From 7af35a8bd50ee197f7395f662406c44e1b252ebd Mon Sep 17 00:00:00 2001
From: Thomas Defise
Date: Tue, 9 Apr 2024 16:33:38 +0200
Subject: [PATCH] New Policy
---
 .../azurepolicy.json | 44 +++++++++++++++++++
 .../azurepolicy.parameters.json | 14 ++++++
 .../azurepolicy.rules.json | 17 +++++++
 3 files changed, 75 insertions(+)
 create mode 100644 policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.json
 create mode 100644 policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.rules.json
diff --git a/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.json b/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.json
new file mode 100644
index 00000000..96691051
--- /dev/null
+++ b/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.json
@@ -0,0 +1,44 @@
+{
+ "name": "7a2deb93-6f4f-4668-8697-be314e342085",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "PostgreSQL flexible servers should log checkpoints",
+ "description": "This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL"
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations",
+ "name": "log_checkpoints",
+ "existenceCondition": {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/configurations/value",
+ "equals": "ON"
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.parameters.json b/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.parameters.json
new file mode 100644
index 00000000..fb8acc98
--- /dev/null
+++ b/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.parameters.json
@@ -0,0 +1,14 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+}
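Review bot: The `effect` parameter description `"AuditIfNotExists or Disabled the execution of the Policy"` in azurepolicy.json is not a sentence and does not tell an assigner what the parameter controls; the conventional wording is `"description": "Enable or disable the execution of the policy"`. The policy `description` field likewise speaks of "PostgreSQL databases" while the rule matches `Microsoft.DBforPostgreSQL/flexibleServers` and checks the `log_checkpoints` server parameter, so `"This policy audits PostgreSQL flexible servers whose log_checkpoints server parameter is not enabled."` would describe what is actually evaluated. The same parameter block is repeated verbatim in azurepolicy.parameters.json (the next hunk on this line) and the rule in azurepolicy.rules.json (the last hunk), so the description fix applies there too and the three copies have to be kept in sync whenever one of them changes. The `existenceCondition` comparing `value` with `"ON"` looks fine as written, since Azure Policy string `equals` is case-insensitive, but it is worth confirming the exact value the flexible server reports before relying on this check for compliance reporting.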
diff --git a/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.rules.json b/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.rules.json
new file mode 100644
index 00000000..677781e9
--- /dev/null
+++ b/policyDefinitions/SQL/postgresql-flexible-servers-should-log-checkpoints/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations",
+ "name": "log_checkpoints",
+ "existenceCondition": {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/configurations/value",
+ "equals": "ON"
+ }
+ }
+ }
+}