Tags: json, azure-storage, azure-policy

Azure Policy: Storage Account min TLS DeployIfNotExists


Trying to update all my existing storage accounts to TLS 1.2 when the TLS setting is not equal to TLS 1.2:

    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "location",
          "in": "[parameters('deploymentLocations')]"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "Equals": "TLS1_2"
            },
            {
              "exists": "true",
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion"
            }
          ]
        },

The problem is that the policy is showing compliance for storage accounts that are on TLS 1.1 as well, which it should not!

I tried to modify the existenceCondition with anyOf, but no luck, still the same issue. I think I'm missing something in the existenceCondition.


Solution

  • You can try the following policy:

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                  "exists": "false"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                  "notEquals": "TLS1_2"
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "conflictEffect": "audit",
            "operations": [
              {
                "operation": "addOrReplace",
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "value": "TLS1_2"
              }
            ]
          }
        }
      },
      "parameters": {}
    }
    

    It modifies the TLS to 1.2 for all new resources. Old resources are audited and can be changed through a remediation task from the Azure Policy page in the Azure Portal.
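To see why the answer's `if` block flags accounts on TLS 1.0, TLS 1.1 or with no minimum set, but not accounts already on TLS 1.2, here is an added Python example (not from the original post or from Azure) that evaluates that block against constructed sample resources and applies the `addOrReplace` operation. The alias-to-property mapping, the case-insensitive string comparison and the handling of a missing property are assumptions modelled on Azure Policy's documented behaviour, not the real evaluation engine.

```python
# Constructed sample resources, reduced to the properties this check needs.
SAMPLE_RESOURCES = [
    {"name": "stold", "type": "Microsoft.Storage/storageAccounts", "minimumTlsVersion": "TLS1_0"},
    {"name": "stmid", "type": "Microsoft.Storage/storageAccounts", "minimumTlsVersion": "TLS1_1"},
    {"name": "stok", "type": "Microsoft.Storage/storageAccounts", "minimumTlsVersion": "TLS1_2"},
    {"name": "stnone", "type": "Microsoft.Storage/storageAccounts"},  # property never set
    {"name": "kv1", "type": "Microsoft.KeyVault/vaults"},  # out of scope for this policy
]

# The answer's policy "if" block and modify operations, as Python dicts.
POLICY_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
    ]},
]}
OPERATIONS = [{"operation": "addOrReplace",
               "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "value": "TLS1_2"}]

# Assumed mapping from policy alias to the property name on the resource.
ALIAS_TO_PROP = {"type": "type",
                 "Microsoft.Storage/storageAccounts/minimumTlsVersion": "minimumTlsVersion"}


def evaluate(condition, resource):
    """Evaluate the subset of policy conditions used above: allOf, anyOf, equals, notEquals, exists."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    prop = ALIAS_TO_PROP[condition["field"]]
    present = prop in resource
    if "exists" in condition:
        return present == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:  # assumption: string comparison is case-insensitive
        return present and resource[prop].lower() == condition["equals"].lower()
    if "notEquals" in condition:  # assumption: a missing property never equals the value
        return not present or resource[prop].lower() != condition["notEquals"].lower()
    raise ValueError(f"unsupported condition: {condition}")


def needs_remediation(resource):
    """True when the policy's "if" block matches, i.e. the modify effect would fire."""
    return evaluate(POLICY_IF, resource)


def apply_modify(resource):
    """Simulate the modify effect: apply each addOrReplace operation to a copy of the resource."""
    fixed = dict(resource)
    for op in OPERATIONS:
        if op["operation"] == "addOrReplace":
            fixed[ALIAS_TO_PROP[op["field"]]] = op["value"]
    return fixed


def run(resources=SAMPLE_RESOURCES):
    """Return the names the policy flags and the resource set after remediation."""
    flagged = [r["name"] for r in resources if needs_remediation(r)]
    remediated = [apply_modify(r) if needs_remediation(r) else r for r in resources]
    return flagged, remediated
```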