diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json index e54e3c06ba..02cbae97c3 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json @@ -274,6 +274,18 @@ "Disabled" ], "defaultValue": "AuditIfNotExists" + }, + "ContainerAppsEnvironmentDenyEffect" : { + "type": "String", + "metadata": { + "displayName": "Container Apps environment should disable public network access", + "description": "This policy denies creation of Container Apps Environment with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] } }, "policyDefinitions": [ @@ -476,8 +488,18 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null } -} +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json index 0e3d731afa..7028add6a7 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json @@ -360,259 +360,282 @@ "Deny", "Disabled" ] - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "AppServiceHttpEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "parameters": { - "effect": { - "value": "[[parameters('AppServiceHttpEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AppServiceminTlsVersion", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "parameters": { - "effect": { - "value": "[[parameters('AppServiceTlsVersionEffect')]" - }, - "minTlsVersion": { - "value": "[[parameters('AppServiceminTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", - "parameters": { - "effect": { - "value": "[[parameters('FunctionLatestTlsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", - "parameters": { - "effect": { - "value": "[[parameters('WebAppServiceLatestTlsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "parameters": { - "effect": { - "value": "[[parameters('APIAppServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "parameters": { - "effect": { - "value": "[[parameters('FunctionServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "parameters": { - "effect": { - "value": "[[parameters('WebAppServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "parameters": { - "effect": { - "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('MySQLEnableSSLDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('MySQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLEnableSSLEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - "parameters": { - "effect": { - "value": "[[parameters('MySQLEnableSSLEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('MySQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('PostgreSQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLEnableSSLEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('PostgreSQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisTLSDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('RedisTLSDeployEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('RedisMinTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisdisableNonSslPort", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", - "parameters": { - "effect": { - "value": "[[parameters('RedisTLSDeployEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "RedisDenyhttps", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", - "parameters": { - "effect": { - "value": "[[parameters('RedisTLSEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('RedisMinTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLManagedInstanceTLSEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLServerTLSDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLServerminTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SQLServerTLSEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('SQLServerTLSEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('SQLServerminTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageHttpsEnabledEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", - "parameters": { - "effect": { - "value": "[[parameters('StorageHttpsEnabledEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('StorageMinimumTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" - }, - "minimumTlsVersion": { - "value": "[[parameters('StorageMinimumTlsVersion')]" - } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." }, - "groupNames": [] + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] } - ], - "policyDefinitionGroups": null - } -} + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageHttpsEnabledEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('StorageHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null +} \ No newline at end of file