From fee9805263b0774579f15f411fc3bc4c2130c8a3 Mon Sep 17 00:00:00 2001 From: kenieva-MSFT <54639692+kenieva@users.noreply.github.com> Date: Wed, 2 Oct 2024 10:16:21 -0700 Subject: [PATCH 1/4] Address issues with R/o aliases --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index d76792d13..afbcf68b3 100644 --- a/README.md +++ b/README.md @@ -310,4 +310,10 @@ Currently Azure Policy supports only alphanumeric characters for property and al - `redisConfiguration.preferred-data-archive-auth-method` - `redisConfiguration.preferred-data-persistence-auth-method` +### Read only aliases + +In few instances, aliases for read-only properties will be generated. These aliases are strictly meant for auditing purposes, since the read-only nature does not allow for modification post resource/configuration deployment. If a policy with a modify or DINE effect targets this alias, the compliance results will show non-compliance. However, when remediated the read-only properties are not evaluated. This renders the resource compliant and not triggering remediation. In most cases, if remediation is triggered, the system is not allowed to alter the read-only property. + + + *This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.* From 3c6363103bc4d26823b13b18903cc5aebbfadbdf Mon Sep 17 00:00:00 2001 From: kenieva-MSFT <54639692+kenieva@users.noreply.github.com> Date: Wed, 2 Oct 2024 15:06:14 -0700 Subject: [PATCH 2/4] address comments and shown example --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index afbcf68b3..1e3c4fd15 100644 --- a/README.md +++ b/README.md 
@@ -312,7 +312,10 @@ Currently Azure Policy supports only alphanumeric characters for property and al ### Read only aliases -In few instances, aliases for read-only properties will be generated. These aliases are strictly meant for auditing purposes, since the read-only nature does not allow for modification post resource/configuration deployment. If a policy with a modify or DINE effect targets this alias, the compliance results will show non-compliance. However, when remediated the read-only properties are not evaluated. This renders the resource compliant and not triggering remediation. In most cases, if remediation is triggered, the system is not allowed to alter the read-only property. +In rare instances, aliases for read-only properties have be generated (request for R/O are not supported at this time). These aliases are strictly meant for auditing purposes, since the read-only nature does not allow for modification post resource/configuration deployment. If a policy with a modify or DINE effect targets this alias, the compliance results will show non-compliance. However, when remediated the read-only properties are not evaluated. This renders the resource compliant and not triggering remediation. In most cases, if remediation is triggered, the system is not allowed to alter the read-only property. + +Some examples of these read-only property: + - `Microsoft.Compute/virtualMachines/provisioningState` From 12954744dc91b387d22d005ff141b6af0b486b50 Mon Sep 17 00:00:00 2001 From: kenieva-MSFT <54639692+kenieva@users.noreply.github.com> Date: Thu, 3 Oct 2024 11:07:01 -0700 Subject: [PATCH 3/4] Added full list of readonly aliases --- README.md | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1e3c4fd15..a49978baa 100644 --- a/README.md +++ b/README.md 
@@ -314,8 +314,34 @@ Currently Azure Policy supports only alphanumeric characters for property and al In rare instances, aliases for read-only properties have be generated (request for R/O are not supported at this time). These aliases are strictly meant for auditing purposes, since the read-only nature does not allow for modification post resource/configuration deployment. If a policy with a modify or DINE effect targets this alias, the compliance results will show non-compliance. However, when remediated the read-only properties are not evaluated. This renders the resource compliant and not triggering remediation. In most cases, if remediation is triggered, the system is not allowed to alter the read-only property. -Some examples of these read-only property: - - `Microsoft.Compute/virtualMachines/provisioningState` +Some examples of read-only aliases: + - `Microsoft.Authorization/roleAssignmentScheduleInstances/*` + - `Microsoft.BotService/botServices/networkSecurityPerimeterConfigurations/*` + - `Microsoft.Cache/Redis/privateEndpointConnections[*]` + - `Microsoft.Cache/Redis/privateEndpointConnections[*].privateLinkServiceConnectionState.status` + - `Microsoft.Cache/Redis/privateEndpointConnections[*].provisioningState` + - `Microsoft.Compute/virtualMachines/provisioningState` + - `Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterConfigurations/networkSecurityPerimeter.id` + - `Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterConfigurations/profile.name` + - `Microsoft.DocumentDB/databaseAccounts/networkSecurityPerimeterConfigurations/resourceAssociation.accessMode` + - `Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations/networkSecurityPerimeter.id` + - `Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations/resourceAssociation.accessMode` + - `Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations/profile.name` + - 
`Microsoft.KeyVault/vaults/networkSecurityPerimeterConfigurations/networkSecurityPerimeter.id` + - `Microsoft.KeyVault/vaults/networkSecurityPerimeterConfigurations/resourceAssociation.accessMode` + - `Microsoft.KeyVault/vaults/networkSecurityPerimeterConfigurations/profile.name` + - `Microsoft.Sql/servers/networkSecurityPerimeterConfigurations/networkSecurityPerimeter.id` + - `Microsoft.Sql/servers/networkSecurityPerimeterConfigurations/resourceAssociation.accessMode` + - `Microsoft.Sql/servers/networkSecurityPerimeterConfigurations/profile.name` + - `Microsoft.Storage/storageAccounts/primaryEndpoints` + - `Microsoft.Storage/storageAccounts/primaryEndpoints.web` + - `Microsoft.Storage/storageAccounts/primaryEndpoints.blob` + - `Microsoft.Storage/storageAccounts/primaryEndpoints.queue` + - `Microsoft.Storage/storageAccounts/primaryEndpoints.table` + - `Microsoft.Storage/storageAccounts/primaryEndpoints.file` + - `Microsoft.Storage/storageAccounts/networkSecurityPerimeterConfigurations/networkSecurityPerimeter.id` + - `Microsoft.Storage/storageAccounts/networkSecurityPerimeterConfigurations/resourceAssociation.accessMode` + - `Microsoft.Storage/storageAccounts/networkSecurityPerimeterConfigurations/profile.name` From caba72223201f0b8107bf7bebc39ae40a54772ac Mon Sep 17 00:00:00 2001 From: kenieva-MSFT <54639692+kenieva@users.noreply.github.com> Date: Fri, 4 Oct 2024 09:14:04 -0700 Subject: [PATCH 4/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a49978baa..a3d6e26e6 100644 --- a/README.md +++ b/README.md 
@@ -312,7 +312,7 @@ Currently Azure Policy supports only alphanumeric characters for property and al ### Read only aliases -In rare instances, aliases for read-only properties have be generated (request for R/O are not supported at this time). These aliases are strictly meant for auditing purposes, since the read-only nature does not allow for modification post resource/configuration deployment. If a policy with a modify or DINE effect targets this alias, the compliance results will show non-compliance. However, when remediated the read-only properties are not evaluated. This renders the resource compliant and not triggering remediation. In most cases, if remediation is triggered, the system is not allowed to alter the read-only property. +In rare instances, aliases for read-only properties have be generated (request for R/O are not supported at this time). These aliases are strictly meant for auditing purposes, since the read-only nature does not allow for modification post resource/configuration deployment. If a policy with a modify or DINE effect targets this alias, the compliance results will show non-compliance. However, when remediated the read-only properties are not evaluated. This causes the resource to evaluate as compliant and not remediate. In most cases, if remediation is manually triggered, the system is not allowed to alter the read-only property. Some examples of read-only aliases: - `Microsoft.Authorization/roleAssignmentScheduleInstances/*`
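Review bot: In the first hunk (PATCH 1/4, `@@ -310,4 +310,10 @@`), the new paragraph reads as self-contradictory: "the compliance results will show non-compliance" is immediately followed by "This renders the resource compliant", and a reader cannot tell which state the resource actually ends in. Spell out that these are two different evaluations, e.g. "The compliance scan reports the resource as non-compliant, but the evaluation run by a remediation task skips read-only properties, so the task finds nothing to remediate." Two smaller points in the same hunk: "In few instances" should be "In a few instances", and "DINE" should be expanded on first use (DeployIfNotExists), since the rest of this README spells effect names out. The two extra blank lines added before the Code of Conduct footer are not needed.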
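Review bot: In the second hunk (PATCH 2/4, `@@ -312,7 +312,10 @@`), the parenthetical "(request for R/O are not supported at this time)" is ambiguous about what is not supported; if the intent is that contributors cannot request new aliases for read-only properties, say so: "(requests for new read-only aliases are not accepted at this time)". The same line has "have be generated", which should be "have been generated", and the list lead-in "Some examples of these read-only property:" should be "Some examples of these read-only properties:".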
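Review bot: In the third hunk (PATCH 3/4, `@@ -314,8 +314,34 @@`), the commit message says this is the "full list of readonly aliases" but the README text still says "Some examples of read-only aliases"; the doc should state which it is, because a policy author deciding whether an alias is safe to use with `modify` or `deployIfNotExists` needs to know if absence from this list means anything. If it is exhaustive, note the date it was taken, since it will drift as new aliases are added. Two style points in the list: the network security perimeter triplets are ordered inconsistently (`Microsoft.DocumentDB/...` lists `profile.name` before `resourceAssociation.accessMode`, the EventHub, KeyVault, Sql and Storage entries list it after), and the wildcard entries (`Microsoft.Authorization/roleAssignmentScheduleInstances/*`, `Microsoft.BotService/botServices/networkSecurityPerimeterConfigurations/*`, `Microsoft.Cache/Redis/privateEndpointConnections[*]`) sit among leaf paths without a word saying that every alias under those paths is read-only. Given the paragraph says these aliases are "strictly meant for auditing purposes", consider closing the section with the practical guidance that follows from it: pair these aliases with `audit` or `auditIfNotExists` rather than `modify` or `deployIfNotExists`.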
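Review bot: In the fourth hunk (PATCH 4/4, `@@ -312,7 +312,7 @@`), "In most cases, if remediation is manually triggered, the system is not allowed to alter the read-only property" leaves the exception unspecified; either name the case in which a remediation task does change a read-only property, or drop "In most cases" and state it plainly. The reword to "This causes the resource to evaluate as compliant and not remediate" still contradicts "the compliance results will show non-compliance" two sentences earlier; distinguishing the compliance scan from the remediation task's own evaluation would resolve it. The typo "have be generated" (should be "have been generated") survives this rewrite of the same line.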