Enterprise-Scale
Append-AppService-latestTLS and others Microsoft.Web/sites/config
We seem to have a discrepancy between the latestTLS Azure Policy and the usage of non-web sites/config resources. According to the documentation, the sites/config resource accepts different properties based on the value of the name property. Therefore, only config/web should be subject to this policy. I could suggest this could be accomplished by adding an "id" endsWith 'config/web' condition as well as the minTlsVersion query, to avoid reporting other sites/config resources as non-compliant.
Thanks for correcting me if I'm missing something here.
References: https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2
https://github.com/Azure/Enterprise-Scale/blob/0f78874689e21b9cbc48863797fbf077bfd1c4f9/src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS.json#L53
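To show the scoping effect the issue asks for, here is an added example (my own code, not the Enterprise-Scale policy file): a simplified rule in the shape the issue describes, a copy of it with the extra id condition, and a small evaluator that runs both over constructed sites/config resources. The id suffix check is written with Azure Policy's `like` operator and a leading `*`, which is the assumed equivalent of the endsWith condition mentioned above; the evaluator's handling of a missing field is also an assumption, chosen to reproduce the non-compliance the issue reports.

```python
import fnmatch

TLS_FIELD = "Microsoft.Web/sites/config/minTlsVersion"


def site_prefix(app: str) -> str:
    """Constructed resource id prefix for a hypothetical web app (placeholders, not real ids)."""
    return f"/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/sites/{app}"


# Rule conditions in the shape the issue describes: type check plus TLS check only.
ORIGINAL_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.Web/sites/config"},
    {"field": TLS_FIELD, "notEquals": "1.2"},
]}

# The same rule scoped to the "web" config child via an id suffix match (assumed
# equivalent of the endsWith condition suggested in the issue).
SCOPED_RULE = {"allOf": ORIGINAL_RULE["allOf"] + [{"field": "id", "like": "*/config/web"}]}

# Constructed sample resources: two config/web children and one authsettingsV2 child,
# which carries no minTlsVersion property at all.
RESOURCES = [
    {"id": site_prefix("app1") + "/config/web", "type": "Microsoft.Web/sites/config", TLS_FIELD: "1.0"},
    {"id": site_prefix("app2") + "/config/web", "type": "Microsoft.Web/sites/config", TLS_FIELD: "1.2"},
    {"id": site_prefix("app3") + "/config/authsettingsV2", "type": "Microsoft.Web/sites/config"},
]


def condition_holds(cond: dict, resource: dict) -> bool:
    """Evaluate one condition. A missing field counts as 'not equal' (assumed semantics,
    matching the behaviour the issue reports for non-web config children)."""
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "like" in cond:
        # Azure Policy 'like' uses '*' as its wildcard; fnmatch's '*' spans '/' as well.
        return value is not None and fnmatch.fnmatchcase(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def flagged(rule: dict, resources: list) -> list:
    """Return the ids of the resources the append effect would fire on."""
    return [r["id"] for r in resources if all(condition_holds(c, r) for c in rule["allOf"])]


if __name__ == "__main__":
    print("original rule flags:", flagged(ORIGINAL_RULE, RESOURCES))
    print("scoped rule flags:  ", flagged(SCOPED_RULE, RESOURCES))
```

With the original conditions the authsettingsV2 child is flagged alongside the TLS 1.0 web config; with the id condition added only the web config is.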
Thanks for raising this @brunolauze.
Just to clarify the problem statement, are you suggesting that L53, "equals": "Microsoft.Web/sites/config", is not scoped down granularly enough as a type?
Please elaborate as much as possible so we may address this as fast as possible for you 👍
The policy is there by design for a minimum version of TLS to be enabled on resources.
It's also part of the policy initiative here: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)
If you need an exemption to this policy, do so by customising your environment accordingly.