Quality updates to PostgreSQL docs (#2808)

Azure · Apr 8, 2024 · 74d0cf8 · 74d0cf8
1 parent 6a23145
commit 74d0cf8
Show file tree

Hide file tree

Showing 7 changed files with 386 additions and 32 deletions.
diff --git a/docs/en/rules/Azure.PostgreSQL.AADOnly.md b/docs/en/rules/Azure.PostgreSQL.AADOnly.md
@@ -1,56 +1,74 @@
 ---
+reviewed: 2024-04-09
 severity: Important
 pillar: Security
-category: Identity and access management
+category: SE:05 Identity and access management
 resource: Azure Database for PostgreSQL
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.AADOnly/
 ---
 
-# Azure AD-only authentication
+# Entra ID only authentication with PostgreSQL databases
 
 ## SYNOPSIS
 
-Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.
+Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.
 
 ## DESCRIPTION
 
-Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.
+Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Entra ID authentication.
 
 By default, authentication with PostgreSQL logins is enabled.
 PostgreSQL logins are unable to provide sufficient protection for identities.
-Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.
+Entra ID authentication provides strong protection controls including conditional access, identity governance,
+and privileged identity management.
 
-Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.
+Once you decide to use Entra ID authentication, you can disable authentication with PostgreSQL logins.
 
-Azure AD-only authentication is only supported for the flexible server deployment model.
+Entra ID only authentication is only supported for the flexible server deployment model.
 
 ## RECOMMENDATION
 
-Consider using Azure AD-only authentication.
-Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.
+Consider using Entra ID only authentication.
+Also consider using Azure Policy for Entra ID only authentication with Azure Database for PostgreSQL.
 
 ## EXAMPLES
 
 ### Configure with Azure template
 
 To deploy Azure Database for PostgreSQL flexible servers that pass this rule:
 
-- Set the `properties.authConfig.activeDirectoryAuth` property to `true`.
-- Set the `properties.authConfig.passwordAuth` property to `false`.
+- Set the `properties.authConfig.activeDirectoryAuth` property to `Enabled`.
+- Set the `properties.authConfig.passwordAuth` property to `Disabled`.
 
 For example:
 
 ```json
 {
   "type": "Microsoft.DBforPostgreSQL/flexibleServers",
   "apiVersion": "2022-12-01",
-  "name": "[parameters('serverName')]",
+  "name": "[parameters('name')]",
   "location": "[parameters('location')]",
+  "sku": {
+    "name": "Standard_D2ds_v4",
+    "tier": "GeneralPurpose"
+  },
   "properties": {
+    "createMode": "Default",
     "authConfig": {
       "activeDirectoryAuth": "Enabled",
       "passwordAuth": "Disabled",
-      "tenantId": "[parameters('tenantId')]"
+      "tenantId": "[tenant().tenantId]"
+    },
+    "version": "14",
+    "storage": {
+      "storageSizeGB": 32
+    },
+    "backup": {
+      "backupRetentionDays": 7,
+      "geoRedundantBackup": "Enabled"
+    },
+    "highAvailability": {
+      "mode": "ZoneRedundant"
     }
   }
 }
@@ -60,35 +78,52 @@ For example:
 
 To deploy Azure Database for PostgreSQL flexible servers that pass this rule:
 
-- Set the `properties.authConfig.activeDirectoryAuth` property to `true`.
-- Set the `properties.authConfig.passwordAuth` property to `false`.
+- Set the `properties.authConfig.activeDirectoryAuth` property to `Enabled`.
+- Set the `properties.authConfig.passwordAuth` property to `Disabled`.
 
 For example:
 
