Hi @Monalla-MSFT ,
Thanks for writing back and my apologies for the late response.
This policy is working well to identify non-compliant windows function apps.
{
"displayName":"Function App should have client certificate enabled",
"policyType": "Custom",
"mode": "Indexed",
"description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
"metadata": {
"version": "1.0.1",
"category": "App Service"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites"
},
{
"field": "kind",
"like": "functionapp"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Web/sites",
"name": "[field('name')]",
"existenceCondition": {
"field": "Microsoft.Web/sites/clientCertEnabled",
"equals": true
},
"evaluationDelay": "AfterProvisioningSuccess",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
],
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"name": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"name": "[parameters('name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('location')]",
"apiVersion":"2018-11-01",
"properties": {
"clientCertEnabled": true
}
}
]
}
}
}
}
}
},
"name":"Enforce-FncApp-ClintCert"
}
Secon thing as you said I have tried by creating test linux function app with kind property as functionapp* and app service plan as premium(EP1) and it is working fine to identify non-compliant linux function apps.
{
"displayName":"Function App should have client certificate enabled",
"policyType": "Custom",
"mode": "Indexed",
"description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
"metadata": {
"version": "1.0.1",
"category": "App Service"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites"
},
{
"field": "kind",
"like": "functionapp*"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Web/sites",
"name": "[field('name')]",
"existenceCondition": {
"field": "Microsoft.Web/sites/clientCertEnabled",
"equals": true
},
"evaluationDelay": "AfterProvisioningSuccess",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
],
"deployment": {
"properties": {
"mode": "incremental",
"parameters": {
"name": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"name": "[parameters('name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('location')]",
"apiVersion":"2018-11-01",
"properties": {
"clientCertEnabled": true
}
}
]
}
}
}
}
}
},
"name":"Enforce-FncApp-ClintCert"
}
But strnage thing is second one is not able to identify windows function apps although i have given function app kind as functionapp*.. Please correct me if i am wrong or add your inputs if there is any common policy to identify both windows and linux function apps.