From 8ef1afc6ffa6f2294dd8f20dcd84608e4710737c Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Thu, 27 Apr 2023 16:56:44 +0100 Subject: [PATCH] updated appgw policy with cmk --- .../Compliant-NetworkPolicySetDefinition.json | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json index 2324a135..b40f2594 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json @@ -2132,6 +2132,54 @@ } }, "name": "Deploy-Diagnostics-Firewall" + }, + { + "properties": { + "DisplayName": "Application Gateway should be using customer managed key stored in Azure Key Vault", + "Description": "Application Gateway should be using customer managed key stored in Azure Key Vault", + "mode": "All", + "Metadata": { + "category": "Network", + "version": "1.0.0" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/applicationGateways/sslCertificates[*].keyVaultSecretId", + "exists": "False" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-AppGw-Without-Cmk" } ] } @@ -2461,6 +2509,10 @@ "fwLogAnalyticsWorkspaceId": { "type": "string", "defaultValue": "" + }, + "appGwCmk": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ @@ -3006,6 +3058,18 @@ "value": "[[parameters('fwLogAnalyticsWorkspaceId')]" } } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[16].name)]", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appGwCmk')]" + } + } } ] }