Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GH 1423 - Policy PaaS should Disable Public Access for Container Apps #1447

Merged
merged 13 commits into from
Oct 27, 2023
Merged

GH 1423 - Policy PaaS should Disable Public Access for Container Apps #1447

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
2d3f0fe
add changes
Oct 12, 2023
02d0c11
whats new
Oct 12, 2023
7f5fa02
default value
Oct 12, 2023
05aba56
Deny
Oct 12, 2023
81dc3d6
https only
Oct 12, 2023
d468a1a
metadata versions
Oct 12, 2023
737ed73
Merge branch 'policy-refresh-q2fy24' into https1423
Springstone Oct 23, 2023
a8161ef
whats new updated
Oct 23, 2023
e836c72
Auto-update Portal experience [jtracey93/df45741f]
github-actions[bot] Oct 23, 2023
4e6da84
fix enforce-encryptiontransit
Oct 23, 2023
4880f10
Auto-update Portal experience [JamJarchitect/df45741f]
github-actions[bot] Oct 23, 2023
ef3abc4
version of enforce
Oct 27, 2023
aea5a61
Auto-update Portal experience [JamJarchitect/df45741f]
github-actions[bot] Oct 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/wiki/Whats-new.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:

#### Policy

- Added ['Container Apps environment should disable public network access'](https://www.azadvertizer.net/azpolicyadvertizer/d074ddf8-01a5-4b5e-a2b8-964aed452c0a.html) to ['Deny-PublicPaaSEndpoints'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html)
- Added ['Container Apps should only be accessible over HTTPS'](https://www.azadvertizer.net/azpolicyadvertizer/0e80e269-43a4-4ae9-b5bc-178126b8a5cb.html) to this ['Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html)
- The portal accelerator experience has been updated to include deployment of Azure Monitor baseline alerts. Details on the policies deployed can be found [here](https://aka.ms/amba/alz).
- Fixed issue with couple of Policy file names to align with the actual name of the policies
- Bug fix for [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) version
Expand Down
6 changes: 3 additions & 3 deletions eslzArm/managementGroupTemplates/policyDefinitions/policies.json
View file
Open in desktop

Large diffs are not rendered by default.

27 changes: 25 additions & 2 deletions src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"displayName": "Public network access should be disabled for PaaS services",
"description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
"metadata": {
"version": "3.1.0",
"version": "3.2.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -274,6 +274,19 @@
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ContainerAppsEnvironmentDenyEffect" : {
"type": "String",
"metadata": {
"displayName": "Container Apps environment should disable public network access",
"description": "This policy denies creation of Container Apps Environment with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyDefinitions": [
Expand Down Expand Up @@ -476,8 +489,18 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a",
"parameters": {
"effect": {
"value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
}
25 changes: 24 additions & 1 deletion src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please increment initiative version.

Original file line number Diff line number Diff line change
Expand Up @@ -360,6 +360,19 @@
"Deny",
"Disabled"
]
},
"ContainerAppsHttpsOnlyEffect": {
"metadata": {
"displayName": "Container Apps should only be accessible over HTTPS",
"description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps."
},
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
]
}
},
"policyDefinitions": [
Expand Down Expand Up @@ -611,8 +624,18 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb",
"parameters": {
"effect": {
"value": "[[parameters('ContainerAppsHttpsOnlyEffect')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
}