Promoted Azure.AppConfig.GeoReplica to GA #2592

Azure · Dec 11, 2023 · c63a990 · c63a990
1 parent 9e9da84
commit c63a990
Show file tree

Hide file tree

Showing 11 changed files with 217 additions and 109 deletions.
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -35,6 +35,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 What's changed since pre-release v1.32.0-B0053:
 
 - Updated rules:
+  - App Configuration:
+    - Promoted `Azure.AppConfig.GeoReplica` to GA rule set by @BernieWhite.
+      [#2592](https://github.com/Azure/PSRule.Rules.Azure/issues/2592)
   - Azure Kubernetes Service:
     - Updated `Azure.AKS.Version` to use latest stable version `1.27.7` by @BernieWhite.
       [#2581](https://github.com/Azure/PSRule.Rules.Azure/issues/2581)

diff --git a/docs/en/rules/Azure.AppConfig.DisableLocalAuth.md b/docs/en/rules/Azure.AppConfig.DisableLocalAuth.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-07-15
+reviewed: 2023-12-11
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: App Configuration
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppConfig.DisableLocalAuth/
 ---
@@ -11,26 +11,29 @@ online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppCon
 
 ## SYNOPSIS
 
-Authenticate App Configuration clients with Azure AD identities.
+Authenticate App Configuration clients with Entra ID identities.
 
 ## DESCRIPTION
 
 Every request to an Azure App Configuration resource must be authenticated.
-By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials,
-or by using an access key.
-Of these two types of authentication schemes, Azure AD provides superior
-security and ease of use over access keys, and is recommended by Microsoft.
-To require clients to use Azure AD to authenticate requests, you can disable the usage of access keys for an Azure App Configuration
+App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys.
+Using Entra ID identities:
+
+- Centralizes identity management and auditing.
+- Allows granting of permissions using role-based access control (RBAC).
+- Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable.
+
+To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration
 resource.
 
 When you disable access key authentication for an Azure App Configuration resource, any existing access
 keys for that resource are deleted.
 Any subsequent requests to the resource using the previously existing access keys will be rejected.
-Only requests that are authenticated using Azure AD will succeed.
+Only requests that are authenticated using Entra ID will succeed.
 
 ## RECOMMENDATION
 
-Consider only using Azure AD identities to access App Configuration data.
+Consider only using Entra ID identities to access App Configuration data.
 Then disable authentication based on access keys or SAS tokens.
 
 ## EXAMPLES
@@ -92,22 +95,39 @@ To deploy App Configuration Stores that pass this rule:
 For example:
 
 ```bicep
-module store 'br/public:app/app-configuration:1.1.1' = {
+module br_public_store 'br/public:app/app-configuration:1.1.2' = {
   name: 'store'
   params: {
     skuName: 'Standard'
     disableLocalAuth: true
     enablePurgeProtection: true
     publicNetworkAccess: 'Disabled'
+    replicas: [
+      {
+        name: 'eastus'
+        location: 'eastus'
+      }
+    ]
   }
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+Name | Resource
+---- | --------
+App Configuration stores should have local authentication methods disabled | `/providers/Microsoft.Authorization/policyDefinitions/b08ab3ca-1062-4db3-8803-eec9cae605d6`
+Configure App Configuration stores to disable local authentication methods | `/providers/Microsoft.Authorization/policyDefinitions/72bc14af-4ab8-43af-b4e4-38e7983f9a1f`
+
 ## LINKS
 
-- [Centralize all identity systems](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authentication#centralize-all-identity-systems)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/security-controls-v3-identity-management#im-1-use-centralized-identity-and-authentication-system)
-- [Authorize access to Azure App Configuration using Azure Active Directory](https://learn.microsoft.com/azure/azure-app-configuration/concept-enable-rbac)
+- [Authorize access to Azure App Configuration using Microsoft Entra ID](https://learn.microsoft.com/azure/azure-app-configuration/concept-enable-rbac)
 - [Disable access key authentication](https://learn.microsoft.com/azure/azure-app-configuration/howto-disable-access-key-authentication)
-- [Public registry](https://azure.github.io/bicep-registry-modules/#app)
+- [Azure security baseline for Azure App Configuration](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-app-configuration-security-baseline)
+- [Azure Policy built-in definitions for Azure App Configuration](https://learn.microsoft.com/azure/azure-app-configuration/policy-reference)
+- [Bicep public registry](https://azure.github.io/bicep-registry-modules/#app)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.appconfiguration/configurationstores)
diff --git a/docs/en/rules/Azure.AppConfig.GeoReplica.md b/docs/en/rules/Azure.AppConfig.GeoReplica.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2023-12-11
 severity: Important
 pillar: Reliability
-category: Data management
+category: RE:05 Redundancy
 resource: App Configuration
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppConfig.GeoReplica/
 ---
@@ -10,29 +11,31 @@ online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppCon
 
 ## SYNOPSIS
 
-Consider replication for app configuration store to ensure resiliency to region outages.
+Replicate app configuration store across all points of presence for an application.
 
 ## DESCRIPTION
 
-A app configuration store is stored and maintained by default in a single region.
+By default, an app configuration store is stored and maintained in a single region.
 
-The app configuration geo-replication feature allows you to replicate your configuration store at-will to the regions of your choice.
-Each new `replica` will be in a different region and creates a new endpoint for your applications to send requests to.
-The original endpoint of your configuration store is called the `Origin`.
+The app configuration geo-replication feature allows you to replicate your configuration store to additional regions.
+Each new _replica_ will be in a different region with a new endpoint for your applications to send requests to.
+The original endpoint of your configuration store is called the _origin_.
 The origin can't be removed, but otherwise behaves like any replica.
 
 Replicating your configuration store adds the following benefits:
 
-- Added resiliency for Azure outages.
+- Added resiliency for localized outages contained to a region.
 - Redistribution of request limits.
 - Regional compartmentalization.
 
-Geo-replication is currently a **preview** feature.
-During the preview geo-replication has additional limitations including support and regional availability.
+When considering where to place replicas, consider the following; where does the application run from?
+
+- For server-side applications, consider deploying replicas to regions where the application is hosted and recovered.
+- For client-side applications, consider deploying replicas to regions closest to where the users are located.
 
 ## RECOMMENDATION
 
-Consider replication for app configuration store to ensure resiliency to region outages.
+Consider replicating app configuration stores to improve resiliency to region outages.
 
 ## EXAMPLES
 
@@ -48,57 +51,28 @@ For example:
 
