change category from 'tags' to 'storage' and move policy definition f…
…older from 'tags' to 'storage' (#391)

* Enforce or extend Storage Account IPRules if tag match

* change category and move to storage (from tags)
JulianHayward authored Oct 20, 2023
1 parent 1c7df82 commit 9f4fe94
Showing 6 changed files with 369 additions and 1 deletion.
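--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,190 @@
+{
+"name": "7e5e7a22-32fe-4537-aca8-786a5f871e13",
+"properties": {
+"displayName": "Enforce or extend Storage Account IPRules if tag match",
+"description": "This policy enforces or extends IP ranges if the Storage Account has a matching tag/value (deviating existing IP ranges may be kept or overwritten (parameter: existingIPRangesHandling)). 'publicNetworkAccess' will be enabled if disabled.",
+"mode": "Indexed",
+"metadata": {
+"version": "1.0.0",
+"category": "Storage"
+},
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "effect",
+"description": "policy effect"
+},
+"allowedValues": [
+"DeployIfNotExists",
+"AuditIfNotExists",
+"Disabled"
+],
+"defaultValue": "DeployIfNotExists"
+},
+"tagName": {
+"type": "String",
+"metadata": {
+"displayName": "tagName",
+"description": "name of the tag that must exist for the Storage Account"
+}
+},
+"tagValue": {
+"type": "String",
+"metadata": {
+"displayName": "tagValue",
+"description": "value of the tagName that must match in order to apply the policy"
+}
+},
+"enforceIPRanges": {
+"type": "Array",
+"metadata": {
+"displayName": "enforceIPRanges",
+"description": "IP/ranges that must be applied"
+},
+"defaultValue": [
+"219.94.47.192/28",
+"209.127.0.0/16"
+]
+},
+"existingIPRangesHandling": {
+"type": "String",
+"metadata": {
+"displayName": "existingIPRangesHandling",
+"description": "retain: keep existing IP/ranges that are not defined in 'enforceIPRanges' (union exiting and enforced IP/ranges); remove: enforce 'enforceIPRanges' and remove the existing IP/ranges that are not defined in 'enforceIPRanges'"
+},
+"allowedValues": [
+"retain",
+"remove"
+],
+"defaultValue": "retain"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Storage/storageAccounts"
+},
+{
+"field": "[concat('tags[', parameters('tagName'), ']')]",
+"equals": "[parameters('tagValue')]"
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"evaluationDelay": "AfterProvisioningSuccess",
+"type": "Microsoft.Storage/storageAccounts",
+"name": "[field('name')]",
+"existenceCondition": {
+"allOf": [
+{
+"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
+"exists": "true"
+},
+{
+"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
+"equals": "Deny"
+},
+{
+"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
+"equals": "Enabled"
+},
+{
+"count": {
+"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
+"where": {
+"anyOf": [
+{
+"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+"in": "[parameters('enforceIPRanges')]"
+}
+]
+}
+},
+"equals": "[length(parameters('enforceIPRanges'))]"
+}
+]
+},
+"roleDefinitionIds": [
+"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+],
+"deployment": {
+"properties": {
+"mode": "Incremental",
+"template": {
+"`$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"resourceName": {
+"type": "String"
+},
+"enforceIPRanges": {
+"type": "Array"
+},
+"location": {
+"type": "String"
+},
+"ipRulesExisting": {
+"type": "Array"
+},
+"existingIPRangesHandling": {
+"type": "String"
+}
+},
+"variables": {
+"varIPRangesToApply": "[if(equals(parameters('existingIPRangesHandling'), 'retain'), union(parameters('enforceIPRanges'), parameters('ipRulesExisting')), parameters('enforceIPRanges'))]"
+},
+"resources": [
+{
+"type": "Microsoft.Storage/storageAccounts",
+"apiVersion": "2022-09-01",
+"name": "[parameters('resourceName')]",
+"location": "[parameters('location')]",
+"properties": {
+"publicNetworkAccess": "Enabled",
+"networkAcls": {
+"defaultAction": "Deny",
+"copy": [
+{
+"name": "ipRules",
+"count": "[length(variables('varIPRangesToApply'))]",
+"input": {
+"value": "[variables('varIPRangesToApply')[copyIndex('ipRules')]]",
+"action": "Allow"
+}
+}
+]
+}
+}
+}
+],
+"outputs": {}
+},
+"parameters": {
+"resourceName": {
+"value": "[field('name')]"
+},
+"enforceIPRanges": {
+"value": "[parameters('enforceIPRanges')]"
+},
+"location": {
+"value": "[field('location')]"
+},
+"ipRulesExisting": {
+"value": "[field('Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value')]"
+},
+"existingIPRangesHandling": {
+"value": "[parameters('existingIPRangesHandling')]"
+}
+}
+}
+}
+}
+}
+}
+}
+}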
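Review bot: With existingIPRangesHandling set to 'remove', the existenceCondition in this section still evaluates as compliant as soon as every enforced range is present, because the `"count"` over `networkAcls.ipRules[*]` with `"in": "[parameters('enforceIPRanges')]"` only counts matching rules and ignores extra ones, so a stray IP rule is never removed once the enforced set is in place (the same rule body is in the third file section, and the same parameter block in the second). Appending a second count over all ipRules[*] that must equal length(parameters('enforceIPRanges')), gated so that 'retain' is unaffected, closes that gap; sketch below, to be added to the existenceCondition allOf, though I have not confirmed that a `value` condition is accepted inside an existenceCondition. The template key is spelled `"`$schema"` with a leading backtick, which is a PowerShell escape that only makes sense if this text is interpolated into a double-quoted PowerShell string; a plain JSON consumer will see a key named literally "`$schema" and the ARM template will lack its $schema, so confirm which consumer reads these files before assuming it deploys. Shipping concrete public ranges as the defaultValue of enforceIPRanges means any assignment that does not override the parameter allows those ranges on every tagged account; dropping the default (or defaulting to `[]`) forces the assignment to state the allowlist explicitly. Note also that the deployment sets publicNetworkAccess to Enabled and writes networkAcls with only defaultAction and ipRules, so a tagged account that was fully private is re-opened and, if the PUT replaces the whole networkAcls object, existing virtualNetworkRules and bypass settings may be dropped; worth verifying against the 2022-09-01 API before assignment.
```json
{
  "anyOf": [
    {
      "value": "[parameters('existingIPRangesHandling')]",
      "equals": "retain"
    },
    {
      "count": {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"
      },
      "equals": "[length(parameters('enforceIPRanges'))]"
    }
  ]
}
```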
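--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,52 @@
+{
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "effect",
+"description": "policy effect"
+},
+"allowedValues": [
+"DeployIfNotExists",
+"AuditIfNotExists",
+"Disabled"
+],
+"defaultValue": "DeployIfNotExists"
+},
+"tagName": {
+"type": "String",
+"metadata": {
+"displayName": "tagName",
+"description": "name of the tag that must exist for the Storage Account"
+}
+},
+"tagValue": {
+"type": "String",
+"metadata": {
+"displayName": "tagValue",
+"description": "value of the tagName that must match in order to apply the policy"
+}
+},
+"enforceIPRanges": {
+"type": "Array",
+"metadata": {
+"displayName": "enforceIPRanges",
+"description": "IP/ranges that must be applied"
+},
+"defaultValue": [
+"219.94.47.192/28",
+"209.127.0.0/16"
+]
+},
+"existingIPRangesHandling": {
+"type": "String",
+"metadata": {
+"displayName": "existingIPRangesHandling",
+"description": "retain: keep existing IP/ranges that are not defined in 'enforceIPRanges' (union exiting and enforced IP/ranges); remove: enforce 'enforceIPRanges' and remove the existing IP/ranges that are not defined in 'enforceIPRanges'"
+},
+"allowedValues": [
+"retain",
+"remove"
+],
+"defaultValue": "retain"
+}
+}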
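--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,126 @@
+{
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Storage/storageAccounts"
+},
+{
+"field": "[concat('tags[', parameters('tagName'), ']')]",
+"equals": "[parameters('tagValue')]"
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"evaluationDelay": "AfterProvisioningSuccess",
+"type": "Microsoft.Storage/storageAccounts",
+"name": "[field('name')]",
+"existenceCondition": {
+"allOf": [
+{
+"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
+"exists": "true"
+},
+{
+"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
+"equals": "Deny"
+},
+{
+"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
+"equals": "Enabled"
+},
+{
+"count": {
+"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
+"where": {
+"anyOf": [
+{
+"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+"in": "[parameters('enforceIPRanges')]"
+}
+]
+}
+},
+"equals": "[length(parameters('enforceIPRanges'))]"
+}
+]
+},
+"roleDefinitionIds": [
+"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+],
+"deployment": {
+"properties": {
+"mode": "Incremental",
+"template": {
+"`$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"resourceName": {
+"type": "String"
+},
+"enforceIPRanges": {
+"type": "Array"
+},
+"location": {
+"type": "String"
+},
+"ipRulesExisting": {
+"type": "Array"
+},
+"existingIPRangesHandling": {
+"type": "String"
+}
+},
+"variables": {
+"varIPRangesToApply": "[if(equals(parameters('existingIPRangesHandling'), 'retain'), union(parameters('enforceIPRanges'), parameters('ipRulesExisting')), parameters('enforceIPRanges'))]"
+},
+"resources": [
+{
+"type": "Microsoft.Storage/storageAccounts",
+"apiVersion": "2022-09-01",
+"name": "[parameters('resourceName')]",
+"location": "[parameters('location')]",
+"properties": {
+"publicNetworkAccess": "Enabled",
+"networkAcls": {
+"defaultAction": "Deny",
+"copy": [
+{
+"name": "ipRules",
+"count": "[length(variables('varIPRangesToApply'))]",
+"input": {
+"value": "[variables('varIPRangesToApply')[copyIndex('ipRules')]]",
+"action": "Allow"
+}
+}
+]
+}
+}
+}
+],
+"outputs": {}
+},
+"parameters": {
+"resourceName": {
+"value": "[field('name')]"
+},
+"enforceIPRanges": {
+"value": "[parameters('enforceIPRanges')]"
+},
+"location": {
+"value": "[field('location')]"
+},
+"ipRulesExisting": {
+"value": "[field('Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value')]"
+},
+"existingIPRangesHandling": {
+"value": "[parameters('existingIPRangesHandling')]"
+}
+}
+}
+}
+}
+}
+}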
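--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -5,7 +5,7 @@
 "displayName": "Restrict cloud shell storage account creation",
 "description": "Storage accounts that you create in Cloud Shell are tagged with ms-resource-usage:azure-cloud-shell. If you want to disallow users from creating storage accounts in Cloud Shell, create an Azure resource policy for tags that is triggered by this specific tag. https://learn.microsoft.com/en-us/azure/cloud-shell/persisting-shell-storage#restrict-resource-creation-with-an-azure-resource-policy",
 "metadata": {
-"category": "Tags",
+"category": "Storage",
 "version": "1.0.0"
 },
 "mode": "All",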
