Thursday, 9 July 2026

Filled under:

 

Below are copy-ready GitLab issue titles and user stories.

1. Change DENY-COS-DBPublicEP assignment to Deny

As a developer,
I want to change the DENY-COS-DBPublicEP policy assignments from Audit to Deny in BA and BARZ,
so that Cosmos DB resources using public endpoints are actively restricted instead of only being reported.


2. Change Deny-COS-DB-ServerlesPrd assignment to Deny

As a developer,
I want to change the Deny-COS-DB-ServerlesPrd policy assignments from Audit to Deny in BA and BARZ,
so that non-compliant serverless Cosmos DB deployments are prevented.


3. Change Cosmos DB naming-policy assignments to Deny

As a developer,
I want to change the Deny-COS-vCoreName and Deny-COS-Name policy assignments from Audit to Deny in BA and BARZ,
so that Cosmos DB resources that do not follow the approved naming standards are blocked.


4. Assign Deny-COS-wo-ZoneRedundant in Audit mode

As a developer,
I want to assign the Deny-COS-wo-ZoneRedundant policy in Audit mode in BARZ,
so that non-zone-redundant Cosmos DB deployments can be identified before enforcement is enabled.


5. Review Cosmos DB backup policies with Murali

As a developer,
I want to confirm the required behavior and rollout scope for Deny-COS-BackupConfig, Modify-COSContBackup, and Modify-COSPeriodicBackup with Murali,
so that the backup policies can be implemented with the correct effects and assignments.


6. Validate and enforce Deny-COS-vCore-create-WOEID

As a developer,
I want to validate the requirement with Murali and change the Deny-COS-vCore-create-WOEID assignments from Audit to Deny in BA and BARZ,
so that non-compliant Cosmos DB vCore creation is prevented after approval.


7. Convert MongoDB vCore HA policy from JSON to Bicep

As a developer,
I want to convert policydefinition_DENY-COS-MongoVCoreDBHA.json to Bicep, rename the policy to DENY-COS-vCoreDBHA-LE, and deploy it in Audit mode in BA and BARZ,
so that the lower-environment HA policy is managed through the standard infrastructure-as-code approach before enforcement.

Follow-up issue for the next iteration

Title: Change DENY-COS-vCoreDBHA-LE assignment to Deny

As a developer,
I want to change the DENY-COS-vCoreDBHA-LE policy assignments from Audit to Deny for lower environments,
so that non-compliant MongoDB vCore HA configurations are actively blocked after audit validation.


8. Enforce MongoDB vCore SKU policy in lower environments

As a developer,
I want to change the deny-cos-vcore-sku-LE policy assignments from Audit to Deny in BA and BARZ for DEV, TEST, and UAT,
so that unsupported MongoDB vCore SKUs cannot be deployed in lower environments.


9. Enforce AMR HA policy in lower environments

As a developer,
I want to change the Deny-AMR-HA-LE policy assignments from Audit to Deny in BA and BARZ for DEV, TEST, and UAT,
so that non-compliant Azure Managed Redis HA configurations are blocked in lower environments.


10. Enforce AMR SKU restriction policy in lower environments

As a developer,
I want to change the Deny-AMR-SKU-Restrict-LE policy assignments from Audit to Deny in BA and BARZ for DEV, TEST, and UAT,
so that only approved Azure Managed Redis SKUs can be deployed in lower environments.


11. Change Deny-AMR-Auto-Update assignment to Deny

As a developer,
I want to change the Deny-AMR-Auto-Update policy assignments from Audit to Deny in BA and BARZ,
so that Azure Managed Redis resources cannot be configured with a non-compliant automatic-update setup.

Please verify the exact policy spellings—particularly ServerlesPrd and WOEID—as I retained them from the engineer’s notes.

0 comments:

Post a Comment