Bug Report - Deny-Storage-ServicesEncryption - Removed unneeded rules #1780

Open
cjtous1 opened this issue Sep 27, 2024 · 4 comments
Labels
Area: Policy 📝 Issues / PR's related to Policy bug Something isn't working Needs: Triage 🔍 Needs triaging by the team

Comments

@cjtous1

cjtous1 commented Sep 27, 2024

Describe the bug
When you deploy ALZ policies with the current default values for the Deny-Storage-ServicesEncryption, it checks that these two properties exist and are true:

  • Microsoft.Storage/storageAccounts/encryption.services.blob.enabled
  • Microsoft.Storage/storageAccounts/encryption.services.file.enabled

When you try to create a storage account via Terraform with the AzureRM provider, there is no way to specify those values.
Those parameters were removed (see hashicorp/terraform-provider-azurerm#3820).

These parameters were removed in AzureRM 2.0.0 because even if you set it to false, it will be set to true...

Steps to reproduce

  1. Try to create a storage account with the AzureRM provider.
  2. Get denied

I even tried the AVM module for storage account but it also does not expose this parameter to be set...

Screenshots

"evaluatedExpressions": [
  {
    "result": "True",
    "expressionKind": "Field",
    "expression": "type",
    "path": "type",
    "expressionValue": "Microsoft.Storage/storageAccounts",
    "targetValue": "Microsoft.Storage/storageAccounts",
    "operator": "Equals"
  },
  {
    "result": "True",
    "expressionKind": "Field",
    "expression": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
    "path": "properties.encryption.services.blob.enabled",
    "targetValue": "false",
    "operator": "Exists"
  }
],
"reason": "Recommended guardrails must be enforced for Storage"
@cjtous1 cjtous1 added the bug Something isn't working label Sep 27, 2024
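An added example, not code from the issue or from the ALZ repository, that reproduces the evaluation described above: a minimal evaluator for the allOf/anyOf/equals/notEquals/exists conditions of the Deny-Storage-ServicesEncryption rule, run over a constructed request body that omits the blob/file `enabled` properties, as the AzureRM provider does. It also evaluates a rule reduced to the queue/table keyType checks to show that such a body passes it. The alias-to-path mapping and the behaviour of `notEquals` on a missing field are assumptions.

```python
# Added example (not from the issue or the ALZ repo): evaluate the policy's
# "if" conditions against a constructed storage account request body.

def resolve(field, resource):
    """Return (exists, value) for a policy alias. Assumed mapping: 'type' is the
    top-level type; any other alias maps its last segment under 'properties.'."""
    path = "type" if field == "type" else "properties." + field.rsplit("/", 1)[-1]
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def matches(cond, resource):
    """True when the condition matches; a match of the whole 'if' means deny."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    exists, value = resolve(cond["field"], resource)
    if "exists" in cond:          # policy JSON writes this bool as a string
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return exists and value == cond["equals"]
    if "notEquals" in cond:       # assumed: a missing field never equals the target
        return not exists or value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def service_check(service, prop, expected):
    """anyOf block from the rule: the alias is absent, or is not the expected value."""
    alias = f"Microsoft.Storage/storageAccounts/encryption.services.{service}.{prop}"
    return {"anyOf": [{"field": alias, "exists": "false"},
                      {"field": alias, "notEquals": expected}]}

TYPE_CHECK = {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}
CURRENT_RULE = {"allOf": [TYPE_CHECK, {"anyOf": [
    service_check("blob", "enabled", True), service_check("file", "enabled", True),
    service_check("queue", "keyType", "Account"), service_check("table", "keyType", "Account")]}]}
TRIMMED_RULE = {"allOf": [TYPE_CHECK, {"anyOf": [
    service_check("queue", "keyType", "Account"), service_check("table", "keyType", "Account")]}]}

# Constructed request body: queue/table keyType set, no blob/file "enabled" keys.
TERRAFORM_LIKE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {"encryption": {"services": {
        "queue": {"keyType": "Account"}, "table": {"keyType": "Account"}}}}}

def is_denied(rule, resource):
    return matches(rule, resource)
```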
@Springstone
Member

@matt-FFFFFF do you have any thoughts on how to address this?

@Springstone Springstone added the Area: Policy 📝 Issues / PR's related to Policy label Oct 10, 2024
@Springstone Springstone added this to the policy-refresh-fy25-q2 milestone Oct 10, 2024
@matt-FFFFFF
Member

Slightly confused between the post (albeit quite old), but if you can't disable encryption then why do we need the policy?

@Springstone Springstone added the Needs: Triage 🔍 Needs triaging by the team label Oct 10, 2024
@matt-FFFFFF
Member

@Springstone from the product docs:

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled

https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption#about-azure-storage-service-side-encryption

@cjtous1
Author

cjtous1 commented Oct 15, 2024

The policy is still valid for queue and table, but the other conditions could be dropped from the policy.

  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
        {
          "anyOf": [
            {
-                "anyOf": [
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
-                    "exists": "false"
-                  },
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
-                    "notEquals": true
-                  }
-                ]
-              },
-              {
-                "anyOf": [
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
-                    "exists": "false"
-                  },
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
-                    "notEquals": true
-                  }
-                ]
-              },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
                  "exists": "false"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
                  "notEquals": "Account"
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
                  "exists": "false"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
                  "notEquals": "Account"
                }
              ]
            }
          ]
        }
      ]
    }
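Review bot: the deletion leaves the object opened by the `{` on the line just before the first removed `"anyOf": [` without its closing `},`, which is among the removed lines, so that `{` is immediately followed by the next `{` and the resulting policyRule is not valid JSON. Either start the removal one line earlier and drop that `{` too, or stop it one line earlier and keep the final `},`, so the outer anyOf contains exactly the two remaining queue/table blocks. The snippet also ends at the closing brace of `if`; the `then` block and the closing brace of `policyRule` are not shown, which is fine for the proposal but should be included if this becomes a PR.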