 ```json
 {
-  "parameters": {
-    "appConfigName": {
-      "type": "string",
-      "defaultValue": "configstore01",
-      "metadata": {
-        "description": "The name of the app configuration store."
-      }
-    },
-    "replicaName": {
-      "type": "string",
-      "defaultValue": "replica01",
-      "metadata": {
-        "description": "The name of the replica."
-      }
-    },
-    "appConfigLocation": {
-      "type": "string",
-      "defaultValue": "[resourceGroup().location]",
-      "metadata": {
-        "description": "The location resources will be deployed."
-      }
-    },
-    "replicaLocation": {
-      "type": "string",
-      "defaultValue": "northeurope",
-      "metadata": {
-        "description": "The location where the replica will be deployed."
-      }
-    }
-  },
   "resources": [
     {
       "type": "Microsoft.AppConfiguration/configurationStores",
-      "apiVersion": "2022-05-01",
-      "name": "[parameters('appConfigName')]",
-      "location": "[parameters('appConfigLocation')]",
+      "apiVersion": "2023-03-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
       "sku": {
         "name": "standard"
       },
       "properties": {
         "disableLocalAuth": true,
-        "enablePurgeProtection": true
+        "enablePurgeProtection": true,
+        "publicNetworkAccess": "Disabled"
       }
     },
     {
       "type": "Microsoft.AppConfiguration/configurationStores/replicas",
-      "apiVersion": "2022-03-01-preview",
-      "name": "[format('{0}/{1}', parameters('appConfigName'), parameters('replicaName'))]",
+      "apiVersion": "2023-03-01",
+      "name": "[format('{0}/{1}', parameters('name'), parameters('replicaName'))]",
       "location": "[parameters('replicaLocation')]",
       "dependsOn": [
-        "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('appConfigName'))]"
+        "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('name'))]"
       ]
     }
   ]
@@ -116,41 +90,59 @@ To deploy App Configuration Stores that pass this rule:
 For example:
 
 ```bicep
-@description('The name of the app configuration store.')
-param appConfigName string = 'configstore01'
-
-@description('The name of the replica.')
-param replicaName string = 'replica01'
-
-@description('The location resources will be deployed.')
-param appConfigLocation string = resourceGroup().location
-
-@description('The location where the replica will be deployed.')
-param replicaLocation string = 'northeurope'
-
-resource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {
-  name: appConfigName
-  location: appConfigLocation
+resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
+  name: name
+  location: location
   sku: {
     name: 'standard'
   }
   properties: {
     disableLocalAuth: true
     enablePurgeProtection: true
+    publicNetworkAccess: 'Disabled'
   }
 }
 
-resource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2022-03-01-preview' = {
+resource replica 'Microsoft.AppConfiguration/configurationStores/replicas@2023-03-01' = {
+  parent: store
   name: replicaName
   location: replicaLocation
-  parent: store
+}
+```
+
+### Configure with Bicep Public Registry
+
+To deploy App Configuration Stores that pass this rule:
+
+- Set `params.skuName` to `Standard` (required for geo-replication).
+- Configure one or more replicas by setting `params.replicas` to an array of objects.
+- Set `location` on each replica to a different location than the app configuration store.
+
+For example:
+
+```bicep
+module br_public_store 'br/public:app/app-configuration:1.1.2' = {
+  name: 'store'
+  params: {
+    skuName: 'Standard'
+    disableLocalAuth: true
+    enablePurgeProtection: true
+    publicNetworkAccess: 'Disabled'
+    replicas: [
+      {
+        name: 'eastus'
+        location: 'eastus'
+      }
+    ]
+  }
 }
 ```
 
