Policy Problem

Vasudev Gupta 1 Reputation point
2021-03-12T13:42:24.377+00:00

We are trying to create a custom 'DeployIfNotExists' policy that creates a storage account when a storage account with the property 'supportHttpsTraffic' disabled is found. The policy deploys with no syntax error, but no storage account is being created. When I check the activity logs, it says we don't have permission to create the storage account through the policy, even though we have full permissions. We can create a storage account very easily through the GUI and PowerShell.

And is there a way to edit an existing storage account's 'supportHTTPSTraffic' property through policy?

The error is:

"errorMessage": "Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/Team-India/providers/Microsoft.Authorization/policyAssignments/024a600a12104121bc14c1b4/' resource identity does not have the necessary permissions to create deployment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/Team-India/providers/Microsoft.Resources/deployments/PolicyDeployment_3208714533499929033'. Please see https://aka.ms/arm-policy-identity for usage details."

Our definition:

    {
      "properties": {
        "displayName": "HTTPS_Traffic_enabled",
        "policyType": "Custom",
        "mode": "All",
        "description": "If HTTPS traffic is not enabled, it will be enabled. ",
        "metadata": {
          "createdBy": "6da87e93-2ab2-40bc-b058-ee88658eee21",
          "createdOn": "2021-03-11T10:29:19.1663781Z",
          "updatedBy": "6da87e93-2ab2-40bc-b058-ee88658eee21",
          "updatedOn": "2021-03-11T15:26:19.8292658Z"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          "then": {
            "effect": "deployIfNotExists",
            "details": {
              "type": "Microsoft.Storage/storageAccounts",
              "name": "[field('name')]",
              "roleDefinitionIds": [
                "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
              ],
              "existenceCondition": {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "true"
              },
              "deployment": {
                "properties": {
                  "mode": "incremental",
                  "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "storageAccountName": {
                        "type": "string"
                      },
                      "storageAccountLocation": {
                        "type": "string"
                      }
                    },
                    "resources": [
                      {
                        "name": "parameters('storageAccountName')",
                        "type": "Microsoft.Storage/storageAccounts",
                        "location": "parameters('storageAccountLocation')",
                        "apiVersion": "2014-04-01",
                        "properties": {
                          "status": "Enabled"
                        }
                      }
                    ]
                  },
                  "parameters": {
                    "storageAccountName": {
                      "value": "vasustorage"
                    },
                    "storageAccountLocation": {
                      "value": "resourceGroup().location"
                    }
                  }
                }
              }
            }
          }
        }
      },
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/6f70fe54-503a-4520-ada1-9d3ae52fcb0c",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "6f70fe54-503a-4520-ada1-9d3ae52fcb0c"
    }

Azure Policy

1 answer
  1. SwathiDhanwada-MSFT 17,726 Reputation points
    2021-03-19T18:42:22.297+00:00

    @Vasudev Gupta The template mentioned below worked for me; the policy takes effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task will deploy the specified template. To your question, the Storage Account Contributor role should be enough to perform the deployment operation. Kindly try the template below and revert if you have further questions.

    {  
        "properties": {  
          "displayName": "Enable",  
          "policyType": "Custom",  
          "mode": "All",  
          "parameters": {},  
          "policyRule": {  
            "if": {  
              "field": "type",  
              "equals": "Microsoft.Storage/storageAccounts"  
            },  
            "then": {  
              "effect": "deployIfNotExists",  
              "details": {  
                "type": "Microsoft.Storage/storageAccounts",  
                "name": "[field('name')]",  
                "roleDefinitionIds": [  
                  "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"  
                ],  
                "existenceCondition": {  
                  "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",  
                  "equals": "true"  
                },  
                "deployment": {  
                  "properties": {  
                    "mode": "incremental",  
                    "template": {  
                      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",  
                      "contentVersion": "1.0.0.0",  
                      "parameters": {  
                        "storageAccountName": {  
                          "type": "string"  
                        },  
                        "storageAccountLocation": {  
                          "type": "string"  
                        }  
                      },  
                      "resources": [  
                        {  
                          "name": "[parameters('storageAccountName')]",  
                          "type": "Microsoft.Storage/storageAccounts",  
                          "location": "[parameters('storageAccountLocation')]",  
                          "apiVersion": "2021-01-01",  
                          "properties": {  
                            "status": "Enabled",  
                            "supportsHttpsTrafficOnly": true  
                          }  
                        }  
                      ]  
                    },  
                    "parameters": {  
                      "storageAccountName": {  
                        "value": "[field('name')]"  
                      },  
                      "storageAccountLocation": {  
                        "value": "[field('location')]"  
                      }  
                    }  
                  }  
                }  
              }  
            }  
          }  
        },  
        "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/cd7cfe24-17fb-4265-ac32-266bf50dfbe9",  
        "type": "Microsoft.Authorization/policyDefinitions",  
        "name": "cd7cfe24-17fb-4265-ac32-266bf50dfbe9"  
      }
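The error quoted in the question is not about the caller's own rights: a DeployIfNotExists deployment runs under the policy assignment's managed identity, and that identity must hold every role listed in the definition's roleDefinitionIds (the portal grants them when you assign; PowerShell, CLI and ARM do not). The following Az PowerShell session is an added example, not code from the question or the answer. It assumes the subscription id placeholder, the resource group 'Team-India' from the error message, the definition id from the answer above, an arbitrary assignment name, and 'eastus' as the region for the identity; it needs the Az.Resources and Az.PolicyInsights modules and a prior Connect-AzAccount.

```powershell
# Added example: assign the DeployIfNotExists definition with a managed identity,
# grant that identity the definition's roles, then remediate existing accounts.
$subscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'   # assumption: your subscription
$resourceGroup  = 'Team-India'                              # resource group from the error message
$definitionName = 'cd7cfe24-17fb-4265-ac32-266bf50dfbe9'    # definition id from the answer
$assignmentName = 'enforce-https-storage'                   # assumption: any name works
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

$definition = Get-AzPolicyDefinition -Name $definitionName

# 1. Assign with a system-assigned identity. Without -AssignIdentity the assignment has
#    no principal at all, and every deployment fails with the
#    "resource identity does not have the necessary permissions" error from the question.
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName 'Enforce HTTPS-only traffic on storage accounts' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -AssignIdentity `
    -Location 'eastus'    # assumption: region where the identity is created

# 2. Grant the identity each role the definition lists in roleDefinitionIds
#    (here Storage Account Contributor, 17d1049b-...). The definition stores full
#    resource ids; New-AzRoleAssignment wants only the trailing GUID.
$roleIds = $definition.Properties.PolicyRule.then.details.roleDefinitionIds |
    ForEach-Object { ($_ -split '/')[-1] }
foreach ($roleId in $roleIds) {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId $roleId `
        -Scope $scope
}

# 3. New or updated accounts are evaluated on write. Accounts that already exist are
#    only fixed by a remediation task, which runs the definition's template against
#    each non-compliant one. Role assignments replicate slowly, so wait before starting.
Start-Sleep -Seconds 300    # assumption: five minutes is enough for replication
$remediation = Start-AzPolicyRemediation -Name "remediate-$assignmentName" `
    -PolicyAssignmentId $assignment.PolicyAssignmentId `
    -Scope $scope

# 4. Check the task's deployment counts, then verify the property on the accounts
#    themselves rather than trusting the compliance view alone.
Get-AzPolicyRemediation -Name $remediation.Name -Scope $scope |
    Select-Object Name, ProvisioningState, DeploymentSummary

Get-AzStorageAccount -ResourceGroupName $resourceGroup |
    Select-Object StorageAccountName, EnableHttpsTrafficOnly

# For comparison, the same property can be flipped on one account outside policy:
# Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name 'vasustorage' -EnableHttpsTrafficOnly $true
```

Two points worth checking if the error persists after this: the role assignment must be at a scope that covers the deployment (the resource group or above), and if roleDefinitionIds is changed in the definition after assignment, the extra roles are not granted retroactively and step 2 has to be repeated. Newer Az.Resources releases also accept `-IdentityType SystemAssigned` in place of `-AssignIdentity`.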