RoutingPreference"
},
"policyDescription": {
"value": "Enforce infrastructure (double) encryption for storage accounts."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"anyOf": [
{
"field": "Microsoft.Storage/storageAccounts/routingPreference.routingChoice",
"equals": "InternetRouting"
},
{
"field": "Microsoft.Storage/storageAccounts/routingPreference.publishInternetEndpoints",
"equals": true
}
]
}
]
},
"then": {
"effect": "Deny"
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
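Review bot: `policyDescription` is copied from the infrastructure-encryption file and does not describe this definition, which denies `routingPreference.routingChoice` of `InternetRouting` and `routingPreference.publishInternetEndpoints` set to `true`. Replace it with `"value": "Deny internet routing preference and published internet endpoints for storage account."`.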


@ -0,0 +1,52 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deny-Storage-Sku"
},
"policyDescription": {
"value": "Enforces storage account SKUs."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/sku.name",
"notIn": [
"Standard_GRS",
"Standard_RAGRS",
"Standard_ZRS",
"Premium_ZRS",
"Standard_GZRS",
"Standard_RAGZRS"
]
}
]
},
"then": {
"effect": "Deny"
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
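Review bot: The allowed SKU list is hard-coded in the `notIn` array while `policyParameters` is left as `{}`, so every environment that needs a different redundancy set must fork the file; assuming the deployment template forwards `policyParameters` into the definition's `parameters`, an `Array` parameter with the current list as default keeps today's behaviour and makes the list assignable. The description should also name what is enforced, e.g. `"value": "Deny storage account SKUs that are not in the allowed list (defaults to geo- and zone-redundant SKUs)."`. Sketch of the parameterised form (the `if` type check and `then` block are unchanged):
```json
"policyParameters": {
  "value": {
    "allowedSkus": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed SKUs",
        "description": "Storage account SKU names that may be deployed."
      },
      "defaultValue": [
        "Standard_GRS",
        "Standard_RAGRS",
        "Standard_ZRS",
        "Premium_ZRS",
        "Standard_GZRS",
        "Standard_RAGZRS"
      ]
    }
  }
},
// … unchanged: policyDefinition.if type condition …
{
  "field": "Microsoft.Storage/storageAccounts/sku.name",
  "notIn": "[parameters('allowedSkus')]"
}
```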


@ -0,0 +1,103 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Deploy-Storage-BlobServices"
},
"policyDescription": {
"value": "Deploy blob services default settings for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts/blobServices",
"name": "default",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
"equals": "true"
},
{
"field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.days",
"equals": 7
},
{
"count": {
"field": "Microsoft.Storage/storageAccounts/blobServices/default.cors.corsRules[*]"
},
"equals": 0
}
]
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2020-08-01-preview",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"properties": {
"containerDeleteRetentionPolicy": {
"enabled": true,
"days": 7
},
"cors": {
"corsRules": []
}
}
}
],
"outputs": {}
},
"parameters": {
"storageAccountName": {
"value": "[field('name')]"
}
}
}
}
}
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
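Review bot: The `existenceCondition` checks `blobServices/deleteRetentionPolicy.enabled` and `.days`, but the embedded template only sets `containerDeleteRetentionPolicy`, so a successful remediation never satisfies the condition and the account stays non-compliant (or is re-remediated) indefinitely; either also deploy `"deleteRetentionPolicy": { "enabled": true, "days": 7 }` in the template or switch the condition to the `containerDeleteRetentionPolicy.enabled` / `.days` aliases, whichever matches the intent. `roleDefinitionIds` grants `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor) to the remediation identity, which is far broader than writing blob-service settings; the Modify policies in this same commit use `17d1049b-9a84-46fb-8f53-869881c3d3ab` (Storage Account Contributor), which is sufficient here and should be used for least privilege. Two smaller points: `"equals": "true"` compares against a string where the sibling files compare booleans, and the template pins a preview `apiVersion` (`2020-08-01-preview`) for a remediation that will run unattended — confirm a GA version is not available.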


@ -0,0 +1,59 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Modify-Storage-AllowBlobPublicAccess"
},
"policyDescription": {
"value": "Enforces no public access to all blobs or containers in the storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
"notEquals": false
}
]
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"conflictEffect": "Deny",
"operations": [
{
"condition": "[greaterOrEquals(requestContext().apiVersion, '2019-04-01')]",
"operation": "addOrReplace",
"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
"value": false
}
]
}
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
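Review bot: `roleDefinitionIds` is written as `/providers/microsoft.authorization/roleDefinitions/...` here and in the other four Modify files, while the deployIfNotExists file in this commit uses `/providers/Microsoft.Authorization/...`; the resource-id comparison is presumably case-insensitive, but one casing across the set avoids noisy diffs and questions later. The `notEquals: false` condition also matches accounts where `allowBlobPublicAccess` is absent, which is the right call given the property's historical default, but worth a sentence in the description so nobody "fixes" it to `equals: true`, e.g. `"value": "Enforces allowBlobPublicAccess=false; accounts that omit the property are treated as non-compliant."`.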


@ -0,0 +1,59 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Modify-Storage-MinimumTlsVersion"
},
"policyDescription": {
"value": "Enforces minimum tls version 1.2 for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
"notEquals": "TLS1_2"
}
]
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"conflictEffect": "Deny",
"operations": [
{
"condition": "[greaterOrEquals(requestContext().apiVersion, '2019-04-01')]",
"operation": "addOrReplace",
"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
"value": "TLS1_2"
}
]
}
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
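Review bot: The trigger `notEquals: "TLS1_2"` together with `addOrReplace` to `"TLS1_2"` means any value other than the exact string — including a stricter one, should the service accept one later — is rewritten downward to TLS 1.2. If that is acceptable it should be stated; otherwise the condition could be phrased as a `notIn` over the values considered acceptable so the policy only raises, never lowers, the floor.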


@ -0,0 +1,59 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Modify-Storage-NetworkAclsBypass"
},
"policyDescription": {
"value": "Enforces network bypass to none for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
"notEquals": "None"
}
]
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"conflictEffect": "Deny",
"operations": [
{
"condition": "[greaterOrEquals(requestContext().apiVersion, '2017-06-01')]",
"operation": "addOrReplace",
"field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
"value": "None"
}
]
}
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
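Review bot: Forcing `networkAcls.bypass` to `"None"` also removes the exception for trusted Azure services (the `AzureServices`, `Logging` and `Metrics` values this field otherwise accepts), so platform integrations that reach the account over the service path — diagnostics delivery, backup and similar — may start failing once the defaultAction policy in this commit is also applied; that is a deliberate hardening choice if intended, but the description should say so, e.g. `"value": "Enforces networkAcls.bypass=None for storage account; trusted Azure services are not exempted from network rules."`.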


@ -0,0 +1,59 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Modify-Storage-NetworkAclsDefaultAction"
},
"policyDescription": {
"value": "Enforces default tls version 1.2 for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"notEquals": "Deny"
}
]
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"conflictEffect": "Deny",
"operations": [
{
"condition": "[greaterOrEquals(requestContext().apiVersion, '2017-06-01')]",
"operation": "addOrReplace",
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"value": "Deny"
}
]
}
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}
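Review bot: `policyDescription` says "Enforces default tls version 1.2", copied from the TLS file, while this definition modifies `networkAcls.defaultAction` to `"Deny"`. Replace it with `"value": "Enforces network default action Deny for storage account."`.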


@ -0,0 +1,59 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyName": {
"value": "Modify-Storage-SupportsHttpsTrafficOnly"
},
"policyDescription": {
"value": "Enforces https traffic for storage account."
},
"policyMode": {
"value": "All"
},
"policyParameters": {
"value": {}
},
"policyDefinition": {
"value": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"notEquals": true
}
]
},
"then": {
"effect": "Modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"conflictEffect": "Deny",
"operations": [
{
"condition": "[greaterOrEquals(requestContext().apiVersion, '2016-12-01')]",
"operation": "addOrReplace",
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"value": true
}
]
}
}
}
},
"policyMetadata": {
"value": {
"version": "1.0.0",
"category": "Storage",
"preview": false,
"deprecated": false
}
}
}
}