Can I create an Azure Policy that disables both FTP and FTPS deployment?

Darragh Martin 86 Reputation points
2023-07-03T16:16:39.48+00:00

I am wondering if there is a way to disable both FTP and FTPS web app deployments. I have a policy, but it doesn't enforce it unless I manually disable it, and then the policy becomes compliant. Can a policy automatically do this for me to make it compliant, or will I have to go to each of my web apps, go to general settings and select 'Disabled'?

This is part of how my policy looks, below:

{
  "properties": {
    "displayName": "Web apps should disable FTP and FTPS deployment methods [custom]",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deny both FTP and FTPS",
    "metadata": {
      "category": "App Service",
      "createdBy": "ba2ab840-e590-4920-b854-886b7475e545",
      "createdOn": "2023-07-03T11:09:55.2369855Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "allowFTPS": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Allow FTPS",
          "description": "Allow FtpsOnly as a valid configuration. FTP will still be disabled."
        },
        "defaultValue": false
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "like": "app*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/ftpsState",
            "in": "[if(parameters('allowFTPS'), createArray('FtpsOnly', 'Disabled'), createArray('Disabled'))]"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "allowFTPS": {
                  "value": "[parameters('allowFTPS')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "allowFTPS": {
                    "type": "bool"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('name'), '/web')]",
                    "type": "Microsoft.Web/sites/config",
                    "location": "[parameters('location')]",
                    "apiVersion": "2018-11-01",
                    "properties": {
                      "ftpsState": "[if(parameters('allowFTPS'), 'FtpsOnly', 'Disabled')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
AnuragSingh-MSFT 21,466 Reputation points
2023-07-04T05:50:18.2466667+00:00

@Darragh Martin, thank you for posting this question.

I took a summary view of the policy and the requirement in the question, and it seems that you are not using Policy Remediation to deploy the required changes to non-compliant resources.

When you assign a policy with the DeployIfNotExists effect, the existing resources under the scope of the policy assignment (the resources that were already created before the policy was assigned) do not get the required changes deployed to them through the policy. Instead, you can use remediation tasks to achieve that. For more details, see Create a remediation task.

In case the deployment template has some issue, the remediation task would fail with an error which could be rectified. For new resources (in scope) created after the policy assignment, the policy itself would take care of the remediation without manually creating the remediation task.

Hope this helps.

If the answer did not help, please add more context or a follow-up question, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
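An added example (not part of the question or the answer): it mirrors the policy's existenceCondition locally so you can see which ftpsState values the assignment will flag, and then drives the remediation task the answer describes with Azure CLI. The definition name, assignment name, scope and location are placeholders you supply; the role GUID is the one the posted policy lists.

```bash
#!/usr/bin/env bash
# Added example, not the question's or answer's code. Assumes the policy
# definition from the question has already been created in your tenant.
set -eu

# Same decision as the policy's existenceCondition: with allowFTPS=true
# both "FtpsOnly" and "Disabled" are compliant, otherwise only "Disabled".
# Returns 0 when compliant, 1 when DeployIfNotExists would fire.
ftps_compliant() {            # usage: ftps_compliant <ftpsState> <true|false>
  local state="$1" allow_ftps="$2"
  case "$allow_ftps:$state" in
    true:FtpsOnly|true:Disabled|false:Disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# DeployIfNotExists needs a managed identity on the assignment that holds
# the role from roleDefinitionIds (de139f84-... is Website Contributor);
# without it the deployment in "details" cannot write ftpsState.
assign_policy() {             # usage: assign_policy <assignment> <definition> <scope> <location>
  az policy assignment create --name "$1" --policy "$2" --scope "$3" \
    --mi-system-assigned --location "$4" --identity-scope "$3" \
    --role "de139f84-1756-47ae-9be6-808fbbe84772" \
    --params '{"allowFTPS":{"value":false},"effect":{"value":"DeployIfNotExists"}}'
}

# The assignment alone leaves pre-existing web apps untouched (the answer's
# point); a remediation task runs the template against them. ReEvaluateCompliance
# re-checks every resource in scope first instead of using the last scan.
remediate_existing() {        # usage: remediate_existing <assignment> <remediation-name>
  az policy remediation create --name "$2" --policy-assignment "$1" \
    --resource-discovery-mode ReEvaluateCompliance
  az policy remediation show --name "$2" \
    --query "{state:provisioningState,failed:deploymentStatus.failedDeployments}" -o table
  # Anything still listed here is a deployment that failed and needs a look.
  az policy state list \
    --filter "PolicyAssignmentName eq '$1' and ComplianceState eq 'NonCompliant'" \
    --query "[].resourceId" -o tsv
}

# Spot-check one app after remediation; expect "Disabled" with allowFTPS=false.
show_ftps_state() {           # usage: show_ftps_state <resource-group> <app-name>
  az webapp config show --resource-group "$1" --name "$2" --query ftpsState -o tsv
}

# Example run (fill in your own names before uncommenting):
# assign_policy deny-ftp-ftps "<definition-name>" "/subscriptions/<sub-id>" westeurope
# remediate_existing deny-ftp-ftps remediate-ftp-ftps
```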
