# Governance policies for Logic Apps

Domain: azure-management
| Name | Description |
|---|---|
| Logic App with managed identity and access control | Secure Logic App with managed identity, IP restrictions, and Key Vault-backed parameters |

| Description | Instead |
|---|---|
| Do not hardcode credentials in workflow parameters | Use managed identity for API connections and Key Vault references for secrets |
| Do not expose trigger URLs without access restrictions | Configure allowedCallerIpAddresses to restrict trigger invocation |

| Check | Severity | Description |
|---|---|---|
| AZ-LA-001 | Required | Deploy Logic Apps Standard with managed identity, VNet integration, and disabled public access |
| AZ-LA-002 | Required | Use managed identity for all API connections instead of connection strings |
| AZ-LA-003 | Recommended | Configure IP-based access control for triggers, actions, and management endpoints |
| AZ-LA-004 | Recommended | Enable diagnostic logging for workflow runs and trigger history |
### AZ-LA-001: Deploy Logic Apps Standard with managed identity, VNet integration, and disabled public access

Severity: Required

Rationale: Logic Apps process business workflows that often handle sensitive data; managed identity eliminates connection credentials

Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.Logic/workflows

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-logic-app | Diagnostic settings to route workflow run logs and trigger events to Log Analytics |
| Microsoft.Authorization/roleAssignments | Logic App Contributor | RBAC role assignments for Logic App management |

### AZ-LA-002: Use managed identity for all API connections instead of connection strings

Severity: Required

Rationale: Connection strings are shared secrets; managed identity provides per-connection, auditable access

Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

- Microsoft.Logic/workflows

### AZ-LA-003: Configure IP-based access control for triggers, actions, and management endpoints

Severity: Recommended

Rationale: IP restrictions limit who can invoke workflows and access run history

Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

- Microsoft.Logic/workflows

### AZ-LA-004: Enable diagnostic logging for workflow runs and trigger history

Severity: Recommended

Rationale: Workflow logs provide audit trail and troubleshooting data for business process execution

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.Logic/workflows
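The checks above can be evaluated as policy-as-code against the ARM representation of a `Microsoft.Logic/workflows` resource. The checker below is an added example written for this page, not tooling from the policy project: it reads one workflow resource plus the diagnostic settings attached to it and reports AZ-LA-002 (managed identity on the workflow and on every `$connections` entry, using the `connectionProperties.authentication.type` form of Consumption workflows), AZ-LA-003 (`accessControl.*.allowedCallerIpAddresses` on triggers, actions and the management endpoint, rejecting catch-all ranges), AZ-LA-004 (a diagnostic setting scoped to the workflow that routes enabled `WorkflowRuntime` logs to a sink) and the anti-pattern of credentials hardcoded in workflow parameters. The VNet and public-access parts of AZ-LA-001 live on other resources and are not evaluated here. The resource JSON, the subscription and workspace IDs and the `hardcoded-credentials` check name are constructed for the example; it assumes the resources have already been fetched as JSON.

```python
"""Evaluate a Microsoft.Logic/workflows resource against the Logic App checks on this page.
Added example: the resource documents at the bottom are constructed, not captured from a tenant."""
import ipaddress

SECRET_HINTS = ("secret", "password", "key", "token", "connectionstring")
IP_SECTIONS = ("triggers", "actions", "workflowManagement")   # accessControl sections with IP lists


def _is_restrictive(entries) -> bool:
    """True only if every allowedCallerIpAddresses entry is a valid range that is not a catch-all."""
    if not entries:
        return False
    for entry in entries:
        rng = str(entry.get("addressRange", "")).strip()
        try:
            if "-" in rng:                      # "10.0.0.1-10.0.0.20" start-end form
                lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    return False
            elif ipaddress.ip_network(rng, strict=False).prefixlen == 0:
                return False                    # 0.0.0.0/0 or ::/0 admits every caller
        except ValueError:
            return False
    return True


def _literal_secret(name: str, param: dict) -> bool:
    """A securestring or secret-looking parameter whose value is a literal, not an @expression
    (assumption: Key Vault-backed values always arrive through an expression such as @appsetting)."""
    looks_secret = str(param.get("type", "")).lower() == "securestring" or any(
        hint in name.lower() for hint in SECRET_HINTS)
    if not looks_secret:
        return False
    return any(isinstance(param.get(k), str) and param[k] and not param[k].startswith("@")
               for k in ("value", "defaultValue"))


def check_workflow(workflow: dict, diagnostic_settings: list) -> dict:
    """Return {check_id: (passed, detail)} for one workflow resource."""
    props = workflow.get("properties") or {}
    results = {}

    # AZ-LA-002: the workflow carries a managed identity and every API connection uses it.
    identity = (workflow.get("identity") or {}).get("type") or "None"
    connections = ((props.get("parameters") or {}).get("$connections") or {}).get("value") or {}
    no_msi = sorted(
        name for name, conn in connections.items()
        if ((conn.get("connectionProperties") or {}).get("authentication") or {}).get("type")
        != "ManagedServiceIdentity")
    results["AZ-LA-002"] = (identity != "None" and not no_msi,
                            f"identity={identity}; connections without managed identity: {no_msi}")

    # AZ-LA-003: IP restrictions on triggers, actions and the workflow management endpoint.
    access = props.get("accessControl") or {}
    open_sections = [s for s in IP_SECTIONS
                     if not _is_restrictive((access.get(s) or {}).get("allowedCallerIpAddresses"))]
    results["AZ-LA-003"] = (not open_sections, f"unrestricted endpoints: {open_sections}")

    # AZ-LA-004: a diagnostic setting scoped to this workflow ships enabled WorkflowRuntime logs.
    def _routes_runtime_logs(setting: dict) -> bool:
        p = setting.get("properties") or {}
        has_sink = any(p.get(k) for k in ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId"))
        has_logs = any(log.get("enabled") and log.get("category") == "WorkflowRuntime"
                       for log in p.get("logs") or [])
        return setting.get("scope") == workflow.get("id") and has_sink and has_logs

    shipped = [d.get("name") for d in diagnostic_settings if _routes_runtime_logs(d)]
    results["AZ-LA-004"] = (bool(shipped), f"diagnostic settings routing WorkflowRuntime logs: {shipped}")

    # Anti-pattern from the page: credentials hardcoded in definition or runtime parameters.
    params = list(((props.get("definition") or {}).get("parameters") or {}).items()) \
        + [(n, p) for n, p in (props.get("parameters") or {}).items() if n != "$connections"]
    leaked = sorted({n for n, p in params if _literal_secret(n, p)})
    results["hardcoded-credentials"] = (not leaked, f"parameters with literal secrets: {leaked}")
    return results


def failed_checks(results: dict) -> list:
    """Check IDs that did not pass, sorted for stable reporting."""
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


# Constructed sample resources (placeholder subscription, names and IDs).
WORKFLOW_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
               "/providers/Microsoft.Logic/workflows/wf-orders")
SQL_CONNECTION_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                     "/providers/Microsoft.Web/connections/sql")
_OFFICE = [{"addressRange": "203.0.113.0/24"}]
COMPLIANT = {"id": WORKFLOW_ID, "identity": {"type": "SystemAssigned"}, "properties": {
    "accessControl": {"triggers": {"allowedCallerIpAddresses": _OFFICE},
                      "actions": {"allowedCallerIpAddresses": _OFFICE},
                      "workflowManagement": {"allowedCallerIpAddresses": [
                          {"addressRange": "198.51.100.10-198.51.100.20"}]}},
    "definition": {"parameters": {"apiKey": {"type": "securestring"}}},
    "parameters": {"apiKey": {"value": "@appsetting('ApiKey')"},   # app setting holds a Key Vault reference
                   "$connections": {"value": {"sql": {"connectionId": SQL_CONNECTION_ID,
                                                      "connectionProperties": {"authentication": {
                                                          "type": "ManagedServiceIdentity"}}}}}}}}
WEAK = {"id": WORKFLOW_ID, "identity": {"type": "None"}, "properties": {
    "accessControl": {"triggers": {"allowedCallerIpAddresses": [{"addressRange": "0.0.0.0/0"}]}},
    "definition": {"parameters": {"apiKey": {"type": "securestring", "defaultValue": "constructed-literal"}}},
    "parameters": {"$connections": {"value": {"sql": {"connectionId": SQL_CONNECTION_ID,
                                                      "connectionProperties": {}}}}}}}
DIAG = [{"name": "diag-logic-app", "scope": WORKFLOW_ID, "properties": {
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                   "/providers/Microsoft.OperationalInsights/workspaces/law-demo",
    "logs": [{"category": "WorkflowRuntime", "enabled": True}]}}]

if __name__ == "__main__":
    for label, wf, diag in (("compliant", COMPLIANT, DIAG), ("weak", WEAK, [])):
        print(label, "failed:", failed_checks(check_workflow(wf, diag)))
```

The compliant sample passes every check; the weak one fails AZ-LA-002 (no identity, connection without managed identity), AZ-LA-003 (a 0.0.0.0/0 trigger range and no lists on the other endpoints), AZ-LA-004 (no diagnostic setting) and the hardcoded-credentials check (a literal `defaultValue` on a `securestring`). Catch-all ranges are treated as no restriction on purpose, since a template that sets `allowedCallerIpAddresses` to `0.0.0.0/0` would otherwise look compliant to a presence-only check.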