@Vasudev Gupta The template below worked for me. The policy takes effect on newly created resources; existing resources can be brought into compliance by running a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task deploys the specified template. To your question, the Storage Account Contributor role (the role referenced in roleDefinitionIds, granted to the policy assignment's identity) should be sufficient to perform the deployment operation. Please try the template below and reply if you have further questions.
{
"properties": {
"displayName": "Enable",
"policyType": "Custom",
"mode": "All",
"parameters": {},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts",
"name": "[field('name')]",
"roleDefinitionIds": [
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "true"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"storageAccountLocation": {
"type": "string"
}
},
"resources": [
{
"name": "[parameters('storageAccountName')]",
"type": "Microsoft.Storage/storageAccounts",
"location": "[parameters('storageAccountLocation')]",
"apiVersion": "2021-01-01",
"properties": {
"status": "Enabled",
"supportsHttpsTrafficOnly": "true"
}
}
]
},
"parameters": {
"storageAccountName": {
"value": "[field('name')]"
},
"storageAccountLocation": {
"value": "[field('location')]"
}
}
}
}
}
}
}
},
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/cd7cfe24-17fb-4265-ac32-266bf50dfbe9",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "cd7cfe24-17fb-4265-ac32-266bf50dfbe9"
}