Configure Function
The Agent Function must be configured with the parameters recorded in the steps above.
To configure the Function:
Open the Function App service from the Azure console. Select the Function App created for the policy agent in the previous steps.
Navigate to Settings > Environment variables.
On the App Settings pane, click Show values to reveal all configuration values.
To modify multiple parameters, click the pencil icon (Advanced edit) at the top. Alternatively, click an environment variable name to edit a single value.
Modify the parameters according to the table below. If a configuration has a default value, you do not have to change it.
| Parameter | Notes |
|---|---|
| AZURE_KEY_VAULT_NAME | |
| AZURE_POLICY_BLOB_URL | URL of the Azure Blob file used to store Protegrity security policies for protector consumption. See ProtectFuncPolicyBlobUrl in Protect Function Policy Blob. |
| AZURE_RETAIN_POLICY_BLOB | Number of policy backups to retain. Default: 10. Allowed values: -1, >1. A value of -1 disables cleanup of backup policies. |
| PROTEGRITY_PROTECT_FUNCTION | Protegrity protect function to update when a new policy is deployed. Provide a comma-separated list of protect function app names to update multiple protectors. |
| PTY_ESA_IP | |
| AZURE_ESA_CREDENTIALS_SECRET_ID | |
| AZURE_ENCRYPTION_KEY_ID | |
| PEP_CONFIG_CASE_SENSITIVE | Specifies whether policy usernames are case sensitive. Default: no. Allowed values: yes, no. |
| PTY_ADDIPADDRESSHEADER | When enabled, the agent sends its source IP address in the request header. This works in conjunction with the ESA hubcontroller setting ASSIGN_DATASTORE_USING_NODE_IP (default: false). See Associating ESA Data Store With Cloud Protect Agent for more information. Default: yes. Allowed values: yes, no. |
| PEP_CONFIG_EMPTY_STRING | Determines the outcome of an operation on an empty value. Default: empty. Allowed values: null, empty. For example, with null: `(un)protect('') -> null`; with empty: `(un)protect('') -> ''` (empty string). |
| DISABLE_DEPLOY | Default: 0 |
| POLICY_PULL_TIMEOUT | Default: 20s |
| ESA_CONNECTION_TIMEOUT | Default: 5s |
| LOG_LEVEL | Default: INFO. Allowed values: DEBUG, INFO, WARNING, ERROR |
| AZURE_SUBSCRIPTION_ID | Default: same as the ARM resource group |
| AZURE_RESOURCE_GROUP_NAME | Default: same as the ARM resource group |
| POLICY_DOWNLOAD_CRON_EXPRESSION | Describes how often the Agent Function runs. Default: `0 0 * * * *` (every hour) |
| PTY_ESA_CA_SERVER_CERT | ESA self-signed CA certificate used by the policy Agent function to verify that ESA is the trusted server. Recorded in step Certificates on ESA. If ESA is configured with publicly signed certificates, the PTY_ESA_CA_SERVER_CERT configuration is ignored. |
| PTY_ESA_CREDENTIALS_FUNCTION | Instead of supplying the AZURE_ESA_CREDENTIALS_SECRET_ID environment variable, ESA credentials can be provided by a custom Azure Function App. Provide the value recorded for EsaCredentialsFnUrl. |
| PTY_ESA_CREDENTIALS_FUNCTION_KEY | When ESA credentials are provided by a custom Azure Function App, the Policy Agent can request credentials using the function app key. Provide the value recorded for EsaCredentialsFnKey. |
| PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET | When ESA credentials are provided by a custom Azure Function App, the Policy Agent can request credentials using a function app key stored in Azure Key Vault. Provide the value recorded for EsaCredentialsFnKeySecretName. |
| PTY_ESA_CREDENTIALS_FUNCTION_SCOPE | When ESA credentials are provided by a custom Azure Function App, the Policy Agent can request credentials using its own identity. Provide the value recorded for EsaCredentialsFnAppIdUri with /.default appended to form the authentication scope. See Microsoft identity platform default scope. |
| PTY_SYNC_DATASTORE | Note: this configuration is not applicable for ESA versions lower than 10.2. |
| PTY_DATASTORE_KEY | Note: this configuration is not applicable for ESA versions lower than 10.2. The export key is the public part of an asymmetric key pair created in step Create Policy Encryption Key. A user with Security Officer permissions adds the public key to the data store in ESA via Policy Management > Data Stores > Export Keys. The fingerprint can then be copied using the Copy Fingerprint icon next to the key. Refer to Exporting Keys to Datastore for details. Note: for PPC deployments, see PPC Appendix: Policy Agent Certificate and Key Guidance for details on obtaining and using the datastore key fingerprint. |
Click Apply at the bottom of the screen and then Confirm to save the changes.
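The portal steps above set the variables by hand. The following POSIX shell script is an added example, not part of the Protegrity documentation: it checks a set of KEY=VALUE pairs against the constraints stated in the table (allowed values, the -1/>1 rule for AZURE_RETAIN_POLICY_BLOB, the six-field cron expression) before pushing them with the Azure CLI. The Function App and resource group names are placeholders, and the `az functionapp config appsettings set` command is only executed when `APPLY=1` is set; otherwise the command is printed so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the Protegrity docs): validate Policy Agent settings
# against the documented constraints, then apply them with the Azure CLI.

# Return 0 when $1 is one of the remaining arguments.
in_list() {
  needle=$1; shift
  for item in "$@"; do
    [ "$needle" = "$item" ] && return 0
  done
  return 1
}

# Validate one setting (key in $1, value in $2). Return 0 if acceptable,
# 1 otherwise, with the reason printed to stderr. Keys without a documented
# constraint are accepted as-is.
validate_setting() {
  key=$1
  value=$2
  case "$key" in
    AZURE_RETAIN_POLICY_BLOB)
      # Allowed: -1 (disables backup cleanup) or an integer greater than 1.
      case "$value" in
        -1) return 0 ;;
        ''|*[!0-9]*) echo "$key: must be -1 or an integer > 1" >&2; return 1 ;;
        *) [ "$value" -gt 1 ] && return 0
           echo "$key: must be -1 or an integer > 1" >&2; return 1 ;;
      esac ;;
    LOG_LEVEL)
      in_list "$value" DEBUG INFO WARNING ERROR && return 0
      echo "$key: allowed values DEBUG, INFO, WARNING, ERROR" >&2; return 1 ;;
    PEP_CONFIG_CASE_SENSITIVE|PTY_ADDIPADDRESSHEADER)
      in_list "$value" yes no && return 0
      echo "$key: allowed values yes, no" >&2; return 1 ;;
    PEP_CONFIG_EMPTY_STRING)
      in_list "$value" null empty && return 0
      echo "$key: allowed values null, empty" >&2; return 1 ;;
    POLICY_DOWNLOAD_CRON_EXPRESSION)
      # Azure Functions timer triggers use six-field NCRONTAB expressions
      # (second minute hour day month day-of-week), e.g. "0 0 * * * *".
      # awk counts fields without letting the shell glob-expand the asterisks.
      fields=$(printf '%s\n' "$value" | awk '{print NF}')
      [ "$fields" -eq 6 ] && return 0
      echo "$key: expected a six-field cron expression" >&2; return 1 ;;
    AZURE_POLICY_BLOB_URL)
      case "$value" in
        https://*) return 0 ;;
        *) echo "$key: must be an https:// blob URL" >&2; return 1 ;;
      esac ;;
    *) return 0 ;;
  esac
}

# Validate every KEY=VALUE argument after the app name ($1) and resource
# group ($2); on success push them, or print the command when APPLY is unset.
apply_agent_settings() {
  app=$1; group=$2; shift 2
  for pair in "$@"; do
    validate_setting "${pair%%=*}" "${pair#*=}" || return 1
  done
  if [ "${APPLY:-0}" = "1" ]; then
    az functionapp config appsettings set \
      --name "$app" --resource-group "$group" --settings "$@"
  else
    echo "az functionapp config appsettings set --name $app --resource-group $group --settings $*"
  fi
}

# Example invocation with placeholder names (constructed for this example).
apply_agent_settings policy-agent-func-PLACEHOLDER rg-PLACEHOLDER \
  AZURE_RETAIN_POLICY_BLOB=10 LOG_LEVEL=INFO PEP_CONFIG_CASE_SENSITIVE=no \
  "POLICY_DOWNLOAD_CRON_EXPRESSION=0 0 * * * *"
```

Because validation runs before anything is sent, a typo such as `LOG_LEVEL=TRACE` or a five-field cron expression is rejected locally instead of being stored on the Function App and silently falling back to a default at runtime.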
Note
The following environment variables are listed for completeness; however, they are maintained by Protegrity ARM templates and users are not expected to update them manually.

| Parameter | Notes |
|---|---|
| AZURE_CLIENT_ID | Sets the Managed Identity Client ID for the Function App runtime. The System-Assigned Identity is used when the variable is not set. |
| APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Defines the identity for Application Insights access. The Managed Identity Client ID is provided to this setting through the Function App Managed Identity ARM template parameter. See the corresponding Azure AD Authentication documentation: Azure AD authentication |
| APPLICATIONINSIGHTS_CONNECTION_STRING | Connection string for the Application Insights instance. See the corresponding Azure Connection String documentation: Connection strings |
| FUNCTIONS_EXTENSION_VERSION | Azure Functions extension version |
| FUNCTIONS_WORKER_RUNTIME | Runtime of the function |
| WEBSITE_RUN_FROM_PACKAGE | URL to the zip file in blob storage with the function runtime source |
| WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID | Managed Identity used to load the function runtime source |
| AzureWebJobsStorage__blobServiceUri | URL of the storage account which hosts the blob identified in WEBSITE_RUN_FROM_PACKAGE |