Closed vegazbabz closed 3 months ago
Thanks @vegazbabz
For the policy enhancement suggestions here, we will triage and come back to you with any further questions or clarity we may have or require and let you know an outcome.
If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.
Thanks - the ALZ Team
@vegazbabz This is a good shout, and thank you for the thorough documentation. We'll add it to our backlog.
Addressed in PR: https://github.com/Azure/Enterprise-Scale/pull/1622
Replace the ALZ policy "Storage Account set to minimum TLS and Secure transfer should be enabled" (Deny-Storage-minTLS) with the 2 built-in policies:
The ALZ policy contains the same policyRule as the 2 policies combined.
Part of policy initiative "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" (Enforce-EncryptTransit).
Rationale: Follows the strategy of using built-in policies when possible. Furthermore, it does not make sense to include two (2) different settings in one policy initiative. If you want to follow that logic, then why not make one policy with all settings for SQL or App Services, etc.? It would be messy. In addition, troubleshooting, including custom error messaging, will be easier for the deny effect, and auditing will be easier for the audit effect, as you can see exactly which policy is in effect, which means you can see which setting/property is causing the issue.
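To make the troubleshooting argument concrete, here is an added example that is not code from the Enterprise-Scale repository or from the built-in policy definitions. It models a combined storage-account rule of the shape the issue describes (one `anyOf` over both settings) next to two single-setting rules, and runs a small evaluator over constructed sample resources. The rule bodies are paraphrases written for this example; only the two aliases `Microsoft.Storage/storageAccounts/minimumTlsVersion` and `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` and the resource type are real Azure identifiers. The evaluator supports just `allOf`, `anyOf`, `field`, `equals`, `notEquals` and `exists` (modelled as a Python bool), and it treats an omitted property as non-compliant, which is an assumption of this example and not a statement about the service's defaults.

```python
"""Combined vs split Azure Policy rules: which policy tells you what is wrong?

Constructed example. Rule bodies are simplified paraphrases, not copies of the
ALZ or built-in definitions; the evaluator covers only the subset of the
policyRule language used below.
"""
from typing import Any

TLS_ALIAS = "Microsoft.Storage/storageAccounts/minimumTlsVersion"
HTTPS_ALIAS = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

IS_STORAGE = {"field": "type", "equals": STORAGE_TYPE}
# Non-compliant if the property is absent from the request (assumption of this
# example) or set to anything other than TLS1_2.
TLS_NOT_12 = {"anyOf": [
    {"field": TLS_ALIAS, "exists": False},
    {"field": TLS_ALIAS, "notEquals": "TLS1_2"},
]}
# Non-compliant if secure transfer is absent or explicitly disabled.
HTTPS_NOT_ON = {"anyOf": [
    {"field": HTTPS_ALIAS, "exists": False},
    {"field": HTTPS_ALIAS, "equals": False},
]}

# One rule covering both settings: the shape the issue proposes to retire.
COMBINED_POLICY = {
    "name": "Deny-Storage-minTLS",
    "policyRule": {
        "if": {"allOf": [IS_STORAGE, {"anyOf": [TLS_NOT_12, HTTPS_NOT_ON]}]},
        "then": {"effect": "deny"},
    },
}
# Two single-setting rules in the spirit of the built-ins the issue proposes.
MIN_TLS_NAME = "Storage accounts should have the specified minimum TLS version"
SECURE_TRANSFER_NAME = "Secure transfer to storage accounts should be enabled"
SPLIT_POLICIES = [
    {"name": MIN_TLS_NAME,
     "policyRule": {"if": {"allOf": [IS_STORAGE, TLS_NOT_12]},
                    "then": {"effect": "deny"}}},
    {"name": SECURE_TRANSFER_NAME,
     "policyRule": {"if": {"allOf": [IS_STORAGE, HTTPS_NOT_ON]},
                    "then": {"effect": "deny"}}},
]

# Constructed sample request bodies, flattened to alias -> value.
SAMPLE_RESOURCES: dict[str, dict[str, Any]] = {
    "compliant": {"type": STORAGE_TYPE, TLS_ALIAS: "TLS1_2", HTTPS_ALIAS: True},
    "old_tls_only": {"type": STORAGE_TYPE, TLS_ALIAS: "TLS1_0", HTTPS_ALIAS: True},
    "http_allowed_only": {"type": STORAGE_TYPE, TLS_ALIAS: "TLS1_2", HTTPS_ALIAS: False},
    "both_omitted": {"type": STORAGE_TYPE},  # neither property in the request
    "not_storage": {"type": "Microsoft.KeyVault/vaults"},
}


def matches(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Evaluate one policyRule condition against a flattened resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    field = cond["field"]
    if "exists" in cond:
        return (field in resource) == cond["exists"]
    value = resource.get(field)
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def denying_policies(policies: list[dict[str, Any]], resource: dict[str, Any]) -> list[str]:
    """Names of the deny-effect policies whose 'if' block matches the resource."""
    return [p["name"] for p in policies
            if p["policyRule"]["then"]["effect"] == "deny"
            and matches(p["policyRule"]["if"], resource)]


if __name__ == "__main__":
    for label, res in SAMPLE_RESOURCES.items():
        combined = denying_policies([COMBINED_POLICY], res)
        split = denying_policies(SPLIT_POLICIES, res)
        # With the combined rule, two different misconfigurations yield the same
        # single denial; the split rules name the offending setting.
        print(f"{label:18} combined={combined}  split={split}")
```

Running it shows `old_tls_only` and `http_allowed_only` both denied by the one name `Deny-Storage-minTLS`, while the split policies return the TLS policy for the first and the secure-transfer policy for the second, and both names when both properties are omitted; that per-setting attribution is what the issue is asking for in deny messages and compliance audits.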