Bug Report - Policy Deploy-Storage-sslEnforcement #971

Closed
Felix-Tr opened this issue May 5, 2022 · 1 comment · Fixed by #992
Labels
bug Something isn't working policy Status: Fixed

Felix-Tr commented May 5, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.1.3

azure provider: >= 2.20, < 3.0.0

module: archetypes

Description

The policy is used to enforce the recommendation "Secure transfer to storage accounts should be enabled" but causes an error because of the following mismatch regarding the resource type.

Line 66:

          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "true"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "equals": "[parameters('minimumTlsVersion')]"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          },

should be:

          "type": "Microsoft.Storage/storageAccounts",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "true"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "equals": "[parameters('minimumTlsVersion')]"
              }
            ]
          },

to correct the type and only set the existenceCondition=True if secure transfer (supportsHttpsTrafficOnly) is enabled

  1. apply module
  2. wait for provisioning of resources
  3. check policy compliance in the Azure portal

@ghost ghost added the Needs: Triage 🔍 Needs triaging by the team label May 5, 2022
@krowlandson krowlandson transferred this issue from Azure/terraform-azurerm-caf-enterprise-scale May 5, 2022
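
The `existenceCondition` quoted at "Line 66" in the issue above requires `supportsHttpsTrafficOnly` to equal both `true` and `false` inside one `allOf`, so no storage account can satisfy it. The following is an added example, not part of the original issue or the project's code: a simplified evaluator (it handles only `allOf`, `anyOf` and `field`/`equals`; the function names, parameter value and sample resources are constructed for illustration) that checks both versions of the condition.

```python
import re

ALIAS = "Microsoft.Storage/storageAccounts/"

# existenceCondition as quoted in the issue ("Line 66") and as proposed there.
BEFORE = {"allOf": [
    {"field": ALIAS + "supportsHttpsTrafficOnly", "equals": "true"},
    {"field": ALIAS + "minimumTlsVersion", "equals": "[parameters('minimumTlsVersion')]"},
    {"field": ALIAS + "supportsHttpsTrafficOnly", "equals": "false"},
]}
AFTER = {"allOf": BEFORE["allOf"][:2]}

def resolve(value, params):
    """Expand "[parameters('name')]"; any other value passes through."""
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", str(value))
    return params[m.group(1)] if m else value

def norm(value):
    # Simplification: compare case-insensitively as strings, so True == "true".
    return str(value).lower()

def evaluate(cond, resource, params):
    """Evaluate allOf / anyOf / field-equals against a dict of alias -> value."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    return norm(resource.get(cond["field"])) == norm(resolve(cond["equals"], params))

def contradictions(cond, params):
    """Fields that a single allOf requires to equal two different values."""
    seen, bad = {}, set()
    for c in cond.get("allOf", []):
        if "field" in c and "equals" in c:
            want = norm(resolve(c["equals"], params))
            if seen.setdefault(c["field"], want) != want:
                bad.add(c["field"])
    return sorted(bad)

# Constructed sample data: one parameter value and two storage account states.
PARAMS = {"minimumTlsVersion": "TLS1_2"}
SECURE = {ALIAS + "supportsHttpsTrafficOnly": True, ALIAS + "minimumTlsVersion": "TLS1_2"}
INSECURE = {ALIAS + "supportsHttpsTrafficOnly": False, ALIAS + "minimumTlsVersion": "TLS1_0"}

if __name__ == "__main__":
    for name, cond in (("before", BEFORE), ("after", AFTER)):
        print(name, "contradictory fields:", contradictions(cond, PARAMS))
        for label, res in (("secure", SECURE), ("insecure", INSECURE)):
            print(f"  {label}: existenceCondition = {evaluate(cond, res, PARAMS)}")
```

Running `contradictions` over policy definitions before deployment catches this class of error without waiting for a compliance scan.
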
krowlandson (Contributor) commented

@Felix-Tr thank you for logging this issue.

I've moved it to our upstream repository for triage where all policies are maintained for ES/ALZ.

cc: @jtracey93, @matt-FFFFFF