 ```bicep
-resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
-  name: serverName
+resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
+  name: name
   location: location
+  sku: {
+    name: 'Standard_D2ds_v4'
+    tier: 'GeneralPurpose'
+  }
   properties: {
+    createMode: 'Default'
     authConfig: {
       activeDirectoryAuth: 'Enabled'
       passwordAuth: 'Disabled'
-      tenantId: tenantId
+      tenantId: tenant().tenantId
+    }
+    version: '14'
+    storage: {
+      storageSizeGB: 32
+    }
+    backup: {
+      backupRetentionDays: 7
+      geoRedundantBackup: 'Enabled'
+    }
+    highAvailability: {
+      mode: 'ZoneRedundant'
     }
   }
 }
 ```
 
 ## NOTES
 
-The Azure AD admin must be set before enabling Azure AD-only authentication.
-Azure AD-only authentication is only suppored for the flexible server deployment model.
+The Entra ID admin must be set before enabling Entra ID only authentication.
+Entra ID only authentication is only supported for the flexible server deployment model.
 
 ## LINKS
 
-- [Use modern password protection](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection)
-- [Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server](https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-configure-sign-in-azure-ad-authentication)
-- [Azure Active Directory Authentication (Single Server VS Flexible Server)](https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#azure-active-directory-authentication-single-server-vs-flexible-server)
-- [Azure security baseline for Azure Database for PostgreSQL - Flexible Server](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-database-for-postgresql-flexible-server-security-baseline)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [How Microsoft Entra ID Works in Azure Database for PostgreSQL flexible server](https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#how-azure-ad-works-in-flexible-server)
+- [Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server](https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-configure-sign-in-azure-ad-authentication)
+- [Use Microsoft Entra ID for authentication with PostgreSQL](https://learn.microsoft.com/azure/postgresql/single-server/how-to-configure-sign-in-azure-ad-authentication)
+- [Microsoft Entra authentication (Azure Database for PostgreSQL single Server vs Azure Database for PostgreSQL flexible server)](https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#microsoft-entra-authentication-azure-database-for-postgresql-single-server-vs-azure-database-for-postgresql-flexible-server)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-database-for-postgresql-flexible-server-security-baseline#im-1-use-centralized-identity-and-authentication-system)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/flexibleservers#authconfig)
diff --git a/docs/en/rules/Azure.PostgreSQL.MinTLS.md b/docs/en/rules/Azure.PostgreSQL.MinTLS.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-04-09
 severity: Critical
 pillar: Security
-category: Encryption
+category: SE:07 Encryption
 resource: Azure Database for PostgreSQL
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.MinTLS/
 ---
@@ -24,10 +25,66 @@ By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
 
 Consider configuring the minimum supported TLS version to be 1.2.
 
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy servers that pass this rule:
+
+- Set the `properties.minimalTlsVersion` property to `TLS1_2`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DBforPostgreSQL/servers",
+  "apiVersion": "2017-12-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "createMode": "Default",
+    "administratorLogin": "[parameters('localAdministrator')]",
+    "administratorLoginPassword": "[parameters('localAdministratorPassword')]",
+    "minimalTlsVersion": "TLS1_2",
+    "sslEnforcement": "Enabled",
+    "publicNetworkAccess": "Disabled",
+    "version": "11"
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy servers that pass this rule:
+
+- Set the `properties.minimalTlsVersion` property to `TLS1_2`.
+
+For example:
+
+```bicep
+resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: name
+  location: location
+  properties: {
+    createMode: 'Default'
+    administratorLogin: localAdministrator
+    administratorLoginPassword: localAdministratorPassword
+    minimalTlsVersion: 'TLS1_2'
+    sslEnforcement: 'Enabled'
+    publicNetworkAccess: 'Disabled'
+    version: '11'
+  }
+}
+```
+
+## NOTES
+
+This rule is not applicable to PostgreSQL using the flexible server model.
+
 ## LINKS
 
-- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
-- [TLS enforcement in Azure Database for PostgreSQL Single server](https://learn.microsoft.com/azure/postgresql/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-postgresql-single-server)
-- [Set TLS configurations for Azure Database for PostgreSQL - Single server](https://learn.microsoft.com/azure/postgresql/howto-tls-configurations#set-tls-configurations-for-azure-database-for-postgresql---single-server)
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
+- [TLS enforcement in Azure Database for PostgreSQL Single server](https://learn.microsoft.com/azure/postgresql/single-server/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-postgresql-single-server)
