I am trying to make an Azure policy that adds a RBAC role assignment to each existing and future storage account.
The code shown below works on the hard coded hardcodedstorageaccountname and performs remediation without a problem.
Next step, in order to make it work at any storage account, is that the hardcoded storage account name is replaced by some function or variable, I’d think.
Am I on the right path here? Should I use another pattern? I’m kind of stuck here.
{
"properties": {
"displayName": "Assign Owner RBAC role for an AD group",
"policyType": "Custom",
"mode": "All",
"description": "Assigns Owner RBAC role for storage account'. Existing strorage accounts can be remediated by triggering a remediation task.",
"metadata": {
"category": "Role Assignments",
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/StorageAccounts"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Authorization/roleAssignments",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
},
{
"field": "Microsoft.Authorization/roleAssignments/principalId",
"equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
},
{
"field": "Microsoft.Authorization/roleAssignments/scope",
"equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adGroupId": {
"type": "string",
"defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
"metadata": {
"description": "ObjectId of an AD group"
}
},
"contributorRbacRole": {
"type": "string",
"defaultValue": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"metadata": {
"description": "Contributor RBAC role definition ID"
}
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[guid(resourceGroup().id, deployment().name)]",
"scope": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname",
"properties": {
"roleDefinitionId": "[parameters('contributorRbacRole')]",
"principalId": "[parameters('adGroupId')]"
}
}
]
}
}
}
}
}
}
}
}
2
Answers
Helped by the hint given by @andreas-wendl I changed my code to this policy that assigns the role owner to a group (d3e968d0-586a-4058-8f0e-d54ca380a61f) on every storage account
You can use the function
to access properties of the currently evaluated resource as described in the official docs.
You can find a sample deployIfNotExists policy here.