Azure Remediation Policy to restrict storage accounts without Vnet and subnet

Ralphael Johnson 1 Reputation point
2021-02-05T20:28:03.017+00:00

What I would like to happen is take storage accounts like this:
[image: 64650-untitled.png]

To become a storage account that looks like this:
[image: 64637-image.png]

When I run this code to remediate Azure Storage I get the below error. I am new to Azure Policy and any help would be appreciated.

```json
{
  "properties": {
    "displayName": "storage3",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Storage/storageAccounts",
          "name": "[field('name')]",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "equals": "Deny"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "sku": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "kind": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('name')]",
                    "type": "Microsoft.Storage/storageAccounts",
                    "apiVersion": "2019-06-01",
                    "location": "[parameters('location')]",
                    "properties": {
                      "networkAcls": {
                        "bypass": "AzureServices",
                        "virtualNetworkRules": [
                          {
                            "id": "",
                            "action": "Allow"
                          }
                        ],
                        "ipRules": [],
                        "defaultAction": "Deny"
                      }
                    },
                    "dependsOn": [],
                    "sku": {
                      "name": "[parameters('sku')]"
                    },
                    "kind": "[parameters('kind')]"
                  }
                ]
              },
              "parameters": {
                "name": {
                  "value": "[field('name')]"
                },
                "sku": {
                  "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "kind": {
                  "value": "[field('kind')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
```

ERROR
Deployment creation for policy definition '/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/policyDefinitions/35df2d75-9090-45d4-8620-eca3e33bd5ac/' and assignment '/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/policyAssignments/1ea05f4943d848dea7864f26/' was unsuccessful.

Details
Code InvalidTemplateDeployment
Message The template deployment 'PolicyDeployment_1961206787044174973' is not valid according to the validation procedure. The tracking id is '24b01fc6-b536-4422-b4bd-fdcc2fc14d87'. See inner errors for details.
Code PreflightValidationCheckFailed
Message Preflight validation failed. Please refer to the details for the specific errors.
Code InvalidValuesForRequestParameters
Message Values for request parameters are invalid: networkAcls.virtualNetworkRules[*].id. For more information, see - https://aka.ms/storagenetworkruleset

1 answer

  1. Ralphael Johnson 1 Reputation point
    2021-02-11T18:36:20.647+00:00

    So I made some progress, but what is happening now is the insecure storage accounts I am trying to remediate are being marked as compliant by the remediation policy, but it's not changing anything, just saying it's secure. So I am thinking something could be backwards, not quite sure yet. Below is my updated code:

        {
          "properties": {
            "displayName": "2nd Attempt At STG Remediation",
            "policyType": "Custom",
            "mode": "All",
            "metadata": {
              "category": "Storage",
              "createdBy": "0ab1a11f-97b1-4515-937b-0714f36c5bfe",
              "createdOn": "2021-02-09T17:58:39.5407427Z",
              "updatedBy": null,
              "updatedOn": null
            },
            "parameters": {
              "effect": {
                "type": "String",
                "metadata": {
                  "displayName": "Effect",
                  "description": "Enable or disable the execution of the policy"
                },
                "allowedValues": [
                  "DeployIfNotExists",
                  "Disabled"
                ],
                "defaultValue": "DeployIfNotExists"
              },
              "subnetRssId": {
                "type": "String",
                "metadata": {
                  "displayName": "Azure Subnet Resource Id",
                  "description": "The subnet resource id to add to access rules"
                }
              }
            },
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "type",
                    "equals": "Microsoft.Storage/storageAccounts"
                  },
                  {
                    "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                    "notEquals": "Deny"
                  }
                ]
              },
              "then": {
                "effect": "[parameters('effect')]",
                "details": {
                  "type": "Microsoft.Storage/storageAccounts",
                  "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                  ],
                  "existenceCondition": {
                    "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                    "equals": "Deny"
                  },
                  "deployment": {
                    "properties": {
                      "mode": "incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "name": {
                            "type": "string"
                          },
                          "sku": {
                            "type": "string"
                          },
                          "kind": {
                            "type": "string"
                          },
                          "location": {
                            "type": "string"
                          },
                          "subnetRssId": {
                            "type": "string"
                          }
                        },
                        "resources": [
                          {
                            "name": "[parameters('name')]",
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2019-06-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "networkAcls": {
                                "bypass": "AzureServices",
                                "virtualNetworkRules": [
                                  {
                                    "id": "[parameters('subnetRssId')]",
                                    "action": "Allow"
                                  }
                                ],
                                "ipRules": [],
                                "defaultAction": "Deny"
                              }
                            },
                            "dependsOn": [],
                            "sku": {
                              "name": "[parameters('sku')]"
                            },
                            "kind": "[parameters('kind')]"
                          }
                        ]
                      },
                      "parameters": {
                        "name": {
                          "value": "[field('name')]"
                        },
                        "sku": {
                          "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
                        },
                        "location": {
                          "value": "[field('location')]"
                        },
                        "kind": {
                          "value": "[field('kind')]"
                        },
                        "subnetRssId": {
                          "value": "[parameters('subnetRssId')]"
                        }
                      }
                    }
                  }
                }
              }
            }
          },
          "id": "/subscriptions/58ea3f61-3761-430f-8b7b-5869717c74e8/providers/Microsoft.Authorization/policyDefinitions/3426f245-86db-4ea7-935f-30b5011df9cd",
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "3426f245-86db-4ea7-935f-30b5011df9cd"
        }
    
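As an added example that is not part of either post or of Azure Policy itself, this Python sketch evaluates the `if` rule and `existenceCondition` used in both attempts against constructed storage-account documents, and applies the `networkAcls` block the deployment template would set. The subnet id, account name and the `evaluate`/`remediate` helpers are assumptions for illustration; an empty subnet id is rejected the same way the preflight check rejected the first attempt.

```python
import copy
# Policy aliases used in the post, mapped to paths in the resource JSON.
ALIASES = {
    "type": ["type"],
    "Microsoft.Storage/storageAccounts/networkAcls.defaultAction":
        ["properties", "networkAcls", "defaultAction"],
}

def field(resource, alias):
    """Resolve an alias the way field('...') does; missing paths give None."""
    node = resource
    for key in ALIASES[alias]:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def matches(cond, resource):
    """Evaluate the rule subset the post uses: allOf, equals, notEquals."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = field(resource, cond["field"])
    return value == cond["equals"] if "equals" in cond else value != cond["notEquals"]

IF_RULE = {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny"}]}
EXISTENCE = {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "equals": "Deny"}

def evaluate(resource):
    """NotApplicable if the if-rule misses; Compliant if the existence condition
    already holds; otherwise NonCompliant, meaning the deployment would run."""
    if not matches(IF_RULE, resource):
        return "NotApplicable"
    return "Compliant" if matches(EXISTENCE, resource) else "NonCompliant"

def remediate(resource, subnet_id):
    """Apply the networkAcls block from the template. An empty subnet id is
    rejected here the way the preflight check rejected the first attempt."""
    if not subnet_id:
        raise ValueError("InvalidValuesForRequestParameters: networkAcls.virtualNetworkRules[*].id")
    fixed = copy.deepcopy(resource)
    fixed.setdefault("properties", {})["networkAcls"] = {
        "bypass": "AzureServices",
        "virtualNetworkRules": [{"id": subnet_id, "action": "Allow"}],
        "ipRules": [], "defaultAction": "Deny"}
    return fixed

# Constructed sample input (placeholder ids, not real resources).
SUBNET_ID = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>"
OPEN_ACCOUNT = {"name": "stgexample01", "type": "Microsoft.Storage/storageAccounts",
                "properties": {"networkAcls": {"defaultAction": "Allow"}}}
```

Running `evaluate` on an account before and after `remediate` shows the intended state machine: an account with `defaultAction` other than `Deny` is NonCompliant, and once the template has set `Deny` plus a subnet rule the `if` rule no longer selects it at all.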
