Monday, April 18, 2022

Enable HTTPS setting on Azure App service using Azure policy

Use Case:

By default, clients can connect to Azure App Service endpoints using either HTTP or HTTPS. It is recommended to turn on the HTTPS Only setting, which redirects HTTP requests to HTTPS, because HTTPS uses TLS to provide a connection that is both encrypted and authenticated.

In this post, we will learn how to enable the HTTPS Only setting on Azure App Service using Azure Policy.

Background:

Azure App Service is a fully managed platform as a service (PaaS) offering for developers. It is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management; you can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domains, and TLS/SSL certificates.

Azure Policy is a service in Azure that helps enforce organizational standards and assess compliance at scale. Policy evaluates resources in Azure by comparing the properties of those resources to the business rules defined in the policy. These business rules, described in JSON format, are known as policy definitions.
To learn more about Azure Policy and how to create a policy, refer to this document.


In this scenario the organization requires HTTPS Only to be enforced on both new and existing App Services in your environment. To provide that governance, we will achieve it using Azure Policy.

Prerequisites:

  1. An Azure subscription. If you don't have an Azure subscription, create an Azure free account before you begin.
  2. The permissions required to create and manage Azure Policy definitions and assignments in your subscription, for example the Resource Policy Contributor or Security Admin role.
  3. Since this policy uses the DeployIfNotExists effect, the policy assignment requires a managed identity to perform remediation. That identity is granted the role listed in the definition's roleDefinitionIds (Contributor in this post) so it can write the App Service resource.

Create a custom policy to Enable HTTPS on App Service:

  1. In the Azure portal, select All services > search for Policy > go to Definitions > click + Policy definition.

    TirumaleshSriram_0-1650021906741.png
  2. Select the Definition location by clicking the ellipsis [...] and choose your management group or subscription.
  3. Fill in the Name field with a policy definition name such as 'Enable HTTPS on App Service' and add a Description.
  4. Select an appropriate Category for your policy; you can create a new one or use an existing one such as 'App Service'.
    TirumaleshSriram_1-1650022674969.png
  5. Add the following JSON policy definition in the Policy Rule section and then click Save.

    DISCLAIMER: The sample policy definition below is not supported under any Microsoft standard support program or service. It is intended to be used in non-production environments only. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, owners of this GitHub repo, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.


    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Web/sites"
            },
            {
              "field": "kind",
              "like": "app*"
            }
          ]
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Web/sites",
            "name": "[field('name')]",
            "existenceCondition": {
              "field": "Microsoft.Web/sites/httpsOnly",
              "equals": "true"
            },
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "parameters": {
                  "webAppName": {
                    "value": "[field('name')]"
                  },
                  "location": {
                    "value": "[field('location')]"
                  },
                  "kind": {
                    "value": "[field('kind')]"
                  }
                },
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "webAppName": {
                      "type": "string"
                    },
                    "location": {
                      "type": "string"
                    },
                    "kind": {
                      "type": "string"
                    }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.Web/sites",
                      "apiVersion": "2021-02-01",
                      "name": "[parameters('webAppName')]",
                      "location": "[parameters('location')]",
                      "kind": "[parameters('kind')]",
                      "properties": {
                        "httpsOnly": true
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": [
            "DeployIfNotExists",
            "AuditIfNotExists",
            "Disabled"
          ],
          "defaultValue": "DeployIfNotExists"
        }
      }
    }
  6. Ensure that roleDefinitionIds grants enough permission to set HTTPS Only on the site. The GUID above (b24988ac-6180-42a0-ab88-20f7382dd24c) is the built-in Contributor role, which is what this post uses. If you prefer least privilege, the built-in Website Contributor role (de139f84-1756-47ae-9be6-808fbbe84772) is sufficient, because the remediation only writes Microsoft.Web/sites.
  7. The existenceCondition is checked against the related resource named by details.type and details.name, which for this rule is the evaluated site itself. If it evaluates to true (httpsOnly is already true), the policy does nothing; if it evaluates to false, the deployment in the template runs and sets httpsOnly to true. Note that DeployIfNotExists does not block the create or update request: evaluation runs after the request has succeeded, so a newly created site can briefly accept HTTP until the deployment completes. Refer to this document to learn more about DeployIfNotExists and existenceCondition.
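The rule above can be dry-run locally before it is assigned, which is useful for checking exactly which sites it will touch. The following Python script is an added example, not code from the original post or from Microsoft: it re-implements only the Azure Policy constructs this rule uses (allOf, field/equals, field/like, the existenceCondition and the [field('...')] expressions in the deployment parameters) and runs them over constructed sample sites. The site names and locations are invented; the kind values are the strings App Service reports (web apps start with "app", function apps with "functionapp", API apps report "api"), which is how the example shows that the 'app*' filter covers Windows and Linux web apps but leaves function apps and API apps untouched, and what the 'functionapp*' variant mentioned at the end of the post changes.

```python
"""Local dry-run of the 'Enable HTTPS on App Service' policy rule: an added example
implementing only the constructs the rule uses (allOf, equals, like, existenceCondition)."""
import copy
import fnmatch

# The policy rule as shown above, with the effect parameter at its default.
POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites"},
        {"field": "kind", "like": "app*"},
    ]},
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": "Microsoft.Web/sites",
            "name": "[field('name')]",
            "existenceCondition": {"field": "Microsoft.Web/sites/httpsOnly", "equals": "true"},
            "deployment": {"properties": {"parameters": {
                "webAppName": {"value": "[field('name')]"},
                "location": {"value": "[field('location')]"},
                "kind": {"value": "[field('kind')]"},
            }}},
        },
    },
}

# Constructed sample sites (names/locations invented). Kind strings are the ones App
# Service reports: web apps start with "app", function apps "functionapp", API apps "api".
SAMPLE_RESOURCES = [
    {"name": "shop-web", "type": "Microsoft.Web/sites", "kind": "app",
     "location": "eastus", "properties": {"httpsOnly": False}},
    {"name": "shop-linux", "type": "Microsoft.Web/sites", "kind": "app,linux,container",
     "location": "westeurope", "properties": {"httpsOnly": True}},
    {"name": "jobs-func", "type": "Microsoft.Web/sites", "kind": "functionapp",
     "location": "eastus", "properties": {"httpsOnly": False}},
    {"name": "legacy-api", "type": "Microsoft.Web/sites", "kind": "api",
     "location": "eastus", "properties": {"httpsOnly": False}},
]

# Policy aliases map to paths inside the resource JSON.
ALIASES = {"Microsoft.Web/sites/httpsOnly": ("properties", "httpsOnly")}


def field_value(resource, field):
    """Resolve a field or alias to the string Azure Policy compares (bool -> "true"/"false")."""
    value = resource
    for key in ALIASES.get(field, (field,)):
        value = value.get(key) if isinstance(value, dict) else None
    if isinstance(value, bool):
        return str(value).lower()
    return "" if value is None else str(value)


def matches(condition, resource):
    """Evaluate a condition case-insensitively; 'like' supports the '*' wildcard."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    value = field_value(resource, condition["field"]).lower()
    if "equals" in condition:
        return value == str(condition["equals"]).lower()
    if "like" in condition:
        return fnmatch.fnmatchcase(value, condition["like"].lower())
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, policy=POLICY):
    """Return (state, deployment parameters or None). The existenceCondition is checked
    against details.type/details.name, which for this rule is the evaluated site itself."""
    if not matches(policy["if"], resource):
        return "NotApplicable", None
    details = policy["then"]["details"]
    if matches(details["existenceCondition"], resource):
        return "Compliant", None
    # Non-compliant: DeployIfNotExists would run the template with these parameters,
    # each [field('x')] expression resolved against the evaluated site.
    params = {}
    for name, p in details["deployment"]["properties"]["parameters"].items():
        expr = p["value"]
        if expr.startswith("[field('") and expr.endswith("')]"):
            params[name] = field_value(resource, expr[8:-3])
        else:
            params[name] = expr
    return "NonCompliant", params


def with_kind_filter(policy, pattern):
    """Copy of the rule with a different kind filter, e.g. 'functionapp*' for function apps."""
    clone = copy.deepcopy(policy)
    for cond in clone["if"]["allOf"]:
        if cond.get("field") == "kind":
            cond["like"] = pattern
    return clone


def dry_run(resources=SAMPLE_RESOURCES, policy=POLICY):
    """Map resource name -> compliance state under the given rule."""
    return {r["name"]: evaluate(r, policy)[0] for r in resources}


if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(r["name"], r["kind"], *evaluate(r))
    print("functionapp* variant:", dry_run(policy=with_kind_filter(POLICY, "functionapp*")))
```

Running it shows shop-web as NonCompliant with the deployment parameters resolved to its own name, location and kind, shop-linux as Compliant, and both jobs-func and legacy-api as NotApplicable; with the 'functionapp*' filter only jobs-func is in scope. If you need one assignment to cover web apps, function apps and API apps, you would need separate kind conditions (or separate definitions, as the built-in policies do) rather than a single 'app*' pattern.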

Assign the custom policy:

  1. In the Azure portal, select All services > search for Policy > go to Assignments > select Assign policy.

    TirumaleshSriram_2-1650023249364.png

  2. On the Assign Policy page, set the Scope by selecting the ellipsis and then selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then use the Select button at the bottom of the Scope page.
  3. Resources can be excluded based on the Scope. Exclusions start one level below the level of the Scope. Exclusions are optional, so leave this blank for now.
  4. Select the Policy definition ellipsis to open the list of available definitions. Search for the custom policy 'Enable HTTPS on App Service' that you have created in the previous step and then click on Select.
  5. The Assignment name is automatically populated with the policy name you selected, but you can change it. For this example, leave Enable HTTPS on App Service. You can also add an optional Description. The description provides details about this policy assignment. Assigned by will automatically fill based on who is logged in. This field is optional, so custom values can be entered.
  6. Leave policy enforcement Enabled. For more information, see Policy assignment - enforcement mode.
  7. Select Next at the bottom of the page or the Parameters tab at the top of the page to move to the next segment of the assignment wizard.
  8. If the policy definition selected on the Basics tab includes parameters, they are configured on this tab. Our definition has one parameter, Effect, with the allowed values DeployIfNotExists, AuditIfNotExists and Disabled; DeployIfNotExists is selected by default.

    TirumaleshSriram_0-1650024180978.png

  9. In the Remediation tab, "Create a Managed Identity" is selected by default because the policy effect is DeployIfNotExists. Policies with the deployIfNotExists and modify effects need an identity that is able to deploy or modify resources. Choose between an existing user-assigned managed identity and a new system-assigned managed identity; the identity is granted the role listed in roleDefinitionIds (Contributor here) at the assignment scope. For more information, refer to managed identities.

    TirumaleshSriram_1-1650024326362.png

    To remediate App Services that already exist (the assignment by itself only evaluates them), also select "Create a remediation task" as shown below.

    TirumaleshSriram_2-1650024413690.png

  10. On the Non-compliance messages tab, enter your desired text in the Non-compliance message field. This custom message is shown when a resource is denied or is reported as non-compliant during evaluation. Then click Review + create.

    TirumaleshSriram_3-1650024668291.png

  11. Review the selected options, then select Create at the bottom of the page.

Verify if the policy evaluation triggered:

It takes around 30 minutes for the policy assignment to be applied to the defined scope. The evaluation cycle for resources within that scope then begins against the newly assigned policy and, depending on the effect used by the policy or initiative, each resource is marked as compliant, non-compliant or exempt.
A standard compliance evaluation cycle also runs every 24 hours, so assignments are re-evaluated automatically, and you can trigger an on-demand evaluation scan at any time.

You're now ready to identify non-compliant resources and understand the compliance state of your environment.

 

Identify non-compliant resources:

Select Compliance in the left side of the page. Then locate the 'Enable HTTPS on App Service' policy assignment you created. If there are any existing App Service resources that don't have HTTPS enabled, they appear under Non-compliant resources.

TirumaleshSriram_4-1650024897941.png

Remember that when an existing App Service is evaluated and HTTPS Only is not enabled, it is only marked as non-compliant; the assignment by itself takes no action on resources that already existed. That is why we created a remediation task during the policy assignment.

On the left side, click Remediation and locate the task by your policy assignment name; you can see that the existing non-compliant resources were remediated successfully.

TirumaleshSriram_5-1650025019053.png

After the remediation run completes, all App Services in scope are marked as compliant.

TirumaleshSriram_6-1650025115191.png

You can now verify that HTTPS Only is enabled on your App Service:
Go to your App Service > TLS/SSL settings > HTTPS Only

TirumaleshSriram_7-1650025173610.png

 

Note: this policy targets App Service web apps only, because the rule filters on kind like 'app*'. Function apps report a different kind, so to apply the same policy rule to function apps, change the kind condition to:

    {
      "field": "kind",
      "like": "functionapp*"
    }

This is how Azure Policy can be used to enable the HTTPS Only setting on Azure App Services, for new and existing resources alike.
To learn more about Azure Policy, refer to the Azure Policy documentation.

Posted at https://sl.advdat.com/3xxE46H