Azure Policy to validate if TLS field is not selected
I am trying to implement a Deny Policy for "Azure Database for MySQL" -> "Connection Security" in Azure Portal which validates that once the "Enforce SSL Connection" is set to "Enabled" (handled in a separate policy), only a minimum of TLS 1.2 will be allowed.
The challenge I have is that a non-selection of a TLS version should not be allowed. However, when "Enabled" is selected, there is no default TLS version selected, so the version is blank if a user does not select one. My policy will only allow TLS 1.2, so that portion is working correctly, but I am having challenges dealing with a non-selection. "Save" should not be allowed if this is the case; however, based on my current definition, "Save" is still allowed. A snippet from my existing definition:
```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DBforMySQL/servers"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
            "notEquals": "TLS1_2"
          },
          {
            "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
            "equals": "TLSEnforcementDisabled"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
Please advise as to what I would need to change in my policy definition. Thank you.
A similar policy would be implemented for Azure MariaDB and PostgreSQL after I get this right.
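Added example, not part of the question above: a complete policy definition that also catches the "no version selected" case. The assumption behind it is that when the portal is saved with "Enforce SSL Connection" enabled but no TLS version chosen, the request omits the `minimalTlsVersion` property rather than sending `TLS1_2`; an `equals` or `notEquals` condition is evaluated against a value that is present in the request, so a property that is absent from it has to be matched with the `exists` condition instead. Adding an `"exists": "false"` alternative to the `anyOf` makes the missing property itself a deny match. The `"equals": "TLSEnforcementDisabled"` clause from the original snippet is dropped because any value other than `TLS1_2` (including `TLSEnforcementDisabled`) is already matched by `notEquals`. The display name, description and resource type are illustrative; the MariaDB and PostgreSQL variants would swap `Microsoft.DBforMySQL/servers` for the corresponding provider type and field alias.

```json
{
  "properties": {
    "displayName": "MySQL servers must set minimum TLS version to 1.2",
    "description": "Denies creation or update of an Azure Database for MySQL server unless minimalTlsVersion is present and set to TLS1_2. A request that omits the property (no TLS version selected) is denied as well.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
                "exists": "false"
              },
              {
                "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
                "notEquals": "TLS1_2"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

To try it, save the `policyRule` object alone to a file and register it with `az policy definition create --name mysql-min-tls12 --mode Indexed --rules <file>`, then assign it with `az policy assignment create --policy mysql-min-tls12 --scope <scope>`. Check three saves against the assigned scope: a server with `TLS1_2` (should succeed), one with `TLS1_1` or `TLSEnforcementDisabled` (should be denied by `notEquals`), and one saved with SSL enforcement enabled but no version chosen (should now be denied by `exists: false`). If the last case still saves, capture the request body (for example from the portal's browser developer tools or the activity log) to confirm whether the property is omitted or sent with an empty string; an empty string is present, so it is caught by `notEquals`, while an omitted property is caught only by `exists`.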