Need help in creating a custom policy which will auto remediate MySQL Flexible servers to TLS Version 1.2

Sumeet Upadhyay 25 Reputation points
2024-10-25T15:03:20.06+00:00

I need help in creating an Azure policy which will auto-remediate MySQL Flexible Server from older TLS versions to the newer TLS version (1.2).

Azure Policy

Accepted answer
  1. Vinodh247 27,096 Reputation points MVP
    2024-10-27T13:29:57.2266667+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    To create a custom Azure Policy that auto-remediates MySQL Flexible Servers to enforce TLS 1.2, you can use the following steps to define and assign the policy. This policy will enforce TLS 1.2 on all MySQL Flexible Servers within a specified scope (e.g., subscription or resource group) and will also create a remediation task to apply it to existing non-compliant servers.

    Step 1: Define the Custom Policy

    Below is a sample JSON for the custom Azure Policy definition to enforce and auto-remediate MySQL Flexible Servers to TLS 1.2:

    {
      "properties": {
        "displayName": "Enforce TLS 1.2 on MySQL Flexible Servers",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy ensures that all MySQL Flexible Servers are using TLS Version 1.2 for secure connections.",
        "metadata": {
          "category": "MySQL"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.DBforMySQL/flexibleServers"
              },
              {
                "field": "Microsoft.DBforMySQL/flexibleServers/minimalTlsVersion",
                "notEquals": "TLS1_2"
              }
            ]
          },
          "then": {
            "effect": "modify",
            "details": {
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/<Contributor Role ID>"
              ],
              "operations": [
                {
                  "operation": "addOrReplace",
                  "field": "Microsoft.DBforMySQL/flexibleServers/minimalTlsVersion",
                  "value": "TLS1_2"
                }
              ]
            }
          }
        }
      }
    }
    
    
    

    In this JSON:

    • The "if" condition checks if the resource type is Microsoft.DBforMySQL/flexibleServers and whether the TLS version is set to anything other than TLS1_2.
    • The "then" block specifies the "modify" effect to change the TLS version to TLS1_2.

    Note: Replace <Contributor Role ID> with the role ID for Contributor (or any role that has permissions to modify MySQL configurations).

    Step 2: Deploy the Policy Definition

    1. Go to Azure Portal > Policy > Definitions.
    2. Select + Policy definition.
    3. Paste the policy JSON, set the Definition location (scope), and Category (e.g., "MySQL").
    4. Click Save.

    Step 3: Assign the Policy

    1. In the Azure Policy section, go to Assignments.
    2. Click on Assign policy.
    3. Select your newly created custom policy and specify the Scope (e.g., a subscription or resource group).
    4. Under Remediation, ensure Create a remediation task is checked to apply it to existing MySQL Flexible Servers with non-compliant TLS versions.
    5. Review and Create the assignment.

    Step 4: Monitor and Validate

    After assigning the policy, Azure will automatically enforce TLS 1.2 on all MySQL Flexible Servers in the specified scope. You can check compliance status under Compliance in the Azure Policy section to monitor policy enforcement and remediation results.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
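The four portal steps in the accepted answer, driven from the Azure CLI instead, as an added example that is not part of the original answer. It assumes a logged-in Azure CLI recent enough to support `--mi-system-assigned` on `az policy assignment create`; the subscription id, policy name, assignment name and region are placeholders. Two practitioner details the portal hides are made explicit: a `modify` effect only works if the assignment's managed identity actually holds the role listed in `roleDefinitionIds` (hence the `--role`/`--identity-scope` pair), and a rule written against an alias the resource provider does not publish evaluates as not applicable and remediates nothing, so the script looks the alias up with `az provider show` before deploying anything.

```bash
#!/usr/bin/env bash
# Added example (not from the original Q&A answer): create, assign and remediate the
# custom TLS 1.2 policy with the Azure CLI. All names below are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
POLICY_NAME="enforce-tls12-mysql-flex"                                       # hypothetical
ASSIGNMENT_NAME="${POLICY_NAME}-assignment"                                  # hypothetical
LOCATION="eastus"                    # region that hosts the assignment's managed identity
TLS_ALIAS="Microsoft.DBforMySQL/flexibleServers/minimalTlsVersion"  # alias used by the answer
# Built-in Contributor role definition id; this GUID is the same in every tenant.
CONTRIBUTOR_ROLE_ID="b24988ac-6180-42a0-ab88-20f7382dd24c"

# Render the answer's policy rule with the <Contributor Role ID> placeholder filled in.
policy_rule_json() {
  cat <<EOF
{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.DBforMySQL/flexibleServers" },
    { "field": "${TLS_ALIAS}", "notEquals": "TLS1_2" }
  ] },
  "then": { "effect": "modify", "details": {
    "roleDefinitionIds": [
      "/providers/Microsoft.Authorization/roleDefinitions/${CONTRIBUTOR_ROLE_ID}"
    ],
    "operations": [
      { "operation": "addOrReplace", "field": "${TLS_ALIAS}", "value": "TLS1_2" }
    ]
  } }
}
EOF
}

# Pre-flight check: does the provider publish the alias the rule depends on?
alias_exists() {
  az provider show --namespace Microsoft.DBforMySQL --expand "resourceTypes/aliases" \
    --query "resourceTypes[].aliases[].name" -o tsv | grep -qx "$1"
}

deploy() {
  rules_file="$(mktemp)"
  policy_rule_json > "$rules_file"
  scope="/subscriptions/${SUBSCRIPTION_ID}"

  # Steps 1 and 2: custom definition at subscription scope.
  az policy definition create --name "$POLICY_NAME" \
    --display-name "Enforce TLS 1.2 on MySQL Flexible Servers" \
    --mode Indexed --rules "$rules_file" --subscription "$SUBSCRIPTION_ID" -o none

  # Step 3: assign with a system-assigned identity and grant it Contributor at the
  # assignment scope; without the role assignment the modify effect silently does nothing.
  az policy assignment create --name "$ASSIGNMENT_NAME" --policy "$POLICY_NAME" \
    --scope "$scope" --mi-system-assigned --location "$LOCATION" \
    --role Contributor --identity-scope "$scope" -o none

  # Remediation task for servers that already exist; new or updated servers are
  # modified at write time by the effect itself.
  az policy remediation create --name "${ASSIGNMENT_NAME}-remediation" \
    --policy-assignment "$ASSIGNMENT_NAME" -o none

  # Step 4: list what is still non-compliant under this assignment.
  az policy state list --policy-assignment "$ASSIGNMENT_NAME" \
    --filter "complianceState eq 'NonCompliant'" --query "[].resourceId" -o tsv
  rm -f "$rules_file"
}

main() {
  if ! command -v az >/dev/null 2>&1 || ! az account show >/dev/null 2>&1; then
    echo "az CLI not available or not logged in; printing the rule that would be deployed" >&2
    policy_rule_json
    return 0
  fi
  if ! alias_exists "$TLS_ALIAS"; then
    echo "alias $TLS_ALIAS is not published by Microsoft.DBforMySQL; fix the rule first" >&2
    return 1
  fi
  deploy
}

main "$@"
```

If the alias check fails, the fix belongs in the rule rather than in the deployment: inspect the alias list the command prints and rewrite the `if`/`operations` fields against an alias the provider actually exposes, then re-run.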

