Create and deploy a custom policy
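# Assign the custom policy at subscription scope.
# Requires SUBSCRIPTION_ID to be set (it is exported elsewhere in this gist)
# and the definition "denyStorageAccountNotUsingHttps" to exist already.
# The guard makes the missing-variable case fail loudly instead of building
# the scope "/subscriptions/" and letting az fail with a confusing error.
: "${SUBSCRIPTION_ID:?SUBSCRIPTION_ID must be set before assigning the policy}"
SCOPE="/subscriptions/${SUBSCRIPTION_ID}"
# effectType=Deny: non-compliant storage accounts are rejected on create/update,
# not merely reported as non-compliant.
az policy assignment create \
  --name "Require https for storage in subscription" \
  --scope "$SCOPE" \
  --policy "denyStorageAccountNotUsingHttps" \
  --params '{ "effectType" : { "value": "Deny" } }'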
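# Create the custom policy definition in the subscription.
# RULES_FILE_URL and PARAMETERS_FILE_URL point at the JSON files written by the
# requirehttps script in this gist; fail early if they were not set, since az
# would otherwise receive an empty argument.
SUBSCRIPTION_ID=c2b15f36-f522-451c-84e3-a4fc54056617
: "${RULES_FILE_URL:?RULES_FILE_URL must point at the policy rule JSON}"
: "${PARAMETERS_FILE_URL:?PARAMETERS_FILE_URL must point at the parameters JSON}"
az policy definition create --name "denyStorageAccountNotUsingHttps" \
  --display-name "Deny storage accounts not using only HTTPS" \
  --description "Deny storage accounts that are not using only HTTPS. Checks the supportsHttpsTrafficOnly property on Microsoft.Storage/storageAccounts provider." \
  --rules "$RULES_FILE_URL" \
  --params "$PARAMETERS_FILE_URL" \
  --subscription "$SUBSCRIPTION_ID"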
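# Write the policy rule and parameter files into ./requirehttps and export
# their paths for the definition script.
# mkdir -p keeps a re-run from failing on an existing directory, and the
# trailing `|| exit 1` stops the script if cd fails; the original
# `mkdir && cd` silently wrote the files into the current directory instead.
mkdir -p requirehttps && cd requirehttps || exit 1

# Quoted delimiter: the JSON is written verbatim, with no shell expansion.
# Rule: deny any Microsoft.Storage/storageAccounts whose
# supportsHttpsTrafficOnly is not true; the effect comes from the
# effectType parameter.
cat <<'EOF' > requirehttps.azurepolicy.json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
        "notEquals": "true"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effectType')]"
  }
}
EOF
RULES_FILE_URL="./requirehttps.azurepolicy.json"

# effectType defaults to Deny; Disabled switches the policy off without
# removing the assignment.
cat <<'EOF' > requirehttps.azurepolicy.parameters.json
{
  "effectType": {
    "type": "string",
    "defaultValue": "Deny",
    "allowedValues": [
      "Deny",
      "Disabled"
    ],
    "metadata": {
      "displayName": "Effect",
      "description": "Enable or disable the execution of the policy"
    }
  }
}
EOF
PARAMETERS_FILE_URL="./requirehttps.azurepolicy.parameters.json"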
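# Demo environment: a resource group, a role assignment for the signed-in user,
# and a deliberately HTTP-allowed storage account that the deny policy should
# reject once its assignment is in effect.
RESOURCE_GROUP_NAME="rg-wus2-storagepolicy"
LOCATION="west us 2"
# Assigning RANDOM seeds bash's generator with the PID, so $RANDOM below gives
# a per-run suffix (storage account names must be globally unique).
RANDOM=$$
STORAGE_ACCOUNT_NAME="ststoragepolicy$RANDOM"
STORAGE_CONTAINER_NAME=thefolder
COST_CENTER=demo
ENVIRONMENT="testing it"

# create resource group
az group create \
  --name "$RESOURCE_GROUP_NAME" \
  --location "$LOCATION"
az group update -n "$RESOURCE_GROUP_NAME" \
  --set tags.'Cost Center'="$COST_CENTER" tags.'Environment'="$ENVIRONMENT"

# get your sign-in name and assign yourself 'Storage Blob Data Contributor'
# on the resource group; the storage account will inherit the role.
# The original line was `USER==$(...)`, which stored a literal leading '=' in
# the name; a dedicated variable also avoids clobbering the shell's $USER.
SIGNED_IN_UPN=$(az ad signed-in-user show --query userPrincipalName -o tsv) || exit 1
az role assignment create --role "Storage Blob Data Contributor" \
  --assignee "$SIGNED_IN_UPN" --resource-group "$RESOURCE_GROUP_NAME"
# it takes a couple of minutes for the role to propagate once it is created
sleep 2m

# --https-only false is intentional: this account is the non-compliant test
# case for the denyStorageAccountNotUsingHttps assignment.
# Tags are quoted as whole key=value words; unquoted, "Cost Center=demo" and
# "Environment=testing it" split into four separate tags.
az storage account create \
  --name "$STORAGE_ACCOUNT_NAME" \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --location "$LOCATION" \
  --sku Standard_LRS \
  --encryption-services blob \
  --https-only false \
  --tags "Cost Center=$COST_CENTER" "Environment=$ENVIRONMENT"
# --auth-mode login uses the signed-in identity (the role above) rather than
# the account keys.
az storage container create \
  --account-name "$STORAGE_ACCOUNT_NAME" \
  --name "$STORAGE_CONTAINER_NAME" \
  --auth-mode login

# create a helloworld.html page for storage (quoted delimiter: written verbatim)
cat <<'EOF' > helloworld.html
<!DOCTYPE html>
<html>
<head>
<title>Hello World Page</title>
</head>
<body>
Hello World!
</body>
</html>
EOF

# upload the file
az storage blob upload \
  --account-name "$STORAGE_ACCOUNT_NAME" \
  --container-name "$STORAGE_CONTAINER_NAME" \
  --name helloworld.html \
  --file helloworld.html \
  --auth-mode login
az storage blob list \
  --account-name "$STORAGE_ACCOUNT_NAME" \
  --container-name "$STORAGE_CONTAINER_NAME" \
  --output table \
  --auth-mode login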
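# Stand-alone variant: create only the HTTP-allowed storage account
# (resource group is assumed to exist). --https-only false is intentional;
# with the deny assignment in effect this create is expected to be rejected.
RESOURCE_GROUP_NAME="rg-wus2-storagepolicy"
LOCATION="west us 2"
# Seed bash's generator with the PID so $RANDOM gives a per-run name suffix.
RANDOM=$$
STORAGE_ACCOUNT_NAME="ststoragepolicy$RANDOM"
STORAGE_CONTAINER_NAME=thefolder
COST_CENTER=demo
ENVIRONMENT="testing it"
# Tags are quoted as whole key=value words; unquoted, "Cost Center=demo" and
# "Environment=testing it" split into four separate tags.
az storage account create \
  --name "$STORAGE_ACCOUNT_NAME" \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --location "$LOCATION" \
  --sku Standard_LRS \
  --encryption-services blob \
  --https-only false \
  --tags "Cost Center=$COST_CENTER" "Environment=$ENVIRONMENT"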
{
"properties": {
"displayName": "Deny storage accounts not using only HTTPS",
"description": "Deny storage accounts not using only HTTPS. Checks the supportsHttpsTrafficOnly property on StorageAccounts.",
"mode": "all",
"parameters": {
"effectType": {
"type": "string",
"defaultValue": "Deny",
"allowedValues": [
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"notEquals": "true"
}
]
},
"then": {
"effect": "[parameters('effectType')]"
}
}
}
}
# Ad-hoc lookups used while writing the policy.
# List the aliases the Storage provider exposes (the rule above uses
# Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly).
az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"
# Check which providers are registered in the subscription.
az provider list --query "[].{Provider:namespace, Status:registrationState}" --out table
# Resource Graph lets you see the aliases on an existing account.
az extension add --name resource-graph
az graph query -q "Resources | where type=~'microsoft.storage/storageaccounts' | limit 1 | project aliases"
# NOTE: Get-AzPolicyState is an Az PowerShell cmdlet, not a bash command;
# run this line from a PowerShell session with the Az module loaded.
Get-AzPolicyState -Filter "ResourceType eq '/Microsoft.Storage/storageAccounts'"
# Confirm the definition exists after creating it.
az policy definition show --name denyStorageAccountNotUsingHttps