last sync: 2021-May-10 15:04:35 UTC

Azure Policy definition

Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns

Name Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns
Azure Portal
Id e9914afe-31cd-4b8a-92fa-c887f847d477
Version 1.0.0
details on versioning
Category Media Services
Microsoft docs
Description Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Deny
Allowed: (Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-05-04 14:34:06 add e9914afe-31cd-4b8a-92fa-c887f847d477
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Block jobs with unknown endpoints, or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      },
      "allowedJobInputHttpUriPatterns": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed job input HTTPS URI patterns",
        "description": "Permitted URI patterns for HTTPS job inputs, for example [ 'https://store.contoso.com/media1/*', 'https://store.contoso.com/media2/*' ] or [ ] to block all HTTPS job inputs. URI patterns may contain a single asterisk which should be at the end of the URI to allow any file for a given URI prefix."
        },
        "defaultValue": [
          
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices/transforms/jobs"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri",
                    "exists": "true"
                  },
                  {
                    "count": {
                    "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                      "name": "pattern",
                      "where": {
                        "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri",
                      "like": "[current('pattern')]"
                      }
                    },
                    "equals": 0
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputHttp.baseUri",
                    "exists": "false"
                  },
                  {
                    "count": {
                    "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputClip.files[*]",
                      "where": {
                        "count": {
                        "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                          "name": "pattern",
                          "where": {
                          "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputClip.files[*]",
                          "like": "[current('pattern')]"
                          }
                        },
                        "equals": 0
                      }
                    },
                    "greater": 0
                  }
                ]
              },
              {
                "count": {
                "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "true"
                          },
                          {
                            "count": {
                            "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                              "name": "pattern",
                              "where": {
                              "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                              "like": "[current('pattern')]"
                              }
                            },
                            "equals": 0
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "false"
                          },
                          {
                            "count": {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                              "where": {
                                "count": {
                                "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                                  "name": "pattern",
                                  "where": {
                                  "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                                  "like": "[current('pattern')]"
                                  }
                                },
                                "equals": 0
                              }
                            },
                            "greater": 0
                          }
                        ]
                      }
                    ]
                  }
                },
                "greater": 0
              },
              {
                "count": {
                "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "true"
                          },
                          {
                            "count": {
                            "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                              "name": "pattern",
                              "where": {
                              "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                              "like": "[current('pattern')]"
                              }
                            },
                            "equals": 0
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                          "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputHttp.baseUri",
                            "exists": "false"
                          },
                          {
                            "count": {
                            "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                              "where": {
                                "count": {
                                "value": "[parameters('allowedJobInputHttpUriPatterns')]",
                                  "name": "pattern",
                                  "where": {
                                  "field": "Microsoft.Media/mediaServices/transforms/jobs/input.#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputs.inputs[*].#Microsoft-Media-JobInputClip.files[*]",
                                  "like": "[current('pattern')]"
                                  }
                                },
                                "equals": 0
                              }
                            },
                            "greater": 0
                          }
                        ]
                      }
                    ]
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e9914afe-31cd-4b8a-92fa-c887f847d477",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e9914afe-31cd-4b8a-92fa-c887f847d477"
}