
Adding update policies for PostgreSQL
Sebastian Claesson committed Feb 11, 2025
1 parent bad8e9b commit 8be960c
Showing 13 changed files with 387 additions and 63 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
{
"name": "7c90f6d1-f79a-4c1c-b44a-4a655d4774f0",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "PostgreSQL flexible servers - Disable local administrator login",
"description": "PostgreSQL flexible servers supports local administrator login",
"metadata": {
"version": "1.0.0",
"category": "PostgreSql"
},
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/flexibleServers"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLogin",
"exists": "true"
},
{
"value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLogin)",
"notEquals": "true"
}
]
},
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword",
"exists": "true"
},
{
"value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword)",
"notEquals": "true"
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
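Review bot: The definition name on L17, `7c90f6d1-f79a-4c1c-b44a-4a655d4774f0`, is the same GUID the existing "Disable Password Authentication" definition uses on L148, and the new naming-convention definition on L334 likewise reuses `d78f353a-a5e7-4747-8d31-62f361bafac5` from the allowed-versions policy on L275; policy definitions are keyed by name within a scope, so deploying both members of either pair makes the later PUT overwrite the earlier one and a control silently disappears. Give each new definition its own GUID and consider a uniqueness check on `name` in whatever deploys these files. The description on L23 only states what the service supports, not what the policy does; I would use `"description": "Denies or audits PostgreSQL flexible servers deployed with a local administratorLogin/administratorLoginPassword; use Microsoft Entra authentication instead."`. Note also that the `value` strings on L59 and L71 are not wrapped in `[...]`, so they are compared as literal text rather than evaluated as `empty()` calls.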
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"effect": {
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/flexibleServers"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLogin",
"exists": "true"
},
{
"value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLogin)",
"notEquals": "true"
}
]
},
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword",
"exists": "true"
},
{
"value": "empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLoginPassword)",
"notEquals": "true"
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
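Review bot: The `value` expressions on L121 and L133 are not wrapped in `[...]`, so Azure Policy treats `empty(Microsoft.DBForPostgreSql/flexibleServers/administratorLogin)` as a literal string that never equals `true`; both `notEquals` conditions are therefore unconditionally satisfied and each branch collapses to the bare `exists` check. Write them as template expressions over the field, matching the allowed-versions rule in this same commit: `"value": "[empty(field('Microsoft.DBForPostgreSql/flexibleServers/administratorLogin'))]", "equals": "false"`, and the same for the password branch. `administratorLoginPassword` is a write-only secret in ARM, so the second branch can presumably only ever match at deployment time under Deny and never in a compliance scan; confirm the alias is actually published before relying on it. With the default effect of Deny, any PUT that carries `administratorLogin` — possibly a redeploy of an existing server's template — may be rejected, which the description should state.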
Original file line number Diff line number Diff line change
Expand Up @@ -2,68 +2,69 @@
"name": "7c90f6d1-f79a-4c1c-b44a-4a655d4774f0",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"displayName": "PostgreSQL database servers - Disable Password Authentication",
"description": "Azure Database for PostgreSQL supports password based authentication, This policy will block the use of the local postgreSQL administrator account",
"policyType": "Custom",
"mode": "Indexed",
"displayName": "PostgreSQL flexible servers - Disable Password Authentication",
"description": "PostgreSQL flexible servers supports password based authentication",
"metadata": {
"version": "1.0.0",
"category": "PostgreSql"
"version": "1.0.0",
"category": "PostgreSql"
},
"mode": "Indexed",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
"effect": {
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/flexibleServers"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
"notEquals": "false"
},
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
"exists": "true"
}
]
},
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
"notEquals": "Disabled"
},
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
"exists": "true"
}
]
}
]
}
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/flexibleServers"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
"notEquals": "false"
},
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuthEnabled",
"exists": "true"
}
]
},
{
"allOf": [
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
"notEquals": "Disabled"
},
{
"field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth",
"exists": "true"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
}
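Review bot: Both branches of the `anyOf` on L235–L257 require the `authConfig` field to exist, so a deployment that simply omits `authConfig` is never matched; if the service defaults `passwordAuth` to Enabled when the block is absent (which I believe it does), the Deny is bypassed by leaving the property out. Add a third branch for the absent case, `{ "field": "Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth", "exists": "false" }`, so a missing block is treated as password auth enabled. `authConfig.passwordAuthEnabled` on L237 does not appear anywhere else in this commit and looks like a guessed alias; verify it is published, since an unknown alias presumably either fails definition validation or leaves that branch dead while suggesting coverage. The hunk begins at line 2 of the file, so the opening brace is outside this view; the `policyRule` itself is fully visible.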
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,14 @@
"name": "d78f353a-a5e7-4747-8d31-62f361bafac5",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"displayName": "PostgreSQL database servers - Allow certain version(s)",
"description": "Azure Database for PostgreSQL supports multiple Postgres version(s), This policy will only allow set version(s).",
"policyType": "Custom",
"mode": "Indexed",
"displayName": "PostgreSQL flexible servers - Allow certain version(s)",
"description": "PostgreSQL flexible servers supports multiple Postgres version(s), This policy will only allow set version(s).",
"metadata": {
"version": "1.0.0",
"category": "PostgreSql"
},
"mode": "Indexed",
"parameters": {
"effect": {
"type": "String",
Expand All @@ -26,7 +27,6 @@
"allowedVersions": {
"type": "array",
"defaultValue": [
"15",
"16",
"17"
],
Expand All @@ -45,7 +45,7 @@
},
{
"value": "[contains(parameters('allowedVersions'),field('Microsoft.DBForPostgreSql/flexibleServers/version'))]",
"notEquals": "true"
"equals": "false"
}
]
},
Expand Down
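Review bot: Dropping `"15"` from the default `allowedVersions` on L296 has a wider blast radius than new deployments: if the effect defaults to Deny as the sibling definitions do (the default is above L292 and not visible here), redeploying the existing template of a PostgreSQL 15 flexible server re-sends `version` and would presumably be denied, and under Audit every existing v15 server turns non-compliant as soon as the assignment is updated. State that in the description on L283 and consider either keeping 15 in the default until a migration window is agreed or shipping the default as an empty list that each assignment must fill in. The `"equals": "false"` on L305 is equivalent to the old `"notEquals": "true"` for the boolean `contains()` result; using the bare boolean `false` would be the more conventional form.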
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
"allowedVersions": {
"type": "array",
"defaultValue": [
"15",
"16",
"17"
],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
},
{
"value": "[contains(parameters('allowedVersions'),field('Microsoft.DBForPostgreSql/flexibleServers/version'))]",
"notEquals": "true"
"equals": "false"
}
]
},
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
{
"name": "d78f353a-a5e7-4747-8d31-62f361bafac5",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "PostgreSQL flexible servers administrator - Enforce a naming convention to be used for Administrator groups",
"description": "PostgreSQL flexible servers supports Entra ID Security groups to be PostgreSQL Administrator, This policy will only allow groups following a certain naming convention to be allowed as Administrator.",
"metadata": {
"version": "1.0.0",
"category": "PostgreSql"
},
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"namePattern": {
"type": "string",
"metadata": {
"displayName": "Naming pattern to enforce",
"description": "Allowed Entra ID Security group name pattern to enforce, for example Admin_* will enforce that the group starts with Admin_"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/flexibleServers/administrators"
},
{
"field": "Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalType",
"equals": "Group"
},
{
"field": "Microsoft.DBforPostgreSQL/flexibleServers/administrators/principalName",
"notLike": "[parameters('namePattern')]"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
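Review bot: The condition on L379–L380 matches on `principalName`, which for a group is its display name rather than a unique identifier, so in a tenant where group creation is not restricted any user can create a group called `Admin_anything` and have it accepted as a PostgreSQL administrator; this enforces a naming convention, not an approved set of admins. If the intent is access control rather than hygiene, pair it with or replace it by an allow-list keyed on the administrators child's object ID, and say which of the two the description on L340 means. The rule also only constrains `principalType` equal to `Group` (L375–L376), so users and service principals added as administrators pass untouched; the description should state that explicitly or a sibling definition should cover them. `namePattern` has no default and nothing stops an assignment from passing `*`, which silently turns the policy into a no-op — extend the parameter description on L363 with `Use a specific prefix such as Admin_*; a bare * allows every group.`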
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{
"effect": {
"type": "String",
"defaultValue": "Deny",
"allowedValues": [
"Audit",
"Disabled",
"Deny"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"namePattern": {
"type": "string",
"metadata": {
"displayName": "Naming pattern to enforce",
"description": "Allowed Entra ID Security group name pattern to enforce, for example Admin_* will enforce that the group starts with Admin_"
}
}
}