Slider 1 mini Slider 2 mini

Friday, 10 July 2026

Filled under:

 https://chatgpt.com/share/6a5104dd-756c-83ec-a355-4906a9cbcdb2

Posted By Nikhil07:43

Thursday, 9 July 2026

Filled under:

 

Below are copy-ready GitLab issue titles and user stories.

1. Change DENY-COS-DBPublicEP assignment to Deny

As a developer,
I want to change the DENY-COS-DBPublicEP policy assignments from Audit to Deny in BA and BARZ,
so that Cosmos DB resources using public endpoints are actively restricted instead of only being reported.


2. Change Deny-COS-DB-ServerlesPrd assignment to Deny

As a developer,
I want to change the Deny-COS-DB-ServerlesPrd policy assignments from Audit to Deny in BA and BARZ,
so that non-compliant serverless Cosmos DB deployments are prevented.


3. Change Cosmos DB naming-policy assignments to Deny

As a developer,
I want to change the Deny-COS-vCoreName and Deny-COS-Name policy assignments from Audit to Deny in BA and BARZ,
so that Cosmos DB resources that do not follow the approved naming standards are blocked.


4. Assign Deny-COS-wo-ZoneRedundant in Audit mode

As a developer,
I want to assign the Deny-COS-wo-ZoneRedundant policy in Audit mode in BARZ,
so that non-zone-redundant Cosmos DB deployments can be identified before enforcement is enabled.


5. Review Cosmos DB backup policies with Murali

As a developer,
I want to confirm the required behavior and rollout scope for Deny-COS-BackupConfig, Modify-COSContBackup, and Modify-COSPeriodicBackup with Murali,
so that the backup policies can be implemented with the correct effects and assignments.


6. Validate and enforce Deny-COS-vCore-create-WOEID

As a developer,
I want to validate the requirement with Murali and change the Deny-COS-vCore-create-WOEID assignments from Audit to Deny in BA and BARZ,
so that non-compliant Cosmos DB vCore creation is prevented after approval.


7. Convert MongoDB vCore HA policy from JSON to Bicep

As a developer,
I want to convert policydefinition_DENY-COS-MongoVCoreDBHA.json to Bicep, rename the policy to DENY-COS-vCoreDBHA-LE, and deploy it in Audit mode in BA and BARZ,
so that the lower-environment HA policy is managed through the standard infrastructure-as-code approach before enforcement.

Follow-up issue for the next iteration

Title: Change DENY-COS-vCoreDBHA-LE assignment to Deny

As a developer,
I want to change the DENY-COS-vCoreDBHA-LE policy assignments from Audit to Deny for lower environments,
so that non-compliant MongoDB vCore HA configurations are actively blocked after audit validation.


8. Enforce MongoDB vCore SKU policy in lower environments

As a developer,
I want to change the deny-cos-vcore-sku-LE policy assignments from Audit to Deny in BA and BARZ for DEV, TEST, and UAT,
so that unsupported MongoDB vCore SKUs cannot be deployed in lower environments.


9. Enforce AMR HA policy in lower environments

As a developer,
I want to change the Deny-AMR-HA-LE policy assignments from Audit to Deny in BA and BARZ for DEV, TEST, and UAT,
so that non-compliant Azure Managed Redis HA configurations are blocked in lower environments.


10. Enforce AMR SKU restriction policy in lower environments

As a developer,
I want to change the Deny-AMR-SKU-Restrict-LE policy assignments from Audit to Deny in BA and BARZ for DEV, TEST, and UAT,
so that only approved Azure Managed Redis SKUs can be deployed in lower environments.


11. Change Deny-AMR-Auto-Update assignment to Deny

As a developer,
I want to change the Deny-AMR-Auto-Update policy assignments from Audit to Deny in BA and BARZ,
so that Azure Managed Redis resources cannot be configured with a non-compliant automatic-update setup.

Please verify the exact policy spellings—particularly ServerlesPrd and WOEID—as I retained them from the engineer’s notes.

Posted By Nikhil23:49
Filled under:

 Policy Governance and Cost Optimization across AMR, Redis, Cosmos DB and DocumentDB: Introduced audit-mode policies to identify HA-enabled instances in dev/test environments and implemented SKU restriction policies for Cosmos DB and Redis in lower environments. These changes provide visibility into unnecessary HA usage, reduce cost exposure from non-standard SKU provisioning, and strengthen governance by ensuring lower environments follow approved configuration standards. Additional AM18 compliance-related policies were also implemented for zone redundancy and private endpoints.

Then the remaining points become:

Azure Cosmos DB Pipeline and Key Vault Migration Enhancements: Enhanced Cosmos DB pipelines to dynamically select agent pools based on the requested region and added pipeline support for Key Vault migration activities. These changes improve pipeline stability, reduce dependency on hardcoded infrastructure, and enable controlled migration of keys from the infra-global subscription to application-owned subscriptions.

MongoDB vCore TPAC Access Enablement: Updated the TPAI pipeline to enable TPAC access for MongoDB vCore Red Zone, ensuring that only authorized TPAC users can execute the pipeline and provide access in a controlled, compliant, and auditable manner.

Posted By Nikhil04:53

Wednesday, 8 July 2026

Filled under:

 Azure Cosmos DB: Application-owned Key Vault enablement for CMK

Application teams can now use their own Key Vault for data-at-rest encryption key management instead of relying on the shared CMK Key Vault flow. This improves ownership, governance, and alignment with a controlled application-owned encryption model.

Posted By Nikhil23:38
Filled under:

 Azure Cosmos DB NoSQL: MIM group enablement for access continuity

Checks are being performed to ensure the required MIM group is available for Cosmos NoSQL APIs. This helps ensure user accounts remain functional and access management continues to work as expected.

Posted By Nikhil23:38
Filled under:

 MongoDB vCore / Cosmos RU to vCore: Cross-tenant migration enablement

The required changes have been released to support cross-tenant migration from RU-based accounts to vCore without enabling public endpoints. This helps ensure the migration approach remains secure, controlled, and aligned with internal connectivity standards.

Posted By Nikhil23:37

Tuesday, 7 July 2026

Filled under:

 

Title:
Cosmos DB | Update Add Account Pipeline to Configure 7-Day Continuous Backup in Lower Environments

Story:
As a developer,
I want to update the Cosmos DB add account pipeline to configure continuous backup with 7-day retention for lower environments,
so that new Cosmos DB accounts remain compliant with the backup policy before it is moved from Audit mode to Deny mode.

Description:
A backup-related policy has recently been implemented in Audit mode for Cosmos DB. Before this policy is moved to Deny mode, the add Cosmos account pipeline needs to be updated to ensure that Cosmos DB accounts created in lower environments are configured with continuous backup using 7-day retention.

This change will help avoid future policy non-compliance and prevent account creation failures once the policy enforcement is changed to Deny.

Scope:

  • Review the current add Cosmos account pipeline.
  • Identify where backup configuration is handled during account creation.
  • Update the pipeline to configure continuous backup with 7-day retention for lower environments.
  • Validate the change in applicable lower environments.
  • Capture test evidence and update issue comments.

Acceptance Criteria:

  • Add Cosmos account pipeline is updated with 7-day continuous backup configuration for lower environments.
  • Backup policy compliance is validated after pipeline change.
  • Testing evidence is added to the issue.
  • Any dependency or blocker is documented.
  • Change is ready before policy moves from Audit to Deny mode.

Impacted Product:
Azure Cosmos DB

Impacted Environments:
Dev, Test, UAT / lower environments

Dependency:
Pipeline / Control Plane / Policy implementation, as applicable.

Posted By Nikhil07:43