From 28a1af381e9a4cba09b5d5de5304635503fcc56f Mon Sep 17 00:00:00 2001
From: Heinrich Gantenbein <6719941+techlake@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:06:08 -0600
Subject: [PATCH] Change Policy from DINE to Modify (#418)
---
 .../azurepolicy.json | 102 +++++-------------
 1 file changed, 26 insertions(+), 76 deletions(-)
diff --git a/policyDefinitions/Key Vault/enable-soft-delete-and-purge-protection-on-key-vaults/azurepolicy.json b/policyDefinitions/Key Vault/enable-soft-delete-and-purge-protection-on-key-vaults/azurepolicy.json
index ebdeccd0..ae862843 100644
--- a/policyDefinitions/Key Vault/enable-soft-delete-and-purge-protection-on-key-vaults/azurepolicy.json
+++ b/policyDefinitions/Key Vault/enable-soft-delete-and-purge-protection-on-key-vaults/azurepolicy.json
@@ -6,7 +6,7 @@
 "description": "This Policy will enable soft-delete and purge protection on all Key Vaults.",
 "metadata": {
 "category": "Key Vault",
- "version": "1.0.0"
+ "version": "2.0.0"
 },
 "mode": "All",
 "parameters": {
@@ -14,14 +14,15 @@
 "type": "String",
 "metadata": {
 "displayName": "Effect",
- "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ "description": "Modify, Deny, Audit, or Disabled"
 },
 "allowedValues": [
- "DeployIfNotExists",
- "AuditIfNotExists",
+ "Modify",
+ "Deny",
+ "Audit",
 "Disabled"
 ],
- "defaultValue": "DeployIfNotExists"
+ "defaultValue": "Modify"
 }
 },
 "policyRule": {
@@ -40,6 +41,14 @@
 {
 "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
 "exists": "false"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
+ "equals": "false"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "equals": "false"
 }
 ]
 }
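Review bot: Defaulting `effect` to `Modify` (the `"defaultValue": "Modify"` line) means an assignment created with default parameters silently rewrites vault properties on every create/update request, and because the rule's operations turn on purge protection — which Azure does not allow to be switched off again once set — that default is irreversible for every vault in scope, including dev/test vaults. A non-intrusive default is the safer convention for a definition that rewrites resource state; consider `"defaultValue": "Audit"` and let assignments opt in to `Modify`, or keep `Modify` but spell out the consequence in the parameter text, e.g. `"description": "Modify (sets enableSoftDelete and enablePurgeProtection to true on create/update and via remediation; purge protection cannot be disabled afterwards), Deny, Audit, or Disabled"`. Note also that with `Deny` selected the rule matches a request that merely omits `enablePurgeProtection` (the `exists: false` clause further down), so every vault deployment must set the property explicitly — worth one sentence in the same description. The enclosing `parameters` object starts before this hunk.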
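Review bot: The two added `"equals": "false"` clauses are inserted as siblings of the existing `"exists": "false"` clause on the same `enablePurgeProtection` alias, so the rule is only correct if the enclosing container — opened before this hunk — is an `anyOf`; inside an `allOf` the `exists: false` and `equals: false` tests on one field cannot both hold and the policy would never fire, so please confirm the container. If it is an `anyOf`, the three clauses can be collapsed to one per alias that also covers any other non-true value: `{ "field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "notEquals": "true" }` and `{ "field": "Microsoft.KeyVault/vaults/enableSoftDelete", "notEquals": "true" }`. I cannot see whether an `enableSoftDelete` `exists: false` clause already precedes this hunk; if it does, the `notEquals` form would subsume it too. The `if` block starts outside the hunk.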
@@ -48,82 +57,23 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
- "type": "Microsoft.KeyVault/vaults",
 "roleDefinitionIds": [
 "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
 ],
- "existenceCondition": {
- "allOf": [
- {
- "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
- "equals": "true"
- },
- {
- "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
- "equals": "true"
- }
- ]
- },
- "deployment": {
- "properties": {
- "mode": "incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "keyvaultName": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "sku": {
- "type": "object"
- },
- "tenantId": {
- "type": "string"
- },
- "accessPolicies": {
- "type": "array"
- }
- },
- "resources": [
- {
- "type": "Microsoft.KeyVault/vaults",
- "apiVersion": "2018-02-14",
- "name": "[parameters('keyVaultName')]",
- "location": "[parameters('location')]",
- "properties": {
- "tenantId": "[parameters('tenantId')]",
- "enableSoftDelete": true,
- "enablePurgeProtection": true,
- "sku": "[parameters('sku')]",
- "accessPolicies": "[parameters('accessPolicies')]"
- }
- }
- ]
- },
- "parameters": {
- "keyvaultName": {
- "value": "[field('name')]"
- },
- "location": {
- "value": "[field('location')]"
- },
- "sku": {
- "value": "[field('Microsoft.KeyVault/vaults/sku')]"
- },
- "tenantId": {
- "value": "[field('Microsoft.KeyVault/vaults/tenantId')]"
- },
- "accessPolicies": {
- "value": "[field('Microsoft.KeyVault/vaults/accessPolicies')]"
- }
- }
+ "operations": [
+ {
+ "operation": "addOrReplace",
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "value": true
+ },
+ {
+ "operation": "addOrReplace",
+ "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
+ "value": true
 }
- }
+ ]
 }
 }
 }
 }
-}
+}
\ No newline at end of file
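Review bot: The `addOrReplace` on `Microsoft.KeyVault/vaults/enablePurgeProtection` near the end of the hunk is a one-way operation — once purge protection is on, Azure does not let it be turned off — yet nothing in the definition says so, and the top-level `description` (outside this hunk) still promises the policy "will enable ... on all Key Vaults" although a `Modify` rule only rewrites resources at create/update time; vaults that already exist change only when a remediation task is run for the assignment. Both facts belong in that `description`, e.g. `"description": "Sets enableSoftDelete and enablePurgeProtection to true on Key Vaults at create/update; run a remediation task to cover existing vaults. Purge protection cannot be disabled once enabled."`. `roleDefinitionIds` keeps `f25e0fa2-…`, which I read as Key Vault Contributor — the appropriate management-plane scope for this property write, so no change there. The patch also drops the trailing newline at EOF (`\ No newline at end of file`); please restore it so the file matches the rest of the repository and later diffs stay clean. The enclosing `policyRule` starts before this hunk.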