-
Notifications
You must be signed in to change notification settings - Fork 981
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NewlyCreatedDeployStoragePolices #1847
Open
BeckyHope19
wants to merge
21
commits into
Azure:policy-refresh-q2fy25
Choose a base branch
from
BeckyHope19:BeckysBranchALZ-07-08-24
base: policy-refresh-q2fy25
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
NewlyCreatedDeployStoragePolices #1847
BeckyHope19
wants to merge
21
commits into
Azure:policy-refresh-q2fy25
from
BeckyHope19:BeckysBranchALZ-07-08-24
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… initiative: 72f8cee7-2937-403d-84a1-a4e3e57f3c21 (Azure#1682) Co-authored-by: Jonas Nørregaard Cordsen <[email protected]> Co-authored-by: Sacha Narinx <[email protected]> Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <[email protected]>
… policy-refresh-q1fy25
…pe19/Enterprise-Scale into BeckysBranchALZ-07-08-24
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jack Tracey <[email protected]>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
…pe19/Enterprise-Scale into BeckysBranchALZ-07-08-24
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview/Summary
Replace this with a brief description of what this Pull Request fixes, changes, etc.
This PR adds
Enable Point in Time Restore for Blobs
Enable change feed for blobs
Enable Versioning for Blobs
Breaking Changes
N/A
Testing Evidence
Storage Accounts before testing
Amonsterpacks88 tags and data protection settings:
Below you will see the storage account with both tags applied for versioning and change feed.
For the data protection settings, you will also see point in time, change feed and versioning is enabled.
Expected outcome: This resource will be compliant all policies as versioning, change feed and point in time are already enabled.
satestnewpolicybh01 tags and data protection settings:
Below you will see the storage account with both tags applied for versioning and change feed.
For the data protection settings, you will also see point in time, change feed and versioning is disabled.
Expected outcome: This resource will not be compliant and will require remediation for versioning and change feed. For point in time restore, it will require a manual step to enable soft delete for blobs before the remediation can be run for point intime restore. After all remediation steps are taken, then it will show as compliant.
satestnotags01 tags and data protection settings
Below you will see the storage account with no tags applied for versioning and change feed. Due to this, on the point in time policy will be relevant.
For the data protection settings, you will also see point in time, change feed and versioning is disabled.
Expected outcome: This resource will not be compliant for point in time restore, it will require a manual step to enable soft delete for blobs, versioning and change feed before the remediation can be run for point intime restore. After all remediation steps are taken, then it will show as compliant.
Assigned policy without auto remediation:
Deploy-Storage-ChangefeedForBlobIfTagExists
Untick the “Only show parameters that need input or review” and entered the tag name and tag value.
Deploy-Storage-VersioningForBlobIfTagExists
Untick the “Only show parameters that need input or review” and entered the tag name and tag value.
Deploy-Storage-PointInTimeRestoreForBlob
Untick the “Only show parameters that need input or review” and entered days to retain for, the default is set to 6 as the soft delete blob and change feed is a default of 7 days and the point in time needs to be less than.
After policies are applied but before remediation:
Policies have been applied, the point in time is auditing 3 storage accounts to see if point in time is enabled, only 1(Amonsterpacks88) out of the 3 have it enabled. The other two storage accounts don’t have it enabled as shown in the screenshots from the beginning of testing.
The versioning and change feed policies are showing 1(Amonsterpacks88) of 2 resources compliant, this is the two storage accounts with tags, as tags are required for those policies. As shown in the screenshots at the beginning, only one of the storage accounts have data protection settings.
This screenshot shows the resources that require remediation.
After policies are applied and after remediation:
Once the remediation tasks are completed, you will see the point in time restore fail, this is because other data protection setting are needed, see in the example below. As for the change feed and versioning, they were successful.
Example:
Settings on the two-storage account that failed for remediation:
This storage account doesn’t have tags, so no changes were made for change feed or versioning, as for the point in time policy, it failed because soft delete, versioning and change feed are not enabled.
This storage account has tags, so only the versioning and change feed changes were made, as for point in time policy it failed because soft delete isn’t enabled.
Here you will see I have manually enabled soft delete on satestnewpolicybh01, and soft delete, versioning and change feed on satestnotags01.
After enabling soft delete on satestnewpolicybh01, and soft delete, versioning and change feed on satestnotags01, the remediation completed successfully.
All storage accounts config after remediations
All settings are configured with soft delete, versioning, change feed and point in time restore.
Testing URLs
The below URLs can be updated where the placeholders are, look for
{YOUR GITHUB BRANCH NAME HERE - Remove Curly Brackets Also}
&{YOUR GITHUB BRANCH NAME HERE - Remove Curly Brackets Also}
, to allow you to test your portal deployment experience.Azure Public
Azure US Gov (Fairfax)
As part of this Pull Request I have
main
branch/docs/wiki/whats-new.md
)