Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Create and deploy a custom policy
SCOPE=/subscriptions/$SUBSCRIPTION_ID
az policy assignment create --name "Require https for storage in subscription" --scope $SCOPE \
--policy "denyStorageAccountNotUsingHttps" \
--params '{ "effectType" : { "value": "Deny" } }'
SUBSCRIPTION_ID=c2b15f36-f522-451c-84e3-a4fc54056617
az policy definition create --name "denyStorageAccountNotUsingHttps" \
--display-name "Deny storage accounts not using only HTTPS" \
--description "Deny storage accounts that are not using only HTTPS. Checks the supportsHttpsTrafficOnly property on Microsoft.Storage/storageAccounts provider." \
--rules $RULES_FILE_URL \
--params $PARAMETERS_FILE_URL \
--subscription $SUBSCRIPTION_ID
mkdir requirehttps && cd requirehttps
cat <<EOF > requirehttps.azurepolicy.json
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"notEquals": "true"
}
]
},
"then": {
"effect": "[parameters('effectType')]"
}
}
EOF
RULES_FILE_URL="./requirehttps.azurepolicy.json"
cat <<EOF > requirehttps.azurepolicy.parameters.json
{
"effectType": {
"type": "string",
"defaultValue": "Deny",
"allowedValues": [
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
}
EOF
PARAMETERS_FILE_URL="./requirehttps.azurepolicy.parameters.json"
RESOURCE_GROUP_NAME="rg-wus2-storagepolicy"
LOCATION="west us 2"
RANDOM=$$
STORAGE_ACCOUNT_NAME=ststoragepolicy$RANDOM
STORAGE_CONTAINER_NAME=thefolder
COST_CENTER=demo
ENVIRONMENT="testing it"
# create resource group
az group create \
--name $RESOURCE_GROUP_NAME \
--location "$LOCATION"
az group update -n $RESOURCE_GROUP_NAME \
--set tags.'Cost Center'="$COST_CENTER" tags.'Environment'="$ENVIRONMENT"
# get your sign in name and assign yourself 'Storage Blob Data Contributor'
# permissions to the resource group. The storage account will inherit your role
USER==$(az ad signed-in-user show --query userPrincipalName -o tsv)
az role assignment create --role "Storage Blob Data Contributor" \
--assignee $USER --resource-group $RESOURCE_GROUP_NAME
# it takes a couple minutes for the role to propogate once it is created
sleep 2m
az storage account create \
--name $STORAGE_ACCOUNT_NAME \
--resource-group $RESOURCE_GROUP_NAME \
--location "$LOCATION" \
--sku Standard_LRS \
--encryption-services blob \
--https-only false \
--tags Cost Center=$COST_CENTER Environment=$ENVIRONMENT
az storage container create \
--account-name $STORAGE_ACCOUNT_NAME \
--name $STORAGE_CONTAINER_NAME \
--auth-mode login
# create a helloworld.html page for storage
cat <<EOF > helloworld.html
<!DOCTYPE html>
<html>
<head>
<title>Hello World Page</title>
</head>
<body>
Hello World!
</body>
</html>
EOF
# upload the file
az storage blob upload \
--account-name $STORAGE_ACCOUNT_NAME \
--container-name $STORAGE_CONTAINER_NAME \
--name helloworld.html \
--file helloworld.html \
--auth-mode login
az storage blob list \
--account-name $STORAGE_ACCOUNT_NAME \
--container-name $STORAGE_CONTAINER_NAME \
--output table \
--auth-mode login
RESOURCE_GROUP_NAME="rg-wus2-storagepolicy"
LOCATION="west us 2"
RANDOM=$$
STORAGE_ACCOUNT_NAME=ststoragepolicy$RANDOM
STORAGE_CONTAINER_NAME=thefolder
COST_CENTER=demo
ENVIRONMENT="testing it"
az storage account create \
--name $STORAGE_ACCOUNT_NAME \
--resource-group $RESOURCE_GROUP_NAME \
--location "$LOCATION" \
--sku Standard_LRS \
--encryption-services blob \
--https-only false \
--tags Cost Center=$COST_CENTER Environment=$ENVIRONMENT
{
"properties": {
"displayName": "Deny storage accounts not using only HTTPS",
"description": "Deny storage accounts not using only HTTPS. Checks the supportsHttpsTrafficOnly property on StorageAccounts.",
"mode": "all",
"parameters": {
"effectType": {
"type": "string",
"defaultValue": "Deny",
"allowedValues": [
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"notEquals": "true"
}
]
},
"then": {
"effect": "[parameters('effectType')]"
}
}
}
}
az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"
az provider list --query "[].{Provider:namespace, Status:registrationState}" --out table
az extension add --name resource-graph
az graph query -q "Resources | where type=~'microsoft.storage/storageaccounts' | limit 1 | project aliases"
Get-AzPolicyState -Filter "ResourceType eq '/Microsoft.Storage/storageAccounts'"
az policy definition show --name denyStorageAccountNotUsingHttps
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment