Governance Policies Azure Data Postgresql Flexible - Azure/az-prototype GitHub Wiki
Governance policies for Postgresql Flexible
Domain: azure-data
| Name | Description |
|---|---|
| PostgreSQL Flexible Server with Entra auth and VNet integration | Production PostgreSQL with Entra-only auth, VNet integration, HA, and diagnostics |
| Description | Instead |
|---|---|
| Do not expose PostgreSQL to the public internet | Use VNet integration with delegated subnet or private endpoints |
| Do not use password authentication when Entra auth is available | Set passwordAuth to Disabled and use Entra authentication |
| Check | Severity | Description |
|---|---|---|
| AZ-PG-001 | Required | Deploy PostgreSQL Flexible Server with Microsoft Entra authentication, VNet integration, and TLS 1.2 |
| AZ-PG-002 | Required | Configure Entra admin for PostgreSQL Flexible Server |
| AZ-PG-003 | Required | Enable diagnostic settings for PostgreSQL audit and slow query logs |
| AZ-PG-004 | Recommended | Enable zone-redundant high availability for production databases |
Deploy PostgreSQL Flexible Server with Microsoft Entra authentication, VNet integration, and TLS 1.2
Severity: Required
Rationale: Entra auth centralizes identity; VNet integration eliminates public exposure; TLS 1.2 prevents downgrade attacks
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.DBforPostgreSQL/flexibleServers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworks/subnets | snet-postgresql | Delegated subnet with Microsoft.DBforPostgreSQL/flexibleServers service delegation |
| Microsoft.Network/privateDnsZones | privatelink.postgres.database.azure.com | Private DNS zone for PostgreSQL Flexible Server VNet-integrated name resolution |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | link-pg-dns | VNet link connecting the PostgreSQL private DNS zone to the virtual network |
| Microsoft.DBforPostgreSQL/flexibleServers/administrators | entra-admin | Entra ID admin assignment enabling Azure AD authentication on the server |
| Microsoft.Insights/diagnosticSettings | diag-postgresql | Diagnostic settings routing PostgreSQL logs to Log Analytics |
Configure Entra admin for PostgreSQL Flexible Server
Severity: Required
Rationale: Entra admin is required for Entra authentication to function
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.DBforPostgreSQL/flexibleServers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.DBforPostgreSQL/flexibleServers | pg-server | Parent PostgreSQL server with activeDirectoryAuth enabled in authConfig |
Enable diagnostic settings for PostgreSQL audit and slow query logs
Severity: Required
Rationale: PostgreSQL logs track queries, connections, and errors for troubleshooting and compliance
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.DBforPostgreSQL/flexibleServers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for PostgreSQL diagnostic logs |
Enable zone-redundant high availability for production databases
Severity: Recommended
Rationale: Zone-redundant HA provides automatic failover with near-zero data loss across zones
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.DBforPostgreSQL/flexibleServers