
I am trying to write an Azure Policy definition that adds an RBAC role assignment to every existing and future storage account.
The definition below works for the hard-coded storage account `hardcodedstorageaccountname`, and the remediation task runs without problems.
The next step, so that it applies to any storage account, is to replace the hard-coded storage account name with some function or variable, I'd think.
Am I on the right path here, or should I use another pattern? I'm stuck at this point.

{
    "properties": {
        "displayName": "Assign Owner RBAC role for an AD group",
        "policyType": "Custom",
        "mode": "All",
        "description": "Assigns an RBAC role (the Contributor role definition referenced in the deployment template) to an AD group on a storage account. Existing storage accounts can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Role Assignments",
        },
        "parameters": {},
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/StorageAccounts"
                    }
                ]
            },
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "type": "Microsoft.Authorization/roleAssignments",
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                    ],
                    "existenceCondition": {
                        "allOf": [
                            {
                                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                                "equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/principalId",
                                "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/scope",
                                "equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname"
                            }
                        ]
                    },
                    "deployment": {
                        "properties": {
                            "mode": "incremental",
                            "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                    "adGroupId": {
                                        "type": "string",
                                        "defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
                                        "metadata": {
                                            "description": "ObjectId of an AD group"
                                        }
                                    },
                                    "contributorRbacRole": {
                                        "type": "string",
                                        "defaultValue": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                                        "metadata": {
                                            "description": "Contributor RBAC role definition ID"
                                        }
                                    }
                                },
                                "resources": [
                                    {
                                        "type": "Microsoft.Authorization/roleAssignments",
                                        "apiVersion": "2018-09-01-preview",
                                        "name": "[guid(resourceGroup().id, deployment().name)]",
                                        "scope": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname",
                                        "properties": {
                                            "roleDefinitionId": "[parameters('contributorRbacRole')]",
                                            "principalId": "[parameters('adGroupId')]"
                                        }
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        }
    }
}


Answers


  1. Chosen as BEST ANSWER

    Helped by the hint from @andreas-wendl, I changed the definition to the policy below, which assigns the Owner role to the group (d3e968d0-586a-4058-8f0e-d54ca380a61f) on every storage account in the assignment scope. Be aware that this is a broad grant: the group becomes Owner of every storage account the policy evaluates, and the policy's remediation managed identity is itself granted Owner (the `roleDefinitionIds` entry) so that it can create the role assignments. The group object ID and the role definition are still hard-coded; moving them into the policy's `parameters` would make the definition reusable without editing the JSON.

    {
        "properties": {
            "displayName": "Assign Owner RBAC role for an AD group",
            "policyType": "Custom",
            "mode": "All",
            "description": "Assigns the Owner RBAC role to an AD group on every storage account. Existing storage accounts can be remediated by triggering a remediation task.",
            "metadata": {
                "category": "Role Assignments",
            },
            "parameters": {},
            "policyRule": {
                "if": {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Storage/StorageAccounts"
                        }
                    ]
                },
                "then": {
                    "effect": "deployIfNotExists",
                    "details": {
                        "type": "Microsoft.Authorization/roleAssignments",
                        "roleDefinitionIds": [
                            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                        ],
                        "existenceCondition": {
                            "allOf": [
                                {
                                    "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                                    "like": "*/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                                },
                                {
                                    "field": "Microsoft.Authorization/roleAssignments/principalId",
                                    "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
                                },
                                {
                                    "field": "Microsoft.Authorization/roleAssignments/scope",
                                    "equals": "[field('id')]"
                                }
                            ]
                        },
                        "deployment": {
                            "properties": {
                                "mode": "incremental",
                                "parameters": {
                                    "saId": {
                                        "value": "[field('id')]"
                                    }
                                },
                                "template": {
                                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                    "contentVersion": "1.0.0.0",
                                    "parameters": {
                                        "saId": {
                                            "type": "string",
                                            "metadata": {
                                                "description": "Full Id of the storage account"
                                            }
                                        },
                                        "adGroupId": {
                                            "type": "string",
                                            "defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
                                            "metadata": {
                                                "description": "ObjectId of an AD group"
                                            }
                                        },
                                        "ownerRbacRole": {
                                            "type": "string",
                                            "defaultValue": "[concat(parameters('saId'),'/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                                            "metadata": {
                                                "description": "Owner RBAC role definition ID"
                                            }
                                        }
                                    },
                                    "resources": [
                                        {
                                            "type": "Microsoft.Authorization/roleAssignments",
                                            "apiVersion": "2018-09-01-preview",
                                            "name": "[guid(resourceGroup().id, deployment().name)]",
                                            "scope": "[parameters('saId')]",
                                            "properties": {
                                                "roleDefinitionId": "[parameters('ownerRbacRole')]",
                                                "principalId": "[parameters('adGroupId')]"
                                            }
                                        }
                                    ]
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    

  2. You can use the function

    field(fieldName)

    to access properties of the resource currently being evaluated, as described in the official Azure Policy documentation on policy definition structure. For example, `[field('id')]` yields the full resource ID of the storage account under evaluation, which you can pass into the deployment as a parameter and use as the role assignment scope and in the existenceCondition.

    Microsoft also publishes a sample deployIfNotExists policy that shows this pattern.
