Azure / template-analyzer

Template scanner for security misconfiguration and best practices
MIT License

[Built-in Rule] SQL managed instances should use customer-managed keys to encrypt data at rest #95

Open yane3628 opened 3 years ago

yane3628 commented 3 years ago

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json

```json
{
  "name": "Sql_ManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey",
  "description": "SQL managed instances should use customer-managed keys to encrypt data at rest",
  "recommendation": "Implement Transparent Data Encryption (TDE) with your own key",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#sql-managed-instances-should-use-customer-managed-keys-to-encrypt-data-at-rest",
  "evaluation": {
    "where": {
      "resourceType": "Microsoft.Sql/managedInstances",
      "path": "name",
      "hasValue": true
    },
    "evaluate": {
      "resourceType": "Microsoft.Sql/managedInstances/encryptionProtector",
      "anyOf": [
        {
          "path": "properties.serverKeyType",
          "notEquals": "AzureKeyVault"
        },
        {
          "path": "properties.uri",
          "equals": ""
        },
        {
          "path": "properties.uri",
          "exists": false
        }
      ]
    }
  }
}
```

yane3628 commented 3 years ago

uri is not part of the properties according to the Template schema docs. https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/managedinstances/encryptionprotector?tabs=json#managedinstanceencryptionprotectorproperties-object

JohnathonMohr commented 3 years ago

I wonder if it's supposed to look at this schema instead: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/managedinstances/keys?tabs=json

JohnathonMohr commented 3 years ago

Looking at the schemas of encryptionProtector and keys, I wonder if it's supposed to be a combination of both. encryptionProtector might reference a key that's defined in the keys schema.
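A check that combines the two child resources the way the previous comment suggests, written as an added example (it is not the issue author's rule and not Template Analyzer's own evaluator). It assumes the ARM template reference shapes for the two child types: `Microsoft.Sql/managedInstances/encryptionProtector` carries `properties.serverKeyType` and `properties.serverKeyName`, while `Microsoft.Sql/managedInstances/keys` carries `properties.serverKeyType` and `properties.uri`. The three findings it can raise mirror the rule draft's `anyOf` (key type not `AzureKeyVault`, `uri` empty, `uri` absent), but the `uri` conditions are resolved on the key the protector names rather than on the protector itself. The sample templates and resource names are constructed for the example.

```python
"""Customer-managed-key check for SQL managed instances in an ARM template.

Added example, not the project's code.  Assumed resource shapes (from the
ARM template reference for Microsoft.Sql/managedInstances child resources):
  .../encryptionProtector -> properties.serverKeyType, properties.serverKeyName
  .../keys                -> properties.serverKeyType, properties.uri
"""
import copy

MI_TYPE = "Microsoft.Sql/managedInstances"
PROTECTOR_TYPE = MI_TYPE + "/encryptionProtector"
KEY_TYPE = MI_TYPE + "/keys"


def _flatten(resources, parent_type="", parent_name=""):
    """Yield (type, name, resource) for every resource, expanding nested child
    resources (short type "keys") into the full "Parent/child" type and name."""
    for res in resources:
        rtype = res.get("type", "")
        rname = res.get("name", "")
        if parent_type and "/" not in rtype:
            rtype = f"{parent_type}/{rtype}"
            rname = f"{parent_name}/{rname}"
        yield rtype, rname, res
        yield from _flatten(res.get("resources", []), rtype, rname)


def evaluate_cmk(template):
    """Return one finding string per managed instance whose TDE protector is
    not backed by a Key Vault key that carries a non-empty uri."""
    flat = list(_flatten(template.get("resources", [])))
    findings = []
    for rtype, rname, _ in flat:
        if rtype.lower() != MI_TYPE.lower():
            continue
        prefix = rname.lower() + "/"
        protectors = [r for t, n, r in flat
                      if t.lower() == PROTECTOR_TYPE.lower()
                      and n.lower().startswith(prefix)]
        if not protectors:
            # No protector declared: the instance stays on the service-managed key.
            findings.append(f"{rname}: no encryptionProtector defined")
            continue
        props = protectors[0].get("properties", {})
        key_type = props.get("serverKeyType")
        if key_type != "AzureKeyVault":
            findings.append(f"{rname}: encryptionProtector.serverKeyType is "
                            f"{key_type!r}, expected 'AzureKeyVault'")
            continue
        # Resolve the referenced key among the instance's keys child resources.
        key_name = props.get("serverKeyName", "")
        keys = [r for t, n, r in flat
                if t.lower() == KEY_TYPE.lower()
                and n.lower() == (prefix + key_name).lower()]
        if not keys:
            # Conservative: a key not declared in this template cannot be verified.
            findings.append(f"{rname}: protector references key {key_name!r} "
                            "that is not defined in this template")
            continue
        if not keys[0].get("properties", {}).get("uri"):
            findings.append(f"{rname}: key {key_name!r} has no Key Vault uri")
    return findings


# Constructed sample: a managed instance with a Key Vault key and a protector
# that names it.  This is what the rule should accept.
COMPLIANT_TEMPLATE = {
    "resources": [{
        "type": MI_TYPE,
        "name": "mi-example",
        "resources": [
            {"type": "keys", "name": "kv_key_1",
             "properties": {"serverKeyType": "AzureKeyVault",
                            "uri": "https://example-vault.vault.azure.net/keys/key1/abc123"}},
            {"type": "encryptionProtector", "name": "current",
             "properties": {"serverKeyType": "AzureKeyVault",
                            "serverKeyName": "kv_key_1"}},
        ],
    }]
}

# Constructed sample: protector explicitly on the service-managed key.
SERVICE_MANAGED_TEMPLATE = {
    "resources": [{
        "type": MI_TYPE,
        "name": "mi-example",
        "resources": [
            {"type": "encryptionProtector", "name": "current",
             "properties": {"serverKeyType": "ServiceManaged",
                            "serverKeyName": "ServiceManaged"}},
        ],
    }]
}

# Constructed sample: Key Vault key type, but the referenced key has no uri.
MISSING_URI_TEMPLATE = copy.deepcopy(COMPLIANT_TEMPLATE)
MISSING_URI_TEMPLATE["resources"][0]["resources"][0]["properties"].pop("uri")

if __name__ == "__main__":
    for label, tpl in [("compliant", COMPLIANT_TEMPLATE),
                       ("service-managed", SERVICE_MANAGED_TEMPLATE),
                       ("missing-uri", MISSING_URI_TEMPLATE)]:
        print(label, evaluate_cmk(tpl) or "OK")
```

The lookup is case-insensitive on types and names because ARM treats both that way, and an instance whose protector names a key that the template does not declare is reported rather than silently accepted, since the key's uri cannot be inspected from the template alone.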

yane3628 commented 3 years ago

I'm not sure. I find it unlikely the type is wrong in the Policy...

yane3628 commented 3 years ago

@JohnathonMohr This is likely a case of aliasing in action...