+- [Set TLS configurations for Azure Database for PostgreSQL - Single server](https://learn.microsoft.com/azure/postgresql/single-server/how-to-tls-configurations#set-tls-configurations-for-azure-database-for-postgresql---single-server)
 - [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
-- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers#ServerPropertiesForCreate)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers)
diff --git a/docs/en/rules/Azure.PostgreSQL.UseSSL.md b/docs/en/rules/Azure.PostgreSQL.UseSSL.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-04-09
 severity: Critical
 pillar: Security
-category: Data protection
+category: SE:07 Encryption
 resource: Azure Database for PostgreSQL
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.UseSSL/
 ms-content-id: 80d34e65-8ab5-4cf3-a0dd-3b5e56e06f40
@@ -28,7 +29,64 @@ Unless explicitly required, consider enabling _enforce SSL connections_.
 
 Also consider using Azure Policy to audit or enforce this configuration.
 
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy servers that pass this rule:
+
+- Set the `properties.sslEnforcement` property to `Enabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DBforPostgreSQL/servers",
+  "apiVersion": "2017-12-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "createMode": "Default",
+    "administratorLogin": "[parameters('localAdministrator')]",
+    "administratorLoginPassword": "[parameters('localAdministratorPassword')]",
+    "minimalTlsVersion": "TLS1_2",
+    "sslEnforcement": "Enabled",
+    "publicNetworkAccess": "Disabled",
+    "version": "11"
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy servers that pass this rule:
+
+- Set the `properties.sslEnforcement` property to `Enabled`.
+
+For example:
+
+```bicep
+resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: name
+  location: location
+  properties: {
+    createMode: 'Default'
+    administratorLogin: localAdministrator
+    administratorLoginPassword: localAdministratorPassword
+    minimalTlsVersion: 'TLS1_2'
+    sslEnforcement: 'Enabled'
+    publicNetworkAccess: 'Disabled'
+    version: '11'
+  }
+}
+```
+
+## NOTES
+
+This rule is not applicable to PostgreSQL using the flexible server model.
+
 ## LINKS
 
-- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
-- [Configure SSL connectivity in Azure Database for PostgreSQL](https://learn.microsoft.com/azure/postgresql/concepts-ssl-connection-security)
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
+- [Configure SSL connectivity in Azure Database for PostgreSQL](https://learn.microsoft.com/azure/postgresql/single-server/concepts-ssl-connection-security)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers)
diff --git a/docs/examples-ML.bicep → docs/examples-ml.bicep b/docs/examples-ML.bicep → docs/examples-ml.bicep
diff --git a/docs/examples-ML.json → docs/examples-ml.json b/docs/examples-ML.json → docs/examples-ml.json
diff --git a/docs/examples-postgresql.bicep b/docs/examples-postgresql.bicep
@@ -0,0 +1,87 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Bicep documentation examples
+
+@sys.description('The name of the resource.')
+param name string
+
+@sys.description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+@sys.description('The login for an administrator.')
+param localAdministrator string
+
+@secure()
+@description('A default administrator password.')
+param localAdministratorPassword string
+
+@sys.description('The object GUID for an administrator account.')
+param loginObjectId string
+
+// An example PostgreSQL server.
+resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
+  name: name
+  location: location
+  properties: {
+    createMode: 'Default'
+    administratorLogin: localAdministrator
+    administratorLoginPassword: localAdministratorPassword
+    minimalTlsVersion: 'TLS1_2'
+    sslEnforcement: 'Enabled'
+    publicNetworkAccess: 'Disabled'
+    version: '11'
+  }
+}
+
+// Configure administrators for single server.
+resource single_admin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12-01' = {
+  parent: single
+  name: 'activeDirectory'
+  properties: {
+    administratorType: 'ActiveDirectory'
+    login: localAdministrator
+    sid: loginObjectId
+    tenantId: tenant().tenantId
+  }
+}
+
+// An example PostgreSQL using the flexible server model.
+resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'Standard_D2ds_v4'
+    tier: 'GeneralPurpose'
+  }
+  properties: {
+    createMode: 'Default'
+    authConfig: {
+      activeDirectoryAuth: 'Enabled'
+      passwordAuth: 'Disabled'
+      tenantId: tenant().tenantId
+    }
+    version: '14'
+    storage: {
+      storageSizeGB: 32
+    }
+    backup: {
+      backupRetentionDays: 7
+      geoRedundantBackup: 'Enabled'
+    }
+    highAvailability: {
+      mode: 'ZoneRedundant'
+    }
+  }
+}
+
+// Configure administrators for a flexible server.
+resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {
+  parent: flexible
+  name: loginObjectId
+  properties: {
+    principalType: 'ServicePrincipal'
+    principalName: localAdministrator
+    tenantId: tenant().tenantId
+  }
+}