Azure · robga · Mar 13, 2024 · Mar 4, 2024
@@ -0,0 +1,54 @@
+{
+  "properties": {
+    "displayName": "API Management subscriptions should not be scoped to all APIs",
+    "policyType": "BuiltIn",
+    "mode": "All",
+    "description": "API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.",
+    "metadata": {
+      "version": "1.1.0",
+      "category": "API Management"
+    },
+    "version": "1.1.0",
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.ApiManagement/service/subscriptions"
+          },
+          {
+            "field": "Microsoft.ApiManagement/service/subscriptions/scope",
+            "like": "*/apis"
+          },
+          {
+            "field": "Microsoft.ApiManagement/service/subscriptions/state",
+            "equals": "active"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "parameters": {
+      "effect": {
+        "type": "string",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Disabled",
+          "Deny"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "versions": [
+      "1.1.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1",
+  "name": "3aa03346-d8c5-4994-a5bc-7652c2a2aef1"
+}
@@ -0,0 +1,72 @@
+{
+  "properties": {
+    "displayName": "API Management service should use a SKU that supports virtual networks",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "API Management"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      },
+      "listOfAllowedSKUs": {
+        "type": "Array",
+        "metadata": {
+          "description": "The list of SKUs that can be specified for Azure API Management service.",
+          "displayName": "Allowed SKUs"
+        },
+        "allowedValues": [
+          "Developer",
+          "Basic",
+          "Standard",
+          "Premium",
+          "Isolated",
+          "Consumption"
+        ],
+        "defaultValue": [
+          "Developer",
+          "Premium",
+          "Isolated"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.ApiManagement/service"
+          },
+          {
+            "not": {
+              "field": "Microsoft.ApiManagement/service/sku.name",
+              "in": "[parameters('listOfAllowedSKUs')]"
+            }
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5",
+  "name": "73ef9241-5d81-4cd4-b483-8443d1730fe5"
+}