question

VasudevGupta-0242 asked SwathiDhanwada-MSFT commented

Policy Problem

We are trying to create a custom 'DeployIfNotExists' policy that creates a storage account when a storage account with the property 'supportHttpsTraffic' is disabled. The policy is able to deploy with no syntax error, but no storage account is being created. When I check the activity logs it says we don't have permission to create the storage account through the policy, even though we have full permissions. We can create a storage account very easily through the GUI and PowerShell.

And as well is there a way just to edit the existing storage account to change its 'supportHTTPSTraffic' property, through policy?

The error is:

"errorMessage": "Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/Team-India/providers/Microsoft.Authorization/policyAssignments/024a600a12104121bc14c1b4/' resource identity does not have the necessary permissions to create deployment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/Team-India/providers/Microsoft.Resources/deployments/PolicyDeployment_3208714533499929033'. Please see https://aka.ms/arm-policy-identity for usage details."

Our definition:

{
  "properties": {
    "displayName": "HTTPS_Traffic_enabled",
    "policyType": "Custom",
    "mode": "All",
    "description": "If HTTPS traffic is not enabled, it will be enabled. ",
    "metadata": {
      "createdBy": "6da87e93-2ab2-40bc-b058-ee88658eee21",
      "createdOn": "2021-03-11T10:29:19.1663781Z",
      "updatedBy": "6da87e93-2ab2-40bc-b058-ee88658eee21",
      "updatedOn": "2021-03-11T15:26:19.8292658Z"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Storage/storageAccounts",
          "name": "[field('name')]",
          "roleDefinitionIds": [
            "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "equals": "true"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageAccountName": {
                    "type": "string"
                  },
                  "storageAccountLocation": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "parameters('storageAccountName')",
                    "type": "Microsoft.Storage/storageAccounts",
                    "location": "parameters('storageAccountLocation')",
                    "apiVersion": "2014-04-01",
                    "properties": {
                      "status": "Enabled"
                    }
                  }
                ]
              },
              "parameters": {
                "storageAccountName": {
                  "value": "vasustorage"
                },
                "storageAccountLocation": {
                  "value": "resourceGroup().location"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/6f70fe54-503a-4520-ada1-9d3ae52fcb0c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6f70fe54-503a-4520-ada1-9d3ae52fcb0c"
}

azure-policy

@VasudevGupta-0242 Thank you for your query. Please allow some more time for Community SMEs on the topic or our team to review your scenario and get back to you at the earliest.

1 Vote 1 ·

1 Answer

SwathiDhanwada-MSFT answered SwathiDhanwada-MSFT commented

@VasudevGupta-0242 The template below worked for me; the policy takes effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task will deploy the specified template. To your question, the Storage Account Contributor role should be enough to perform the deployment operation. Kindly try the template below and revert if you have further questions.

 {
     "properties": {
       "displayName": "Enable",
       "policyType": "Custom",
       "mode": "All",
       "parameters": {},
       "policyRule": {
         "if": {
           "field": "type",
           "equals": "Microsoft.Storage/storageAccounts"
         },
         "then": {
           "effect": "deployIfNotExists",
           "details": {
             "type": "Microsoft.Storage/storageAccounts",
             "name": "[field('name')]",
             "roleDefinitionIds": [
               "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
             ],
             "existenceCondition": {
               "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
               "equals": "true"
             },
             "deployment": {
               "properties": {
                 "mode": "incremental",
                 "template": {
                   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                   "contentVersion": "1.0.0.0",
                   "parameters": {
                     "storageAccountName": {
                       "type": "string"
                     },
                     "storageAccountLocation": {
                       "type": "string"
                     }
                   },
                   "resources": [
                     {
                       "name": "[parameters('storageAccountName')]",
                       "type": "Microsoft.Storage/storageAccounts",
                       "location": "[parameters('storageAccountLocation')]",
                       "apiVersion": "2021-01-01",
                       "properties": {
                         "status": "Enabled",
                         "supportsHttpsTrafficOnly": "true"
                       }
                     }
                   ]
                 },
                 "parameters": {
                   "storageAccountName": {
                     "value": "[field('name')]"
                   },
                   "storageAccountLocation": {
                     "value": "[field('location')]"
                   }
                 }
               }
             }
           }
         }
       }
     },
     "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/cd7cfe24-17fb-4265-ac32-266bf50dfbe9",
     "type": "Microsoft.Authorization/policyDefinitions",
     "name": "cd7cfe24-17fb-4265-ac32-266bf50dfbe9"
   }


No, I just tried your policy definition, it gives me the same error as not authorized permission to create the deployment.

0 Votes 0 ·

@VasudevGupta-0242 Once the policy is assigned and evaluated, you will get a list of compliant and non-compliant resources. Based on that, you need to create a remediation task, which will update the existing resources. This is the process I have followed in the Azure Portal. Also note, if you have assigned the definition via SDK, then you have to manually give the managed identity the role defined in the policy definition. So are you assigning the policy via SDK or via the portal?

1 Vote 1 ·

I see. I thought if we assign the policy and create a new storage account after that, the policy's effect will take place. I will create a remediation task to fix it. I did not use the SDK to create the policy. And I see 2 storage accounts that are not compliant with the policy.

0 Votes 0 ·

Okay, I figured out the problem. It is the managed identity I'm providing to the template. It doesn't have the right role to be able to create a new storage account. I have tried Contributor and 'Storage Account Contributor'; neither of them works.

0 Votes 0 ·

@VasudevGupta-0242 The policy has a role definitions property which assigns the necessary roles required for the deployment created via the remediation task. If you are using the policy template I have provided, you should be able to deploy it with ease.


Note: Replace <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx> with your subscription ID.


0 Votes 0 ·
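The procedure the answer and the comments describe (assign the policy with a managed identity, give that identity the role listed in roleDefinitionIds, then remediate the existing non-compliant accounts) as one PowerShell script. This is an added example, not code from the original thread; the subscription ID, resource group 'Team-India', the definition name and the Storage Account Contributor role ID come from the thread's own values, while the assignment name, remediation name and the identity location "eastus" are assumptions to adjust.

```powershell
# Added example (not from the original post). Requires Az.Accounts, Az.Resources,
# Az.PolicyInsights and Az.Storage. Replace the placeholder values before running.
$subscriptionId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"     # placeholder from the thread
$resourceGroup  = "Team-India"                                # resource group from the thread
$definitionName = "cd7cfe24-17fb-4265-ac32-266bf50dfbe9"     # definition posted in the answer
$roleId         = "17d1049b-9a84-46fb-8f53-869881c3d3ab"     # Storage Account Contributor
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$assignmentName = "https-only-storage"                        # assumed name

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Assign the policy WITH a system-assigned identity. deployIfNotExists runs its
#    template as this identity; without one you get the "resource identity does not
#    have the necessary permissions" error from the question.
#    (Older Az.Resources releases use the -AssignIdentity switch instead of -IdentityType.)
$definition = Get-AzPolicyDefinition -Name $definitionName
$assignment = New-AzPolicyAssignment -Name $assignmentName -Scope $scope `
    -PolicyDefinition $definition -IdentityType SystemAssigned -Location "eastus"

# 2. Grant the identity the role the definition declares. The portal does this
#    automatically; assignments made via SDK, CLI or PowerShell must do it explicitly.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionId $roleId -Scope $scope | Out-Null

# 3. The effect only fires on create/update. Existing accounts stay non-compliant
#    until a remediation task deploys the embedded template for each of them.
#    Role assignments take a few minutes to propagate; wait before remediating.
Start-Sleep -Seconds 120
Get-AzPolicyState -ResourceGroupName $resourceGroup -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState

Start-AzPolicyRemediation -Name "fix-https-only" -ResourceGroupName $resourceGroup `
    -PolicyAssignmentId $assignment.PolicyAssignmentId | Out-Null

# 4. Verify the template actually flipped supportsHttpsTrafficOnly on every account.
Get-AzStorageAccount -ResourceGroupName $resourceGroup |
    Select-Object StorageAccountName, EnableHttpsTrafficOnly
```

Step 4 is the check worth keeping in a pipeline: an account still showing EnableHttpsTrafficOnly = False after the remediation finishes means the identity's role has not propagated yet or the template did not reach that resource.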