Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Bug Report - Deny-Storage-ServicesEncryption - Removed unneeded rules #1780

Open cjtous1 opened 1 month ago

cjtous1 commented 1 month ago

Describe the bug

When you deploy ALZ policies with the current default values for the Deny-Storage-ServicesEncryption, it checks for those 2 properties to exist and be true:

When you try to create a storage account via Terraform with the AzureRM provider, there is no way to specify those values. Those parameters were removed (see https://github.com/hashicorp/terraform-provider-azurerm/issues/3820)

These parameters were removed in AzureRM 2.0.0 because even if you set it to false, it will be set to true...

Steps to reproduce

  1. Try to create a storage account with the AzureRM provider.
  2. Get denied

I even tried the AVM module for storage account but it also does not expose this parameter to be set...

Screenshots

"evaluatedExpressions": [
  {
    "result": "True",
    "expressionKind": "Field",
    "expression": "type",
    "path": "type",
    "expressionValue": "Microsoft.Storage/storageAccounts",
    "targetValue": "Microsoft.Storage/storageAccounts",
    "operator": "Equals"
  },
  {
    "result": "True",
    "expressionKind": "Field",
    "expression": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
    "path": "properties.encryption.services.blob.enabled",
    "targetValue": "false",
    "operator": "Exists"
  }
],
"reason": "Recommended guardrails must be enforced for Storage"

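The evaluation output above shows why the deny fires even though Azure Storage encryption cannot actually be turned off: the `"exists": "false"` condition matches as soon as `properties.encryption.services.blob.enabled` is absent from the request body, which is exactly what a Terraform-generated PUT looks like. The following added example (constructed for this discussion, not code from the Enterprise-Scale repository) is a toy evaluator for the `allOf` / `anyOf` / `field` conditions used in this policy. It rebuilds the `if` block as quoted in the thread, both with the blob/file branches and in the trimmed queue/table-only form proposed further down, and runs it against constructed request bodies. The alias-to-path mapping, the request bodies and the treatment of `notEquals` on a missing field are assumptions made for the example.

```python
"""Toy evaluator for the 'if' block of an Azure Policy deny rule, covering the
allOf / anyOf / field(equals, notEquals, exists) shapes used by
Deny-Storage-ServicesEncryption. Constructed example, not ALZ code."""
import copy
from typing import Any

# Alias -> JSON path in the resource body. Constructed from the
# expression/path pairs visible in the evaluatedExpressions output.
_PREFIX = "Microsoft.Storage/storageAccounts/encryption.services."
ALIAS_TO_PATH = {"type": "type"}
for _svc in ("blob", "file"):
    ALIAS_TO_PATH[f"{_PREFIX}{_svc}.enabled"] = f"properties.encryption.services.{_svc}.enabled"
for _svc in ("queue", "table"):
    ALIAS_TO_PATH[f"{_PREFIX}{_svc}.keyType"] = f"properties.encryption.services.{_svc}.keyType"

_MISSING = object()  # sentinel for "field not present in the request body"


def lookup(body: dict, path: str) -> Any:
    """Walk a dotted path; return _MISSING if any segment is absent."""
    node: Any = body
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def _as_bool(value: Any) -> bool:
    # Policy JSON writes "exists": "false" as a string; accept bool or string.
    return value if isinstance(value, bool) else str(value).lower() == "true"


def evaluate(cond: dict, body: dict) -> bool:
    """Return True when the condition matches the request body."""
    if "allOf" in cond:
        return all(evaluate(c, body) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, body) for c in cond["anyOf"])
    value = lookup(body, ALIAS_TO_PATH.get(cond["field"], cond["field"]))
    if "exists" in cond:
        return (value is not _MISSING) == _as_bool(cond["exists"])
    if "equals" in cond:
        return value is not _MISSING and value == cond["equals"]
    if "notEquals" in cond:
        # Assumption: an absent field counts as "not equal". The anyOf wrapper
        # in the rule already covers the absent case, so the outcome is the same.
        return value is _MISSING or value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def _missing_or_not(alias: str, expected: Any) -> dict:
    """One anyOf branch of the rule: field absent OR field != expected."""
    return {"anyOf": [{"field": alias, "exists": "false"},
                      {"field": alias, "notEquals": expected}]}


def services_encryption_rule(include_blob_file: bool) -> dict:
    """Rebuild the 'if' block quoted in the issue. include_blob_file=False is
    the trimmed rule (queue/table keyType only) proposed in the thread."""
    branches = []
    if include_blob_file:
        branches += [_missing_or_not(_PREFIX + "blob.enabled", True),
                     _missing_or_not(_PREFIX + "file.enabled", True)]
    branches += [_missing_or_not(_PREFIX + "queue.keyType", "Account"),
                 _missing_or_not(_PREFIX + "table.keyType", "Account")]
    return {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                      {"anyOf": branches}]}


def is_denied(rule_if: dict, body: dict) -> bool:
    """A deny effect fires whenever the 'if' block matches."""
    return evaluate(rule_if, body)


# Constructed request body shaped like a Terraform azurerm PUT: the provider
# never emits blob/file 'enabled' flags, but queue/table key types are set.
TERRAFORM_LIKE_REQUEST = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {"encryption": {"services": {
        "queue": {"keyType": "Account"},
        "table": {"keyType": "Account"},
    }}},
}


def demo() -> dict:
    """Evaluate the full and trimmed rules against constructed requests."""
    full = services_encryption_rule(include_blob_file=True)
    trimmed = services_encryption_rule(include_blob_file=False)
    service_key = copy.deepcopy(TERRAFORM_LIKE_REQUEST)
    service_key["properties"]["encryption"]["services"]["queue"]["keyType"] = "Service"
    no_encryption_block = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}
    return {
        "tf_request_full_rule": is_denied(full, TERRAFORM_LIKE_REQUEST),
        "tf_request_trimmed_rule": is_denied(trimmed, TERRAFORM_LIKE_REQUEST),
        "service_key_trimmed_rule": is_denied(trimmed, service_key),
        "no_encryption_block_trimmed_rule": is_denied(trimmed, no_encryption_block),
        "other_resource_type": is_denied(full, {"type": "Microsoft.Network/virtualNetworks"}),
    }


if __name__ == "__main__":
    for name, denied in demo().items():
        print(f"{name}: {'DENIED' if denied else 'allowed'}")
```

The `no_encryption_block_trimmed_rule` case is worth noting: the trimmed rule still denies a request that omits `encryption.services` entirely, because the `"exists": "false"` branches on the queue and table key types are kept. Whether that is desirable depends on whether the deployment tooling always writes the key type explicitly.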
Springstone commented 1 month ago

@matt-FFFFFF do you have any thoughts on how to address this?

matt-FFFFFF commented 1 month ago

Slightly confused between the post (albeit quite old), but if you can't disable encryption then why do we need the policy?

matt-FFFFFF commented 1 month ago

@Springstone from the product docs:

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled

https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption#about-azure-storage-service-side-encryption

cjtous1 commented 1 month ago

The policy is still valid for queue and table, but the other conditions could be dropped from the policy.

  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
        {
          "anyOf": [
            {
-                "anyOf": [
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
-                    "exists": "false"
-                  },
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
-                    "notEquals": true
-                  }
-                ]
-              },
-              {
-                "anyOf": [
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
-                    "exists": "false"
-                  },
-                  {
-                    "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
-                    "notEquals": true
-                  }
-                ]
-              },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
                  "exists": "false"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
                  "notEquals": "Account"
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
                  "exists": "false"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
                  "notEquals": "Account"
                }
              ]
            }
          ]
        }
      ]
    }
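Review bot: the trimmed `if` block keeps the `"exists": "false"` members on `encryption.services.queue.keyType` and `encryption.services.table.keyType`, so a request that omits the `encryption.services` block entirely is still denied in the same way the evaluatedExpressions above show for blob (`"operator": "Exists"` matching an absent `properties.encryption.services.blob.enabled`). If the intent is only to deny key types other than `Account`, the `exists` members should go too and only `"notEquals": "Account"` should remain; if omitted key types should also be denied, the proposal should state that deployers must set them explicitly. The snippet also stops at the closing brace of `if` and leaves out `then`, so the deny effect and its parameter default cannot be checked alongside the condition change.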