Standardize Policy Naming Convention in Enterprise-Scale
Describe the solution you'd like
As part of this issue, I would like to invite proposals for standardising the naming convention for policies used in Enterprise-Scale, which can be enforced as part of a pull request, with the following design goals in mind:
- Allow iterative development of artefacts independently in the respective repos https://github.com/Azure/Enterprise-Scale and https://github.com/Azure/terraform-azurerm-caf-enterprise-scale
- Ensure consistency and minimise breaking changes in the Terraform module for ES in https://github.com/Azure/terraform-azurerm-caf-enterprise-scale
Proposal for Naming Convention
Append-AppService-HttpsOnly
Append-AppService-LatestTLS
Append-Redis-DisableNonSslPort
Append-Redis-SslEnforcement
Deny-AA-Child-Resources
Deny-ApplicationGateway-Without-WAF
Deny-AppService-ApiApp-Http
Deny-AppService-FunctionApp-Http
Deny-AppService-WebApp-Http
Deny-MySql-Http
Deny-PostgreSql-Http
Deny-Private-DNS-Zones
Deny-PublicEndpoint-AKS
Deny-PublicEndpoint-CosmosDB
Deny-PublicEndpoint-KeyVault
Deny-PublicEndpoint-MariaDB
Deny-PublicEndpoint-MySQL
Deny-PublicEndpoint-PostgreSql
Deny-PublicEndpoint-Sql
Deny-PublicEndpoint-Storage
Deny-PublicIP
Deny-RDP-From-Internet
Deny-Redis-Http
Deny-Sql-MinTLS
Deny-SqlMI-MinTLS
Deny-Storage-MinTLS
Deny-Subnet-Without-NSG
Deny-Subnet-Without-UDR
Deny-VNet-Peer-Cross-Sub
Deny-VNet-Peering
Deploy-ASC-Defender-ACR
Deploy-ASC-Defender-AKS
Deploy-ASC-Defender-AKV
Deploy-ASC-Defender-AppService
Deploy-ASC-Defender-ARM
Deploy-ASC-Defender-DNS
Deploy-ASC-Defender-SA
Deploy-ASC-Defender-Sql
Deploy-ASC-Defender-SqlVM
Deploy-ASC-Defender-VM
Deploy-ASC-SecurityContacts
Deploy-Budget
Deploy-DDoSProtection
Deploy-Default-UDR
Deploy-Diagnostics-AA
Deploy-Diagnostics-ACI
Deploy-Diagnostics-ACR
Deploy-Diagnostics-ActivityLog
Deploy-Diagnostics-AKS
Deploy-Diagnostics-AnalysisService
Deploy-Diagnostics-ApiForFHIR
Deploy-Diagnostics-APIMgmt
Deploy-Diagnostics-ApplicationGateway
Deploy-Diagnostics-Batch
Deploy-Diagnostics-CDNEndpoints
Deploy-Diagnostics-CognitiveServices
Deploy-Diagnostics-CosmosDB
Deploy-Diagnostics-Databricks
Deploy-Diagnostics-DataExplorerCluster
Deploy-Diagnostics-DataFactory
Deploy-Diagnostics-DataLakeStore
Deploy-Diagnostics-DLAnalytics
Deploy-Diagnostics-EventGridSub
Deploy-Diagnostics-EventGridSystemTopic
Deploy-Diagnostics-EventGridTopic
Deploy-Diagnostics-EventHub
Deploy-Diagnostics-ExpressRoute
Deploy-Diagnostics-Firewall
Deploy-Diagnostics-FrontDoor
Deploy-Diagnostics-Function
Deploy-Diagnostics-HDInsight
Deploy-Diagnostics-IotHub
Deploy-Diagnostics-KeyVault
Deploy-Diagnostics-LoadBalancer
Deploy-Diagnostics-LogicAppsISE
Deploy-Diagnostics-LogicAppsWF
Deploy-Diagnostics-MariaDB
Deploy-Diagnostics-MediaService
Deploy-Diagnostics-MLWorkspace
Deploy-Diagnostics-MySQL
Deploy-Diagnostics-NIC
Deploy-Diagnostics-NSG
Deploy-Diagnostics-PostgreSql
Deploy-Diagnostics-PowerBIEmbedded
Deploy-Diagnostics-RecoveryVault
Deploy-Diagnostics-RedisCache
Deploy-Diagnostics-Relay
Deploy-Diagnostics-SearchServices
Deploy-Diagnostics-ServiceBus
Deploy-Diagnostics-SignalR
Deploy-Diagnostics-SqlDBs
Deploy-Diagnostics-SqlElasticPools
Deploy-Diagnostics-SqlMI
Deploy-Diagnostics-StreamAnalytics
Deploy-Diagnostics-TimeSeriesInsights
Deploy-Diagnostics-TrafficManager
Deploy-Diagnostics-VirtualNetwork
Deploy-Diagnostics-VM
Deploy-Diagnostics-VMSS
Deploy-Diagnostics-VNetGW
Deploy-Diagnostics-WebServerFarm
Deploy-Diagnostics-Website
Deploy-Diagnostics-WVDAppGroup
Deploy-Diagnostics-WVDHostPools
Deploy-Diagnostics-WVDWorkspace
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint
Deploy-DNSZoneGroup-For-File-PrivateEndpoint
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint
Deploy-FirewallPolicy
Deploy-Hub
Deploy-Log-Analytics
Deploy-Log-Analytics-Config
Deploy-MySql-SslEnforcement
Deploy-NSG-FlowLogs
Deploy-NSG-FlowLogs-To-Log-Analytics
Deploy-PostgreSQL-SslEnforcement
Deploy-Sql-Audit-Settings
Deploy-Sql-MinTLS
Deploy-Sql-SecurityAlertPolicies
Deploy-Sql-Tde
Deploy-Sql-VulnerabilityAssessments
Deploy-SqlMI-MinTLS
Deploy-Storage-SslEnforcement
Deploy-VHub
Deploy-VNet
Deploy-VNet-HubSpoke
Deploy-VWan
Deploy-Windows-DomainJoin
Implementation options:
- GitHub Action
  - [ ] Check max length for policy name is <64 characters
  - [ ] Check policy resource name and name are consistent
  - [ ] Check for Pascal casing
  - [ ] Check that policy only uses approved verbs and nouns specified in Actions

  Pros:
  - Simple to implement

  Cons:
  - Static checks only and will not be comprehensive
- Run Terraform plan as a part of build validation

  Pros:
  - Validation through TF, which will cover static and dynamic validation based on deployment

  Cons:
  - Complexity to bring the TF plan validation task into the ES repo
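The static checks listed for the GitHub Action option (max length, name/display-name consistency, Pascal casing, approved verbs) can be expressed as a small validator that runs over the policy definition files in a pull request. The following is an added example written for this issue, not code from the Enterprise-Scale repo or its CI; it assumes policy definitions are JSON files whose resource `name` must equal `properties.displayName` (the field pairing is an assumption), takes the approved verb set from the proposed list above (`Append`, `Deny`, `Deploy`), and treats each hyphen-separated token as PascalCase when it starts with an uppercase letter and contains only letters and digits (so acronyms such as `ASC` and `AKS` pass). The sample documents are constructed for the demonstration.

```python
import json
import re
import sys

# Verbs that appear in the proposed naming convention on this issue.
APPROVED_VERBS = {"Append", "Deny", "Deploy"}
# Proposal: policy name must be < 64 characters.
MAX_NAME_LENGTH = 64
# One PascalCase token: uppercase first letter, then letters/digits only.
TOKEN_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")


def check_policy_name(name, approved_verbs=APPROVED_VERBS):
    """Return the list of violations for one policy name (empty when it conforms)."""
    problems = []
    if len(name) >= MAX_NAME_LENGTH:
        problems.append(f"name length {len(name)} is not < {MAX_NAME_LENGTH}")
    tokens = name.split("-")
    if any(token == "" for token in tokens):
        problems.append("empty token (leading, trailing or doubled hyphen)")
    for token in tokens:
        if token and not TOKEN_RE.match(token):
            problems.append(f"token {token!r} is not PascalCase")
    if tokens[0] not in approved_verbs:
        problems.append(f"verb {tokens[0]!r} not in approved set {sorted(approved_verbs)}")
    return problems


def check_policy_definition(definition):
    """Validate one policy-definition document: name rules plus name/displayName consistency.

    Assumption: the resource 'name' and 'properties.displayName' are the two fields
    the proposal's 'resource name and name are consistent' check refers to.
    """
    name = definition.get("name", "")
    problems = check_policy_name(name)
    display_name = definition.get("properties", {}).get("displayName")
    if display_name != name:
        problems.append(f"displayName {display_name!r} does not match resource name {name!r}")
    return problems


def validate_files(documents):
    """Run the checks over {path: json_text}; return only entries that have violations."""
    report = {}
    for path, text in documents.items():
        try:
            definition = json.loads(text)
        except json.JSONDecodeError as exc:
            report[path] = [f"invalid JSON: {exc}"]
            continue
        problems = check_policy_definition(definition)
        if problems:
            report[path] = problems
    return report


# Constructed sample inputs: one conforming definition, one that breaks several
# rules at once, and one file that is not valid JSON.
SAMPLE_DOCUMENTS = {
    "policies/Deny-PublicEndpoint-KeyVault.json": json.dumps(
        {"name": "Deny-PublicEndpoint-KeyVault",
         "properties": {"displayName": "Deny-PublicEndpoint-KeyVault"}}),
    "policies/deploy_diagnostics-keyvault.json": json.dumps(
        {"name": "deploy_diagnostics-keyvault",
         "properties": {"displayName": "Deploy-Diagnostics-KeyVault"}}),
    "policies/broken.json": "{ not json",
}


def main(argv):
    """CI entry point: validate the files given on the command line (or the samples)
    and exit non-zero when any violation is found, so the PR check fails."""
    if len(argv) > 1:
        documents = {path: open(path, encoding="utf-8").read() for path in argv[1:]}
    else:
        documents = SAMPLE_DOCUMENTS
    report = validate_files(documents)
    for path, problems in sorted(report.items()):
        for problem in problems:
            print(f"{path}: {problem}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python check_policy_names.py policies/*.json` from the Action step; the non-zero exit code is what makes the pull request check fail. The approved-verb set and the token regex are the two knobs to extend if nouns are to be whitelisted as well, as the proposal suggests.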
Looks good to me. Main observation (and this is a slight extension to the original conversation around consistency) is that it's difficult to differentiate between networking policies and whether they are intended to be for "hub & spoke", "Virtual WAN", or "generic". If we can address this as part of this issue, that would be a definite bonus!
@krowlandson Does the notation of "Deny" vs "Deploy" help?
Deploy-VHub
Deploy-VNet
Deploy-VNet-HubSpoke
Deploy-VWan
@uday31in Should we have this all lowercase? Like it is in the CAF Resource-Naming best practice?
vnet-shared-eastus2-001
vnet-prod-westus-001
vnet-client-eastus2-001
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
Trigger ADO Sync 1
Trigger ADO Sync 2
Closing as standardised in contribution guide: https://aka.ms/alz/contribute