Hi @Sumarigo-MSFT /@JamesTran-MSFT ,
Hope you are doing well.
In my current organization, we are leveraging Azure DevOps pipelines to invoke the policies so that compliance is enforced across resources. I would like to request your help with a custom policy for the above requirement. I have tried to build the policy and wanted to validate it, but I am unable to do so in a free-tier account, as VM sizes are not available in all regions.
{
"properties": {
"displayName": "Azure disk encryption should use a customer-managed key",
"policyType": "Custom",
"mode": "Indexed",
"description": "Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.",
"metadata": {
"category": "Compute",
"version": "3.0.0"
},
"parameters": {
"effect": {
"type": "string",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
"DeployIfNotExists"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
"exists": "False"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"value": "[length(field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks'))]",
"greater": 0
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[].managedDisk.id",
"exists": "False"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[].managedDisk.diskEncryptionSet.id",
"exists": "False"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/disks"
},
{
"field": "Microsoft.Compute/disks/encryption.diskEncryptionSetId",
"exists": "False"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/galleries/images/versions"
},
{
"value": "[length(field('Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[].encryption.osDiskImage.diskEncryptionSetId'))]",
"notEquals": "[length(field('Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[]'))]"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/galleries/images/versions"
},
{
"value": "[length(field('Microsoft.Compute/galleries/images/versions/storageProfile.dataDiskImages[]'))]",
"greater": 0
},
{
"anyOf": [
{
"count": {
"field": "Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[]",
"where": {
"value": "[length(current('Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[].encryption.dataDiskImages[].diskEncryptionSetId'))]",
"notEquals": "[length(field('Microsoft.Compute/galleries/images/versions/storageProfile.dataDiskImages[]'))]"
}
},
"greater": 0
},
{
"not": {
"field": "Microsoft.Compute/galleries/images/versions/publishingProfile.targetRegions[].encryption.dataDiskImages[].diskEncryptionSetId",
"exists": "true"
}
}
]
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/images"
},
{
"field": "Microsoft.Compute/images/storageProfile.osDisk.diskEncryptionSet.id",
"exists": "False"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/images"
},
{
"value": "[length(field('Microsoft.Compute/images/storageProfile.dataDisks[]'))]",
"greater": 0
},
{
"not": {
"field": "Microsoft.Compute/images/storageProfile.dataDisks[*].diskEncryptionSet.id",
"exists": "true"
}
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"deployment": {
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string",
"metadata": {
"description": "Name of the virtual machine"
}
},
"keyVaultName": {
"type": "string",
"metadata": {
"description": "Name of the KeyVault to place the volume encryption key"
}
},
"keyVaultResourceGroup": {
"type": "string",
"metadata": {
"description": "Resource group of the KeyVault"
}
},
"keyEncryptionKeyURL": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "URL of the KeyEncryptionKey used to encrypt the volume encryption key"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"extensionName": "AzureDiskEncryption",
"extensionVersion": "2.2",
"encryptionOperation": "EnableEncryption",
"keyEncryptionAlgorithm": "RSA-OAEP",
"keyVaultResourceID": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('vmName'),'/', variables('extensionName'))]",
"location": "[parameters('location')]",
"apiVersion": "2020-06-01",
"properties": {
"publisher": "Microsoft.Azure.Security",
"type": "[variables('extensionName')]",
"typeHandlerVersion": "[variables('extensionVersion')]",
"autoUpgradeMinorVersion": true,
"settings": {
"EncryptionOperation": "[variables('encryptionOperation')]",
"KeyVaultURL": "[reference(variables('keyVaultResourceId'), '2019-09-01').vaultUri]",
"KeyVaultResourceId": "[variables('keyVaultResourceID')]",
"KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
"KekVaultResourceId": "[variables('keyVaultResourceID')]",
"KeyEncryptionAlgorithm": "[variables('keyEncryptionAlgorithm')]",
}
}
}
],
"outputs":{}
},
"parameters": {
"vmName": {
"value": "GET-PREREQ-vmName"
},
"keyVaultName": {
"value": "GEN-KEYVAULT-NAME"
},
"keyVaultResourceGroup": {
"value": "GEN-KEYVAULT-RESOURCEGROUP-NAME"
},
"keyEncryptionKeyURL": {
"value": "GEN-KEYVAULT-ENCRYPTION-KEY-URI"
}
}
"id": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0",
"name": "702dd420-7fcc-42c5-afe8-4026edd20fe0"
}
}
}
Can you please go through the above policy and advise me whether we can enable ADE on multiple machines while passing the parameters at run time.
Looking forward to your kind response.
Thank you,
Raju.