Governance Policies Azure Management Logic Apps - Azure/az-prototype GitHub Wiki
# Governance policies for Logic Apps
Domain: azure-management
| Name | Description |
|---|---|
| Logic App with managed identity and access control | Secure Logic App with managed identity, IP restrictions, and Key Vault-backed parameters |

| Anti-pattern | Instead |
|---|---|
| Do not hardcode credentials in workflow parameters | Use managed identity for API connections and Key Vault references for secrets |
| Do not expose trigger URLs without access restrictions | Configure allowedCallerIpAddresses to restrict trigger invocation |

| Check | Severity | Description |
|---|---|---|
| AZ-LA-001 | Required | Deploy Logic Apps Standard with managed identity, VNet integration, and disabled public access |
| AZ-LA-002 | Required | Use managed identity for all API connections instead of connection strings |
| AZ-LA-003 | Recommended | Configure IP-based access control for triggers, actions, and management endpoints |
| AZ-LA-004 | Recommended | Enable diagnostic logging for workflow runs and trigger history |

## AZ-LA-001: Deploy Logic Apps Standard with managed identity, VNet integration, and disabled public access
Severity: Required
Rationale: Logic Apps process business workflows that often handle sensitive data; managed identity eliminates connection credentials
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Logic/workflows

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-logic-app | Diagnostic settings to route workflow run logs and trigger events to Log Analytics |
| Microsoft.Authorization/roleAssignments | Logic App Contributor | RBAC role assignments for Logic App management |

## AZ-LA-002: Use managed identity for all API connections instead of connection strings
Severity: Required
Rationale: Connection strings are shared secrets; managed identity provides per-connection, auditable access
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Logic/workflows

## AZ-LA-003: Configure IP-based access control for triggers, actions, and management endpoints
Severity: Recommended
Rationale: IP restrictions limit who can invoke workflows and access run history
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Logic/workflows

## AZ-LA-004: Enable diagnostic logging for workflow runs and trigger history
Severity: Recommended
Rationale: Workflow logs provide audit trail and troubleshooting data for business process execution
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Logic/workflows
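The four checks above and the anti-pattern table can be evaluated statically against an ARM-style resource list before deployment, which is how a policy-as-code gate would apply this page. The following Python is an added example written for this wiki page; it is not part of the az-prototype project. It assumes Azure's resource schemas as commonly documented (`identity.type`, `properties.publicNetworkAccess` and `properties.virtualNetworkSubnetId` on the Standard host `Microsoft.Web/sites` with kind `workflowapp`; `properties.accessControl.<endpoint>.allowedCallerIpAddresses` on `Microsoft.Logic/workflows`; `parameterValueSet.name == "managedIdentityAuth"` on `Microsoft.Web/connections`; the `WorkflowRuntime` log category on `Microsoft.Insights/diagnosticSettings`). The credential-name regex is a heuristic chosen for this example, and every resource name, subnet, workspace and scope ID in `SAMPLE_RESOURCES` is a constructed placeholder.

```python
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "check severity resource message")
# Heuristic for credential-like names; an assumption of this example, not a rule from the policy page.
CREDENTIAL_NAME = re.compile(r"password|secret|apikey|api_key|token|connectionstring", re.I)


def _of_type(resources, rtype):
    return [r for r in resources if r.get("type", "").lower() == rtype.lower()]


def _range_is_restrictive(address_range):
    # allowedCallerIpAddresses entries are CIDR ("10.0.0.0/24") or dashed ("10.0.0.1-10.0.0.9");
    # a range covering the whole address space, or an unparsable one, is not a restriction.
    try:
        if "-" in address_range:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in address_range.split("-", 1))
            return not (int(lo) == 0 and int(hi) == 0xFFFFFFFF)
        return ipaddress.ip_network(address_range, strict=False).prefixlen > 0
    except ValueError:
        return False


def check_la_001(resources):
    # Standard host (Microsoft.Web/sites, kind workflowapp): managed identity, VNet integration, no public access
    out = []
    for site in _of_type(resources, "Microsoft.Web/sites"):
        if "workflowapp" not in site.get("kind", "").lower():
            continue
        props, name = site.get("properties", {}), site["name"]
        if "Assigned" not in (site.get("identity") or {}).get("type", ""):
            out.append(Finding("AZ-LA-001", "Required", name, "no managed identity assigned"))
        if not props.get("virtualNetworkSubnetId"):
            out.append(Finding("AZ-LA-001", "Required", name, "no VNet integration (virtualNetworkSubnetId)"))
        if props.get("publicNetworkAccess", "Enabled") != "Disabled":
            out.append(Finding("AZ-LA-001", "Required", name, "publicNetworkAccess is not Disabled"))
    return out


def check_la_002(resources):
    # API connections must use managedIdentityAuth; workflow parameters must not carry literal credentials
    out = []
    for conn in _of_type(resources, "Microsoft.Web/connections"):
        props = conn.get("properties", {})
        if props.get("parameterValueSet", {}).get("name") == "managedIdentityAuth":
            continue
        out.append(Finding("AZ-LA-002", "Required", conn["name"], "connection does not use managedIdentityAuth"))
        out += [Finding("AZ-LA-002", "Required", conn["name"], f"credential literal in parameterValues.{k}")
                for k in props.get("parameterValues", {}) if CREDENTIAL_NAME.search(k)]
    for wf in _of_type(resources, "Microsoft.Logic/workflows"):
        for pname, pdef in wf.get("properties", {}).get("definition", {}).get("parameters", {}).items():
            literal = isinstance(pdef.get("defaultValue"), str) and pdef["defaultValue"] != ""
            if CREDENTIAL_NAME.search(pname) and (pdef.get("type") != "securestring" or literal):
                out.append(Finding("AZ-LA-002", "Required", wf["name"], f"hardcoded credential in parameter '{pname}'"))
    return out


def check_la_003(resources):
    # accessControl must restrict trigger, action and management (workflowManagement) endpoints
    out = []
    for wf in _of_type(resources, "Microsoft.Logic/workflows"):
        acl = wf.get("properties", {}).get("accessControl", {})
        for endpoint in ("triggers", "actions", "workflowManagement"):
            ranges = [e.get("addressRange", "") for e in acl.get(endpoint, {}).get("allowedCallerIpAddresses", [])]
            if not ranges or not all(_range_is_restrictive(r) for r in ranges):
                out.append(Finding("AZ-LA-003", "Recommended", wf["name"], f"{endpoint}: no restrictive allowedCallerIpAddresses"))
    return out


def check_la_004(resources):
    # every workflow needs a diagnostic setting sending enabled WorkflowRuntime logs to a Log Analytics workspace
    out = []
    diags = _of_type(resources, "Microsoft.Insights/diagnosticSettings")
    for wf in _of_type(resources, "Microsoft.Logic/workflows"):
        suffix = f"microsoft.logic/workflows/{wf['name']}".lower()
        covered = any(
            d.get("properties", {}).get("workspaceId")
            and any(l.get("category") == "WorkflowRuntime" and l.get("enabled") for l in d["properties"].get("logs", []))
            for d in diags if d.get("scope", "").lower().endswith(suffix))
        if not covered:
            out.append(Finding("AZ-LA-004", "Recommended", wf["name"], "no diagnostic setting routing WorkflowRuntime logs to Log Analytics"))
    return out


def evaluate(resources):
    return [f for check in (check_la_001, check_la_002, check_la_003, check_la_004) for f in check(resources)]


# Constructed sample: a compliant host and blob connection, plus a legacy SQL connection with a literal
# password, an unrestricted management endpoint and a string-typed apiKey parameter with a default value.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Web/sites", "name": "la-orders", "kind": "functionapp,workflowapp",
     "identity": {"type": "SystemAssigned"},
     "properties": {"virtualNetworkSubnetId": "subnet-id-placeholder", "publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Web/connections", "name": "azureblob-mi",
     "properties": {"parameterValueSet": {"name": "managedIdentityAuth", "values": {}}}},
    {"type": "Microsoft.Web/connections", "name": "sql-legacy",
     "properties": {"parameterValues": {"server": "sql.example", "username": "app", "password": "PLACEHOLDER"}}},
    {"type": "Microsoft.Logic/workflows", "name": "wf-orders", "properties": {
        "accessControl": {
            "triggers": {"allowedCallerIpAddresses": [{"addressRange": "10.0.0.0/24"}]},
            "actions": {"allowedCallerIpAddresses": [{"addressRange": "10.0.0.0/24"}]},
            "workflowManagement": {"allowedCallerIpAddresses": [{"addressRange": "0.0.0.0-255.255.255.255"}]}},
        "definition": {"parameters": {"apiKey": {"type": "string", "defaultValue": "literal-key"},
                                      "sasToken": {"type": "securestring"}}}}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "diag-logic-app",
     "scope": "/subscriptions/sub-placeholder/resourceGroups/rg-demo/providers/Microsoft.Logic/workflows/wf-orders",
     "properties": {"workspaceId": "workspace-id-placeholder",
                    "logs": [{"category": "WorkflowRuntime", "enabled": True}]}},
]
```

Running `evaluate(SAMPLE_RESOURCES)` returns four findings: the `sql-legacy` connection fails AZ-LA-002 twice (no `managedIdentityAuth`, and a `password` literal in `parameterValues`), the `apiKey` workflow parameter fails AZ-LA-002 because it is a plain `string` with a default, and the `workflowManagement` endpoint fails AZ-LA-003 because its only range spans every address. A `securestring` parameter with no default (`sasToken`) passes, and so does the host, which has an identity, a subnet and public access disabled. Findings carry the page's severity, so a CI gate can fail on `Required` and warn on `Recommended`.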