Network_applicationGateways_ZoneResilient_Audit.json
{
"properties": {
"displayName": "[Preview]: Application Gateways should be Zone Resilient",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gateways that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gateways with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.",
"metadata": {
"category": "Resilience",
"version": "1.0.0-preview",
"preview": true
},
"version": "1.0.0-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "This parameter lets you choose the effect of the policy. If you choose Audit (default), the policy will only audit resources for compliance. If you choose Deny, the policy will deny the creation of non-compliant resources. If you choose Disabled, the policy will not enforce compliance (useful, for example, as a second assignment to ignore a subset of non-compliant resources in a single resource group)."
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"allow": {
"type": "String",
"metadata": {
"displayName": "Allowed Zone Configurations",
"description": "This parameter lets you choose what type of Zone Resilience you want to allow. Aligned will identify any resources that are not configured as Zone Aligned as non-compliant resources. Redundant will identify any resources that are not configured to be Zone Redundant as non-compliant resources. Both (default) will identify any resource configurations that are not Zone Aligned or Zone Redundant as non-compliant resources."
},
"allowedValues": [
"Both",
"Redundant",
"Aligned"
],
"defaultValue": "Both"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/applicationGateways"
},
{
"anyOf": [
{
"allOf": [
{
"value": "[parameters('allow')]",
"equals": "Both"
},
{
"count": {
"field": "Microsoft.Network/applicationGateways/zones[*]"
},
"equals": 0
}
]
},
{
"allOf": [
{
"value": "[parameters('allow')]",
"equals": "Redundant"
},
{
"count": {
"field": "Microsoft.Network/applicationGateways/zones[*]"
},
"less": 2
}
]
},
{
"allOf": [
{
"value": "[parameters('allow')]",
"equals": "Aligned"
},
{
"count": {
"field": "Microsoft.Network/applicationGateways/zones[*]"
},
"notEquals": 1
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0-PREVIEW"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/493c215c-0553-4976-bc81-57d2c04fc8c1",
"name": "493c215c-0553-4976-bc81-57d2c04fc8c1"
}