FirewallEnabled_Modify.json
{
"properties": {
"displayName": "Configure key vaults to enable firewall",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",
"metadata": {
"version": "1.1.1",
"category": "Key Vault"
},
"version": "1.1.1",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Modify",
"Disabled"
],
"defaultValue": "Modify"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
},
{
"field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
"notEquals": "Deny"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"conflictEffect": "audit",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
],
"operations": [
{
"operation": "addOrReplace",
"field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
"value": "Deny"
}
]
}
}
},
"versions": [
"1.1.1"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc",
"name": "ac673a9a-f77d-4846-b2d8-a57f8e1c01dc"
}