diff --git a/Deny/Azure-NetworkFrontdoor-Https-only/README.md b/Deny/Azure-NetworkFrontdoor-Https-only/README.md
new file mode 100644
index 0000000..ad652a1
--- /dev/null
+++ b/Deny/Azure-NetworkFrontdoor-Https-only/README.md
@@ -0,0 +1,26 @@
+# Deny creation of Network FrontDoor if routing rule has http
+
+This policy will block the create or update operation on Network FrontDoor if the Routing Rules contains http.
+
+## Try it on Portal
+
+[![Deploy to Azure](http://azuredeploy.net/deploybutton.png)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/CreatePolicyDefinitionBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fhakashya%2FAzure-Policy%2Fmaster%2FDeny%2FAzure-NIC-In-Incorrect-Subnet%2Fazurepolicy.json)
+
+## Try with PowerShell
+
+````powershell
+$definition = New-AzPolicyDefinition -Name "DenyNetworkFrontDoorForHttp" -DisplayName "Deny Network Frontdoor when Routing Rules have http" -description "This policy will block the create or update operation on Network FrontDoor if the Routing Rules contains http. It only allows https routing rules" -Policy 'https://raw.githubusercontent.com/hakashya/Azure-Policy/master/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.rules.json' -Mode All
+$definition
+$assignment = New-AzPolicyAssignment -Name -Scope -PolicyDefinition $definition -PolicyParameter
+$assignment
+````
+
+## Try with CLI
+
+````cli
+
+az policy definition create --name 'DenyNetworkFrontDoorForHttp' --display-name 'Deny Network Frontdoor when Routing Rules have http' --description 'This policy will block the create or update operation on Network FrontDoor if the Routing Rules contains http. It only allows https routing rules' --rules 'https://raw.githubusercontent.com/hakashya/Azure-Policy/master/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.rules.json' --mode All
+
+az policy assignment create --name --scope --policy "DenyNICinIncorrectSubnet" --params
+
+````
diff --git a/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.json b/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.json
new file mode 100644
index 0000000..7fef330
--- /dev/null
+++ b/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.json
@@ -0,0 +1,41 @@
+{
+ "mode": "All",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/Frontdoors"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/frontdoors/routingRules[*]",
+ "where": {
+ "anyOf": [
+ {
+ "count": {
+ "field": "Microsoft.Network/frontdoors/routingRules[*].acceptedProtocols[*]",
+ "where": {
+ "equals": "Http",
+ "field": "Microsoft.Network/frontdoors/routingRules[*].acceptedProtocols[*]"
+ }
+ },
+ "greaterOrEquals": 1
+ },
+ {
+ "field": "Microsoft.Network/frontDoors/routingRules[*].routeConfiguration.#Microsoft-Azure-FrontDoor-Models-FrontdoorForwardingConfiguration.forwardingProtocol",
+ "notContains": "HttpsOnly"
+ }
+ ]
+ }
+ },
+ "greaterOrEquals": 1
+ }
+ ]
+ },
+ "then": {
+ "effect": "deny"
+ }
+ },
+ "parameters": {}
+}
diff --git a/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.rules.json b/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.rules.json
new file mode 100644
index 0000000..0168e5c
--- /dev/null
+++ b/Deny/Azure-NetworkFrontdoor-Https-only/azurepolicy.rules.json
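Review bot: The `anyOf` inside `count.where` denies a routing rule that either accepts `Http` or whose `forwardingProtocol` does not contain `HttpsOnly`, so the common HTTP-to-HTTPS redirect rule (accepts Http, redirect routeConfiguration with no forwardingProtocol) is caught by both branches; if the goal is TLS-only delivery rather than no HTTP listener at all, the acceptedProtocols check should be limited to forwarding routeConfigurations, and how the evaluator treats `notContains` when forwardingProtocol is absent on a redirect route should be verified before relying on the second branch. `parameters` is empty and the effect is the literal `"deny"`; exposing it as `"effect": "[parameters('effect')]"` with Audit/Deny/Disabled allowed values lets the assignment run in audit mode before enforcement. The identical rule body in the azurepolicy.rules.json hunk below shares both points. Separately, the README's Deploy-to-Azure link and the `az policy assignment create --policy` value in this commit reference the NIC-subnet policy rather than this definition.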
@@ -0,0 +1,37 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/Frontdoors"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/frontdoors/routingRules[*]",
+ "where": {
+ "anyOf": [
+ {
+ "count": {
+ "field": "Microsoft.Network/frontdoors/routingRules[*].acceptedProtocols[*]",
+ "where": {
+ "equals": "Http",
+ "field": "Microsoft.Network/frontdoors/routingRules[*].acceptedProtocols[*]"
+ }
+ },
+ "greaterOrEquals": 1
+ },
+ {
+ "field": "Microsoft.Network/frontDoors/routingRules[*].routeConfiguration.#Microsoft-Azure-FrontDoor-Models-FrontdoorForwardingConfiguration.forwardingProtocol",
+ "notContains": "HttpsOnly"
+ }
+ ]
+ }
+ },
+ "greaterOrEquals": 1
+ }
+ ]
+ },
+ "then": {
+ "effect": "deny"
+ }
+ }
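Review bot: This file repeats the `if`/`then` body of azurepolicy.json verbatim, so a later correction to one file will not reach the other unless both are edited; since JSON allows no comments, the README should state which file is the source of truth (its PowerShell and CLI examples point at this rules file) or one should be generated from the other. Within the rule the alias is spelled both `Microsoft.Network/frontdoors/...` and `Microsoft.Network/frontDoors/...`; alias lookup is, as far as I know, case-insensitive, but one spelling avoids depending on that.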