Deny-SqlMi-minTLS.json
{
"name": "Deny-SqlMi-minTLS",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
"description": "Setting the minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed by clients using TLS 1.2. Using TLS versions lower than 1.2 is not recommended because they have well-documented security vulnerabilities.",
"metadata": {
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"defaultValue": "Audit"
},
"minimalTlsVersion": {
"type": "String",
"defaultValue": "1.2",
"allowedValues": [
"1.2",
"1.1",
"1.0"
],
"metadata": {
"displayName": "Select minimum TLS version for SQL Managed Instance",
"description": "Select the minimum TLS version to enforce on SQL Managed Instances"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/managedInstances"
},
{
"anyOf": [
{
"field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
"exists": "false"
},
{
"field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
"less": "[[parameters('minimalTlsVersion')]"
}
]
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
}
}