 ## LINKS
 
-- [Resiliency and dependencies](https://learn.microsoft.com/azure/architecture/framework/resiliency/design-resiliency)
+- [RE:05 Redundancy](https://learn.microsoft.com/azure/well-architected/reliability/redundancy)
 - [Resiliency and diaster recovery](https://learn.microsoft.com/azure/azure-app-configuration/concept-disaster-recovery)
 - [Geo-replication overview](https://learn.microsoft.com/azure/azure-app-configuration/concept-geo-replication)
 - [Enable geo-replication](https://learn.microsoft.com/azure/azure-app-configuration/howto-geo-replication)
+- [Bicep public registry](https://azure.github.io/bicep-registry-modules/#app)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.appconfiguration/configurationstores/replicas)
diff --git a/docs/en/rules/Azure.AppConfig.Name.md b/docs/en/rules/Azure.AppConfig.Name.md
@@ -76,6 +76,32 @@ resource store 'Microsoft.AppConfiguration/configurationStores@2022-05-01' = {
 }
 ```
 
+### Configure with Bicep Public Registry
+
+To deploy App Configuration Stores that pass this rule:
+
+- Set `params.name` to a value that meets the requirements.
+
+For example:
+
+```bicep
+module br_public_store 'br/public:app/app-configuration:1.1.2' = {
+  name: 'store'
+  params: {
+    skuName: 'Standard'
+    disableLocalAuth: true
+    enablePurgeProtection: true
+    publicNetworkAccess: 'Disabled'
+    replicas: [
+      {
+        name: 'eastus'
+        location: 'eastus'
+      }
+    ]
+  }
+}
+```
+
 ## NOTES
 
 This rule does not check if App Configuration store names are unique.

diff --git a/docs/en/rules/Azure.AppConfig.PurgeProtect.md b/docs/en/rules/Azure.AppConfig.PurgeProtect.md
@@ -84,13 +84,19 @@ To deploy App Configuration Stores that pass this rule:
 For example:
 
 ```bicep
-module store 'br/public:app/app-configuration:1.1.1' = {
+module br_public_store 'br/public:app/app-configuration:1.1.2' = {
   name: 'store'
   params: {
     skuName: 'Standard'
     disableLocalAuth: true
     enablePurgeProtection: true
     publicNetworkAccess: 'Disabled'
+    replicas: [
+      {
+        name: 'eastus'
+        location: 'eastus'
+      }
+    ]
   }
 }
 ```
@@ -99,5 +105,5 @@ module store 'br/public:app/app-configuration:1.1.1' = {
 
 - [Data management for reliability](https://learn.microsoft.com/azure/architecture/framework/resiliency/data-management)
 - [Purge protection](https://learn.microsoft.com/azure/azure-app-configuration/concept-soft-delete#purge-protection)
-- [Public registry](https://azure.github.io/bicep-registry-modules/#app)
+- [Bicep public registry](https://azure.github.io/bicep-registry-modules/#app)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.appconfiguration/configurationstores)
diff --git a/docs/en/rules/Azure.AppConfig.SKU.md b/docs/en/rules/Azure.AppConfig.SKU.md
@@ -83,13 +83,19 @@ To deploy App Configuration Stores that pass this rule:
 For example:
 
 ```bicep
-module store 'br/public:app/app-configuration:1.1.1' = {
+module br_public_store 'br/public:app/app-configuration:1.1.2' = {
   name: 'store'
   params: {
     skuName: 'Standard'
     disableLocalAuth: true
     enablePurgeProtection: true
     publicNetworkAccess: 'Disabled'
+    replicas: [
+      {
+        name: 'eastus'
+        location: 'eastus'
+      }
+    ]
   }
 }
 ```
@@ -99,5 +105,5 @@ module store 'br/public:app/app-configuration:1.1.1' = {
 - [Meet application platform requirements](https://learn.microsoft.com/azure/architecture/framework/resiliency/design-requirements#meet-application-platform-requirements)
 - [App Configuration pricing](https://azure.microsoft.com/pricing/details/app-configuration/)
 - [Which App Configuration tier should I use?](https://learn.microsoft.com/azure/azure-app-configuration/faq#which-app-configuration-tier-should-i-use)
-- [Public registry](https://azure.github.io/bicep-registry-modules/#app)
+- [Bicep public registry](https://azure.github.io/bicep-registry-modules/#app)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.appconfiguration/configurationstores)