
NewlyCreatedDeployStoragePolices #1847

Open
wants to merge 21 commits into base: policy-refresh-q2fy25

Conversation

BeckyHope19
Contributor

@BeckyHope19 BeckyHope19 commented Nov 25, 2024

Overview/Summary


This PR adds

  1. Enable Point in Time Restore for Blobs

    • Description: This policy enables point in time restore if it’s not enabled for blob services. To enable this policy, it is required that blob versioning, change feed and soft delete are enabled. The point in time restore days need to be less than the soft delete days and change feed days (keep all logs is a default of 7 days).
    • Policy: Deploy-Storage-PointInTimeRestoreForBlob
  2. Enable change feed for blobs

    • Description: This policy enables change feed if it’s not enabled for blob services based on a specific tag on the Storage Account.
    • Policy: Deploy-Storage-ChangefeedForBlobIfTagExists
  3. Enable Versioning for Blobs

    • Description: This policy enables Versioning if it’s not enabled for blob services based on a specific tag on the Storage Account.
    • Policy: Deploy-Storage-VersioningForBlobIfTagExists

Breaking Changes

N/A

Testing Evidence

Storage Accounts before testing

Amonsterpacks88 tags and data protection settings:

Below you will see the storage account with both tags applied for versioning and change feed.
image

For the data protection settings, you will also see point in time, change feed and versioning is enabled.
image
Expected outcome: This resource will be compliant with all policies, as versioning, change feed and point in time are already enabled.

satestnewpolicybh01 tags and data protection settings:

Below you will see the storage account with both tags applied for versioning and change feed.
image

For the data protection settings, you will also see point in time, change feed and versioning is disabled.
image
Expected outcome: This resource will not be compliant and will require remediation for versioning and change feed. For point in time restore, it will require a manual step to enable soft delete for blobs before the remediation can be run for point in time restore. After all remediation steps are taken, it will show as compliant.

satestnotags01 tags and data protection settings

Below you will see the storage account with no tags applied for versioning and change feed. Due to this, only the point in time policy will be relevant.
image

For the data protection settings, you will also see point in time, change feed and versioning is disabled.
image
Expected outcome: This resource will not be compliant for point in time restore; it will require a manual step to enable soft delete for blobs, versioning and change feed before the remediation can be run for point in time restore. After all remediation steps are taken, it will show as compliant.

Assigned policy without auto remediation:

Deploy-Storage-ChangefeedForBlobIfTagExists
Unticked “Only show parameters that need input or review” and entered the tag name and tag value.
image

Deploy-Storage-VersioningForBlobIfTagExists
Unticked “Only show parameters that need input or review” and entered the tag name and tag value.
image

Deploy-Storage-PointInTimeRestoreForBlob
Unticked “Only show parameters that need input or review” and entered the days to retain for; the default is set to 6, as soft delete for blobs and change feed both default to 7 days and the point in time value needs to be less than that.
image

After policies are applied but before remediation:

Policies have been applied. The point in time policy is auditing 3 storage accounts to see if point in time is enabled; only 1 (Amonsterpacks88) out of the 3 has it enabled. The other two storage accounts don’t have it enabled, as shown in the screenshots from the beginning of testing.
The versioning and change feed policies are showing 1 (Amonsterpacks88) of 2 resources compliant; these are the two storage accounts with tags, as tags are required for those policies. As shown in the screenshots at the beginning, only one of the storage accounts has data protection settings.

image

image

image

image

This screenshot shows the resources that require remediation.
image

After policies are applied and after remediation:

Once the remediation tasks are completed, you will see the point in time restore fail; this is because other data protection settings are needed, as seen in the example below. As for the change feed and versioning, they were successful.
image

Example:
image

Settings on the two storage accounts that failed remediation:

This storage account doesn’t have tags, so no changes were made for change feed or versioning; as for the point in time policy, it failed because soft delete, versioning and change feed are not enabled.
image

This storage account has tags, so only the versioning and change feed changes were made; as for the point in time policy, it failed because soft delete isn’t enabled.
image

Here you will see I have manually enabled soft delete on satestnewpolicybh01, and soft delete, versioning and change feed on satestnotags01.
image

image

After enabling soft delete on satestnewpolicybh01, and soft delete, versioning and change feed on satestnotags01, the remediation completed successfully.
image

All storage accounts config after remediations

All settings are configured with soft delete, versioning, change feed and point in time restore.
image

image

image

image

Testing URLs

The below URLs can be updated where the placeholders are, look for {YOUR GITHUB BRANCH NAME HERE - Remove Curly Brackets Also} & {YOUR GITHUB BRANCH NAME HERE - Remove Curly Brackets Also}, to allow you to test your portal deployment experience.

Please also replace the curly brackets on the placeholders {}

Azure Public

Deploy To Azure

Azure US Gov (Fairfax)

Deploy To Azure

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Ensured contribution guidance is followed.
  • Updated relevant and associated documentation.
  • Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)
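The precondition chain the description above walks through (tag-gated versioning and change feed, and point in time restore whose remediation only succeeds once soft delete, versioning and change feed are on and the restore window is shorter than both retention periods) can be run as a pre-flight check before assigning the policies or kicking off a remediation task. The following is an added example, not code from this PR or from the Enterprise-Scale repository. It reads the `properties` shape of the ARM `Microsoft.Storage/storageAccounts/blobServices` resource (`deleteRetentionPolicy`, `isVersioningEnabled`, `changeFeed`, `restorePolicy`) together with the account tags. The tag names, the sample accounts and their day values are constructed to mirror the three test accounts and are assumptions, as is treating a null `changeFeed.retentionInDays` as unbounded retention that imposes no limit on the restore window.

```python
# Pre-flight check for the three blob data-protection policies described in the PR.
# Added example (not the PR's or repository's code); assumes the ARM blobServices
# `properties` shape plus account tags as input.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COMPLIANT = "compliant"
NON_COMPLIANT = "non-compliant"
NOT_APPLICABLE = "not-applicable"

POLICY_PITR = "Deploy-Storage-PointInTimeRestoreForBlob"
POLICY_CHANGEFEED = "Deploy-Storage-ChangefeedForBlobIfTagExists"
POLICY_VERSIONING = "Deploy-Storage-VersioningForBlobIfTagExists"

Tag = Tuple[str, str]  # (tagName, tagValue) as passed to the IfTagExists policies


@dataclass
class PolicyResult:
    state: str
    blockers: List[str] = field(default_factory=list)  # settings that stop remediation


def tag_matches(tags: Optional[Dict[str, str]], tag: Tag) -> bool:
    """Azure tag names are case-insensitive; values are compared exactly."""
    name, value = tag
    for key, val in (tags or {}).items():
        if key.lower() == name.lower():
            return val == value
    return False


def check_versioning(props: dict, tags: Optional[Dict[str, str]], tag: Tag) -> PolicyResult:
    """IfTagExists policy: accounts without the tag are not evaluated at all."""
    if not tag_matches(tags, tag):
        return PolicyResult(NOT_APPLICABLE)
    return PolicyResult(COMPLIANT if props.get("isVersioningEnabled") else NON_COMPLIANT)


def check_change_feed(props: dict, tags: Optional[Dict[str, str]], tag: Tag) -> PolicyResult:
    if not tag_matches(tags, tag):
        return PolicyResult(NOT_APPLICABLE)
    enabled = (props.get("changeFeed") or {}).get("enabled", False)
    return PolicyResult(COMPLIANT if enabled else NON_COMPLIANT)


def check_point_in_time_restore(props: dict, restore_days: int) -> PolicyResult:
    """Applies to every account. Collects every precondition the DeployIfNotExists
    remediation would trip over, so all manual steps can be done in one pass."""
    if restore_days < 1:
        raise ValueError("restore window must be at least 1 day")
    if (props.get("restorePolicy") or {}).get("enabled"):
        return PolicyResult(COMPLIANT)
    blockers: List[str] = []
    soft_delete = props.get("deleteRetentionPolicy") or {}
    if not soft_delete.get("enabled"):
        blockers.append("soft delete disabled")
    elif restore_days >= (soft_delete.get("days") or 0):
        blockers.append(f"restore window {restore_days}d not below soft delete {soft_delete.get('days')}d")
    if not props.get("isVersioningEnabled"):
        blockers.append("versioning disabled")
    feed = props.get("changeFeed") or {}
    if not feed.get("enabled"):
        blockers.append("change feed disabled")
    else:
        # Assumption: a null retentionInDays means the feed keeps all logs, so no upper bound.
        retention = feed.get("retentionInDays")
        if retention is not None and restore_days >= retention:
            blockers.append(f"restore window {restore_days}d not below change feed retention {retention}d")
    return PolicyResult(NON_COMPLIANT, blockers)


def evaluate_account(account: dict, versioning_tag: Tag, change_feed_tag: Tag,
                     restore_days: int) -> Dict[str, PolicyResult]:
    """Evaluate one storage account against all three policies."""
    props, tags = account["blobServiceProperties"], account.get("tags")
    return {
        POLICY_PITR: check_point_in_time_restore(props, restore_days),
        POLICY_CHANGEFEED: check_change_feed(props, tags, change_feed_tag),
        POLICY_VERSIONING: check_versioning(props, tags, versioning_tag),
    }


# Constructed inputs mirroring the PR's three test accounts; the tag names and
# day values are assumptions, not read from the screenshots.
PROTECTED = {
    "deleteRetentionPolicy": {"enabled": True, "days": 7},
    "isVersioningEnabled": True,
    "changeFeed": {"enabled": True, "retentionInDays": 7},
    "restorePolicy": {"enabled": True, "days": 6},
}
UNPROTECTED = {
    "deleteRetentionPolicy": {"enabled": False},
    "isVersioningEnabled": False,
    "changeFeed": {"enabled": False},
    "restorePolicy": {"enabled": False},
}
VERSIONING_TAG: Tag = ("EnableVersioning", "true")   # hypothetical tag parameters
CHANGE_FEED_TAG: Tag = ("EnableChangeFeed", "true")
BOTH_TAGS = dict([VERSIONING_TAG, CHANGE_FEED_TAG])
SAMPLE_ACCOUNTS = {
    "Amonsterpacks88": {"tags": BOTH_TAGS, "blobServiceProperties": PROTECTED},
    "satestnewpolicybh01": {"tags": BOTH_TAGS, "blobServiceProperties": UNPROTECTED},
    "satestnotags01": {"tags": {}, "blobServiceProperties": UNPROTECTED},
}

if __name__ == "__main__":
    for name, account in SAMPLE_ACCOUNTS.items():
        for policy, result in evaluate_account(account, VERSIONING_TAG, CHANGE_FEED_TAG, 6).items():
            detail = f" (blockers: {', '.join(result.blockers)})" if result.blockers else ""
            print(f"{name}: {policy}: {result.state}{detail}")
```

A `non-compliant` result with an empty blocker list is the state in which the point in time restore remediation task can be expected to succeed; a non-empty list is exactly the manual step the testing evidence describes (enable soft delete, and on the untagged account also versioning and change feed) before the task is re-run. Checking the day bounds up front also catches the case the description calls out, where the restore window equals or exceeds the 7-day soft delete or change feed retention.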

JonasCordsen and others added 21 commits July 2, 2024 13:49
… initiative: 72f8cee7-2937-403d-84a1-a4e3e57f3c21 (Azure#1682)

Co-authored-by: Jonas Nørregaard Cordsen <[email protected]>
Co-authored-by: Sacha Narinx <[email protected]>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <[email protected]>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
@BeckyHope19 BeckyHope19 marked this pull request as ready for review November 25, 2024 15:54
@BeckyHope19 BeckyHope19 requested a review from a team as a code owner November 25, 2024 15:54
@jtracey93 jtracey93 requested a review from Springstone January 9, 2025 08:54
@Springstone Springstone added the Area: Policy 📝 Issues / PR's related to Policy label Jan 14, 2025
@Springstone
Member

Due to the large number of incoming changes in the Q2FY25 policy refresh, need to push this out to next release.
