# Governance Policies Azure Data Mysql Flexible - Azure/az-prototype GitHub Wiki

## Governance policies for MySQL Flexible

Domain: azure-data

| Name | Description |
|---|---|
| MySQL Flexible Server with VNet integration and HA | Production MySQL with zone-redundant HA, VNet integration, and audit logging |

| Description | Instead |
|---|---|
| Do not expose MySQL to the public internet | Use VNet integration with delegated subnet or private endpoints |
| Do not store database passwords in plain text | Use Key Vault references for administratorLoginPassword |

| Check | Severity | Description |
|---|---|---|
| AZ-MYSQL-001 | Required | Deploy MySQL Flexible Server with Microsoft Entra authentication and TLS 1.2 enforcement |
| AZ-MYSQL-002 | Required | Enforce TLS 1.2 via server configuration parameters |
| AZ-MYSQL-003 | Required | Enable audit logging for MySQL Flexible Server |
| AZ-MYSQL-004 | Recommended | Enable zone-redundant high availability for production |

### AZ-MYSQL-001: Deploy MySQL Flexible Server with Microsoft Entra authentication and TLS 1.2 enforcement

Severity: Required

Rationale: Entra auth eliminates password management; TLS 1.2 prevents protocol downgrade attacks

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.DBforMySQL/flexibleServers

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworks/subnets | snet-mysql | Delegated subnet with Microsoft.DBforMySQL/flexibleServers service delegation |
| Microsoft.Network/privateDnsZones | privatelink.mysql.database.azure.com | Private DNS zone for MySQL Flexible Server VNet-integrated name resolution |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | link-mysql-dns | VNet link connecting the MySQL private DNS zone to the virtual network |
| Microsoft.DBforMySQL/flexibleServers/configurations | tls_version | Server configuration enforcing TLS 1.2 and audit log settings |
| Microsoft.Insights/diagnosticSettings | diag-mysql | Diagnostic settings routing MySQL audit and slow query logs to Log Analytics |

### AZ-MYSQL-002: Enforce TLS 1.2 via server configuration parameters

Severity: Required

Rationale: TLS version enforcement must be set at the server parameter level in addition to network config

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.DBforMySQL/flexibleServers

### AZ-MYSQL-003: Enable audit logging for MySQL Flexible Server

Severity: Required

Rationale: Audit logs track connection attempts, DDL changes, and DML operations for compliance

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.DBforMySQL/flexibleServers

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for MySQL audit logs |

### AZ-MYSQL-004: Enable zone-redundant high availability for production

Severity: Recommended

Rationale: Zone-redundant HA provides automatic failover across availability zones

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.DBforMySQL/flexibleServers
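
The four checks above come together in one Bicep template. The block below is an added example for this page, not the az-prototype project's own template; it assumes the delegated subnet, the `privatelink.mysql.database.azure.com` zone (already linked to the VNet), the Log Analytics workspace and a user-assigned identity exist and are passed in by resource ID, and that the caller supplies `administratorLoginPassword` from Key Vault with `getSecret()` rather than as a literal. Parameter names, the SKU, the zone numbers and the `audit_log_events` selection are this example's choices.

```bicep
// Added example, not the project's template. Inputs are assumed to exist already.
param serverName string
param location string = resourceGroup().location
param delegatedSubnetId string        // subnet delegated to Microsoft.DBforMySQL/flexibleServers
param privateDnsZoneId string         // privatelink.mysql.database.azure.com, linked to the VNet
param logAnalyticsWorkspaceId string  // destination for audit and slow query logs
param identityId string               // user-assigned identity used for Entra lookups
param entraAdminObjectId string       // object ID of the Entra group made server admin
param entraAdminLogin string          // display name of that group

// Bootstrap password only. The caller passes it from Key Vault, e.g.
// keyVault.getSecret('<secret-name>'), so no plaintext lands in the template.
@secure()
param administratorLoginPassword string

resource mysql 'Microsoft.DBforMySQL/flexibleServers@2023-06-30' = {
  name: serverName
  location: location
  sku: {
    name: 'Standard_D2ds_v4' // General Purpose tier; zone-redundant HA is not available on Burstable
    tier: 'GeneralPurpose'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityId}': {}
    }
  }
  properties: {
    version: '8.0.21'
    administratorLogin: 'mysqladmin'
    administratorLoginPassword: administratorLoginPassword
    availabilityZone: '1'
    // AZ-MYSQL-004: standby replica in a second zone with automatic failover
    highAvailability: {
      mode: 'ZoneRedundant'
      standbyAvailabilityZone: '2'
    }
    // VNet integration: the server gets a private IP in the delegated subnet
    // and is resolved through the private DNS zone; no public endpoint exists.
    network: {
      delegatedSubnetResourceId: delegatedSubnetId
      privateDnsZoneResourceId: privateDnsZoneId
    }
  }
}

// AZ-MYSQL-001: Microsoft Entra administrator. The identity referenced above
// must already hold the Microsoft Graph read permissions the service requires.
resource entraAdmin 'Microsoft.DBforMySQL/flexibleServers/administrators@2023-06-30' = {
  parent: mysql
  name: 'ActiveDirectory'
  properties: {
    administratorType: 'ActiveDirectory'
    identityResourceId: identityId
    login: entraAdminLogin
    sid: entraAdminObjectId
    tenantId: tenant().tenantId
  }
}

// AZ-MYSQL-002 and AZ-MYSQL-003: server parameters. require_secure_transport
// rejects plaintext connections, tls_version pins the minimum protocol version,
// and the audit_log_* parameters record connections, DDL and DML.
var serverParameters = [
  { name: 'require_secure_transport', value: 'ON' }
  { name: 'tls_version', value: 'TLSv1.2' }
  { name: 'audit_log_enabled', value: 'ON' }
  { name: 'audit_log_events', value: 'CONNECTION,DDL,DML' }
]

// Parameter writes to one server must not overlap, so apply them serially
// and only after the Entra admin operation has finished.
@batchSize(1)
resource serverConfig 'Microsoft.DBforMySQL/flexibleServers/configurations@2023-06-30' = [for p in serverParameters: {
  parent: mysql
  name: p.name
  properties: {
    value: p.value
    source: 'user-override'
  }
  dependsOn: [entraAdmin]
}]

// AZ-MYSQL-003: route the audit log (and slow query log) to Log Analytics
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-mysql'
  scope: mysql
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'MySqlAuditLogs', enabled: true }
      { category: 'MySqlSlowLogs', enabled: true }
    ]
  }
}
```

Note that enabling `audit_log_enabled` alone does not satisfy AZ-MYSQL-003: the `MySqlAuditLogs` diagnostic category is what moves the records off the server into Log Analytics, so both the configuration resource and the diagnostic setting are needed for the check to hold.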