I'm using the code below to monitor for retention policy on storage accounts. Seems I have the right alias but when I see the Compliance report is shows "100% Compliant 0 out of 0". Same issue with versioning and private link policies. I have policies for storage accounts similar to these one but they actually return the number of storage accounts targeted, only difference is that they are not referencing the blob services alias as these are. Thanks for any answers.
resource "azurerm_policy_definition" "sa-ensure-versioning-enabled-policy" {
name = "sa-ensure-versioning-enabled-policy-definition"
policy_type = "Custom"
mode = "All"
#management_group_name = var.management_group_name
display_name = "Ensure versioning enabled policy"
metadata = <<METADATA
{
"version": "1.0.0",
"category": "Storage"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"not": {
"field":"Microsoft.Storage/storageAccounts/blobServices/default.isVersioningEnabled",
"equals": "true"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
}
}
PARAMETERS
}
resource "azurerm_policy_assignment" "sa-ensure-versioning-enabled-policy-assignment" {
name = "sa-ensure-versioning-enabled-policy-assignment"
scope = data.azurerm_subscription.current.id
policy_definition_id = azurerm_policy_definition.sa-ensure-versioning-enabled-policy.id
description = "Storage Account ensure delete retention policy."
display_name = "Ensure versioning enabled policy"
parameters = <<PARAMETERS
{
"effect": {
"value": "audit"
}
}
PARAMETERS
}
Added this code to get the policy to work properly.
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts/blobServices",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
"equals": "true"
}
}
}
},
"parameters": {}
}
Seems this ia bug in Azure, documented here : https://github.com/Azure/azure-policy/issues/377 . Apparently the Microsoft.Storage/storageAccounts/blobServices is not yet operational. ETA for solution says Sept 2020 but that date and some previous ones have already passed.