Risk Level: Medium
Cloud Entity: Spring Cloud
CloudGuard Rule ID: D9.AZU.IAM.33
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

SpringCloud should have apps contain-all [ identity.type='SystemAssigned' ]

REMEDIATION

From Portal

Go to 'Azure Spring Cloud' and choose your Spring Cloud resource
Under 'Settings', select 'Apps' on the navigation menu
For each Spring Cloud app:
Under 'Settings', select 'Identity' on the navigation menu
Under the 'System assigned' tab, set 'Status' to 'On'
Save

From TF
Set the identity 'type' argument to 'SystemAssigned':

resource "azurerm_spring_cloud_app" "example" {
	..
	identity {
		type = "SystemAssigned"
	}
	..
}

From Command Line
To enable system-assigned managed identity on an existing app, run:

az spring-cloud app identity assign --name APP-NAME --resource-group RESOURCE-GROUP --service SPRING-CLOUD-SERVICE

References

Spring Cloud

Azure Spring Cloud makes it easy to deploy Spring Boot applications to Azure without any code changes.

Compliance Frameworks

Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset