Jayendran

Reputation: 10930

Azure Policy: Storage Account min TLS DeployIfNotExists

I am trying to update TLS to 1.2 for all my existing storage accounts when the TLS setting is not equal to TLS 1.2:

```json
"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    {
      "field": "location",
      "in": "[parameters('deploymentLocations')]"
    }
  ]
},
"then": {
  "effect": "deployIfNotExists",
  "details": {
    "type": "Microsoft.Storage/storageAccounts",
    "roleDefinitionIds": [
      "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
    ],
    "existenceCondition": {
      "allOf": [
        {
          "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
          "Equals": "TLS1_2"
        },
        {
          "exists": "true",
          "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion"
        }
      ]
    },
```

The problem is that the policy is showing compliance for storage accounts that are on TLS 1.1 as well, which it should not!

I tried to modify the existenceCondition with anyOf, but no luck, still the same issue. I think I am missing something in the existenceCondition.

Upvotes: 1

Views: 392

Answers (1)

NotFound

Reputation: 6157

You can try the following policy:

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "exists": "false"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "notEquals": "TLS1_2"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "conflictEffect": "audit",
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "value": "TLS1_2"
          }
        ]
      }
    }
  },
  "parameters": {}
}
```

It modifies the TLS to 1.2 for all new resources. Old resources are audited and can be changed through a remediation task from the Azure Policy page in the Azure Portal.

Upvotes: 1
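To see which accounts the answer's `if` block actually selects, here is an added example (not code from the question, the answer, or Azure) that evaluates the page's condition subset (allOf, anyOf, field with equals / notEquals / exists) over constructed storage accounts. The `ALIASES`, `evaluate`, `account` and `non_compliant` names are mine, and the alias resolution and missing-field semantics are approximations of Azure's, not its engine.

```python
# Added example, not code from the question or answer: a minimal evaluator for
# the Azure Policy condition subset used on this page (allOf, anyOf, field with
# equals / notEquals / exists), run against constructed storage accounts. It
# shows which accounts the answer's "if" block selects for the modify effect.
# Alias resolution and missing-field semantics are approximations of Azure's.
ALIASES = {
    "type": lambda r: r.get("type"),
    "Microsoft.Storage/storageAccounts/minimumTlsVersion":
        lambda r: r.get("properties", {}).get("minimumTlsVersion"),
}

def evaluate(cond: dict, resource: dict) -> bool:
    """True when the resource matches the condition (string compares are case-insensitive)."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = ALIASES[cond["field"]](resource)
    if "exists" in cond:  # Azure writes the boolean as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:  # approximation: a missing field matches neither equals nor notEquals
        return False
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "notEquals" in cond:
        return value.lower() != cond["notEquals"].lower()
    raise ValueError(f"unsupported condition: {cond}")

# The "if" block from the answer above, verbatim.
ANSWER_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
    ]},
]}

def account(name: str, tls=None) -> dict:
    """Constructed sample storage account (not a real resource)."""
    props = {} if tls is None else {"minimumTlsVersion": tls}
    return {"name": name, "type": "Microsoft.Storage/storageAccounts", "properties": props}

SAMPLE = [account("legacy10", "TLS1_0"), account("legacy11", "TLS1_1"),
          account("hardened", "TLS1_2"), account("unset")]

def non_compliant(resources: list, condition: dict = ANSWER_IF) -> list:
    """Names the policy would select; 'unset' is caught only by the exists:false branch."""
    return [r["name"] for r in resources if evaluate(condition, r)]
```

Dropping the `exists: false` branch from `ANSWER_IF` and re-running `non_compliant(SAMPLE)` shows why the answer needs the `anyOf`: the account with no `minimumTlsVersion` at all is no longer selected.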
