last sync: 2020-Jul-02 13:28:37 UTC

Azure Policy

[Preview]: Manage certificate lifetime action triggers

Policy DisplayName [Preview]: Manage certificate lifetime action triggers
Policy Id 12ef42cb-9903-4e39-9c26-422d29570417
Policy Category Key Vault
Policy Description This policy manages the configuration for certificate lifetime action triggers before certificate expiration.
Policy Mode Microsoft.KeyVault.Data
Policy Type BuiltIn
Policy in Preview True
Policy Deprecated False
Policy Effect Default: audit
Allowed: (audit,deny,disabled)
Roles used none
Policy Changes
Date/Time (UTC, ymd) | Change | Change detail
2019-11-19 11:26:09 | change: DisplayName | previous DisplayName: [Preview]: Certificates should have the specified lifetime action trigger
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
  "displayName": "[Preview]: Manage certificate lifetime action triggers",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "This policy manages the configuration for certificate lifetime action triggers before certificate expiration.",
    "metadata": {
      "version": "1.0.1-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumPercentageLife": {
        "type": "Integer",
        "metadata": {
        "displayName": "[Preview]: The maximum lifetime percentage",
          "description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'."
        }
      },
      "minimumDaysBeforeExpiry": {
        "type": "Integer",
        "metadata": {
        "displayName": "[Preview]: The minimum days before expiry",
          "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry",
                "exists": true
              },
              {
                "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry",
              "less": "[parameters('minimumDaysBeforeExpiry')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage",
                "exists": true
              },
              {
                "field": "Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage",
              "greater": "[parameters('maximumPercentageLife')]"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "12ef42cb-9903-4e39-9c26-422d29570417"
}