Storage

Filters

  • Standard Value Filter (see Generic Filters)
  • ARM Resource Filters (see Generic Filters)
    • Metric Filter - Filter on metrics from Azure Monitor (see Storage Account Supported Metrics)
    • Tag Filter - Filter on tag presence and/or values
    • Marked-For-Op Filter - Filter on a tag that indicates a scheduled operation for a resource
  • Firewall Rules Filter (see Generic Filters)

    Schema:

    {
      "equal": {
        "items": {
          "type": "string"
        },
        "type": "array"
      },
      "include": {
        "items": {
          "type": "string"
        },
        "type": "array"
      }
    }
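
The following is an added example, not Cloud Custodian's own code: a standard-library model of how the two schema keys above behave. `equal` demands that the account's allowed ranges be exactly the listed ranges, and `include` demands that every listed range be covered by the account's ranges. The resource layout (`properties.networkAcls.ipRules[].value`, `defaultAction`) is assumed from the ARM storage account shape, and the sample account is constructed.

```python
"""Added example (not Cloud Custodian's own code): a standard-library model of
the firewall-rules filter's `equal` and `include` modes, evaluated against the
ipRules of a storage account's networkAcls."""
import ipaddress
from typing import Iterable, List, Optional


def parse_rule(rule: str) -> list:
    """Turn one rule string into CIDR blocks: a single address (198.51.100.7),
    a CIDR (203.0.113.0/24) or a dash range (203.0.113.10-203.0.113.20); the
    range form expands to the minimal list of CIDRs covering it."""
    rule = rule.strip()
    if "-" in rule:
        start, end = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(rule, strict=False)]


def to_ipset(rules: Iterable[str]) -> list:
    """Normalise rule strings into a collapsed, sorted list of CIDRs so that two
    lists describing the same addresses (e.g. two /25s vs one /24) compare equal."""
    nets = [n for r in rules for n in parse_rule(r)]
    return sorted(ipaddress.collapse_addresses(nets))


def account_ip_rules(resource: dict) -> List[str]:
    """Read ipRules values from an ARM storage account dict
    (path properties.networkAcls.ipRules[].value assumed from the ARM shape)."""
    acls = resource.get("properties", {}).get("networkAcls", {})
    return [r["value"] for r in acls.get("ipRules", [])]


def firewall_rules_match(resource: dict, equal: Optional[List[str]] = None,
                         include: Optional[List[str]] = None) -> bool:
    """Evaluate the filter for one resource.
    equal:   the account's ranges must be exactly the given ranges.
    include: every given range must be covered by the account's ranges.
    Exactly one mode is expected, mirroring the two schema keys."""
    if (equal is None) == (include is None):
        raise ValueError("specify exactly one of 'equal' or 'include'")
    resource_set = to_ipset(account_ip_rules(resource))
    if equal is not None:
        return to_ipset(equal) == resource_set
    wanted = to_ipset(include)
    # Both sides are collapsed, so a wanted block is covered exactly when it
    # sits inside a single block of the resource set.
    return all(any(w.subnet_of(r) for r in resource_set) for w in wanted)


def open_to_all_networks(resource: dict) -> bool:
    """Separate check, not part of the filter: when defaultAction is Allow the
    ipRules list is irrelevant because the account accepts any address.
    (ARM's default of Allow when the field is absent is assumed here.)"""
    acls = resource.get("properties", {}).get("networkAcls", {})
    return acls.get("defaultAction", "Allow") == "Allow"


# Constructed sample account (not real data), shaped like an ARM resource.
SAMPLE_ACCOUNT = {
    "name": "teststorage01",
    "properties": {
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices",
            "ipRules": [
                {"value": "203.0.113.0/25", "action": "Allow"},
                {"value": "203.0.113.128/25", "action": "Allow"},
                {"value": "198.51.100.7", "action": "Allow"},
            ],
        }
    },
}

if __name__ == "__main__":
    print(firewall_rules_match(SAMPLE_ACCOUNT, equal=["203.0.113.0/24", "198.51.100.7"]))  # True
    print(firewall_rules_match(SAMPLE_ACCOUNT, include=["203.0.113.10-203.0.113.20"]))  # True
    print(firewall_rules_match(SAMPLE_ACCOUNT, include=["198.51.100.0/24"]))  # False
    print(open_to_all_networks(SAMPLE_ACCOUNT))  # False
```

Collapsing both sides before comparing is what makes `equal` robust to cosmetic differences in how the same address space was entered; `open_to_all_networks` is included because a rule-set check on its own says nothing about an account whose default action is Allow.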
    

Actions

  • ARM Resource Actions (see Generic Actions)

  • set-network-rules - Set network (firewall) rules.
    • default-action: Required. Either Allow or Deny.
    • bypass: Optional. List of services that are allowed to bypass the rules. Any combination of AzureServices, Logging and Metrics, e.g. [Logging, Metrics]. If not specified, the property is not changed.
    • ip-rules: Optional. List of allowed IP addresses or ranges. Specify an empty list [] to remove all items.
      • ip-address-or-range: IP address or range that is allowed.
    • virtual-network-rules: Optional. List of allowed virtual networks. Specify an empty list [] to remove all items.
      • virtual-network-resource-id: Azure resource id of a subnet of a virtual network.

    Schema:

    {
      "bypass": {
        "items": {
          "enum": [
            "AzureServices",
            "Logging",
            "Metrics"
          ]
        },
        "type": "array"
      },
      "default-action": {
        "enum": [
          "Allow",
          "Deny"
        ],
        "required": true
      },
      "ip-rules": {
        "items": {
          "ip-address-or-range": {
            "type": "string"
          }
        },
        "type": "array"
      },
      "virtual-network-rules": {
        "items": {
          "virtual-network-resource-id": {
            "type": "string"
          }
        },
        "type": "array"
      }
    }
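
An added example, not Cloud Custodian's own code, that turns the parameters described above into the networkAcls value an update would carry, applying the stated semantics: default-action is mandatory, an omitted optional key leaves the current value alone, and an explicit empty list clears it. The ARM field names (defaultAction, bypass, ipRules, virtualNetworkRules) and the comma-separated string form of bypass are assumed from the ARM storage account shape; the existing rule set and the subnet id are constructed placeholders.

```python
"""Added example (not Cloud Custodian's own code): builds the networkAcls
update that set-network-rules describes, following the documented rules:
default-action is required, an omitted optional key leaves the current
value untouched, and an explicit empty list clears it."""
import copy

ALLOWED_DEFAULT_ACTIONS = {"Allow", "Deny"}
ALLOWED_BYPASS = {"AzureServices", "Logging", "Metrics"}


def build_network_acls(existing: dict, params: dict) -> dict:
    """Return a new networkAcls dict from `existing` plus the action's params.

    `params` carries the policy keys from the schema above (default-action,
    bypass, ip-rules, virtual-network-rules). The ARM field names used here
    (defaultAction, bypass, ipRules, virtualNetworkRules) and the
    comma-separated string form of bypass are assumed from the ARM shape.
    """
    action = params.get("default-action")
    if action not in ALLOWED_DEFAULT_ACTIONS:
        raise ValueError("default-action is required and must be Allow or Deny")
    acls = copy.deepcopy(existing)  # never mutate the caller's view of the resource
    acls["defaultAction"] = action

    if "bypass" in params:  # absent -> unchanged; [] -> no service bypasses the rules
        unknown = set(params["bypass"]) - ALLOWED_BYPASS
        if unknown:
            raise ValueError(f"unknown bypass services: {sorted(unknown)}")
        # "None" as the no-bypass marker is assumed from the ARM representation
        acls["bypass"] = ", ".join(sorted(params["bypass"])) or "None"

    if "ip-rules" in params:  # absent -> unchanged; [] -> remove every IP rule
        acls["ipRules"] = [
            {"value": r["ip-address-or-range"], "action": "Allow"}
            for r in params["ip-rules"]
        ]

    if "virtual-network-rules" in params:  # absent -> unchanged; [] -> remove all
        acls["virtualNetworkRules"] = [
            {"id": r["virtual-network-resource-id"], "action": "Allow"}
            for r in params["virtual-network-rules"]
        ]
    return acls


# Constructed sample (not real data); the subnet id is a placeholder.
SUBNET_ID = ("/subscriptions/<subscription-id>/resourceGroups/rg-example/providers/"
             "Microsoft.Network/virtualNetworks/vnet-example/subnets/app")
EXISTING_ACLS = {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.5", "action": "Allow"}],
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
}

# Parameters as they would appear under set-network-rules: close the account
# to unlisted public addresses and drop the IP allow-list, but leave the
# subnet rule and the bypass setting as they are.
LOCKDOWN_PARAMS = {"default-action": "Deny", "ip-rules": []}

if __name__ == "__main__":
    locked = build_network_acls(EXISTING_ACLS, LOCKDOWN_PARAMS)
    print(locked["defaultAction"], locked["ipRules"], locked["bypass"])
```

The distinction between "key absent" and "key present with an empty list" is the whole point of the optional parameters, so the builder tests membership with `in params` rather than truthiness; a truthiness check would silently turn `ip-rules: []` into a no-op.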
    

Example Policies

This set of policies will mark all storage accounts whose name contains 'test' (case-insensitive) for deletion in 7 days, and then perform the delete operation on those that are ready for deletion.

policies:
  - name: mark-test-storage-for-deletion
    resource: azure.storage
    filters:
      - type: value
        key: name
        op: in
        value_type: normalize
        value: test
    actions:
      - type: mark-for-op
        op: delete
        days: 7
  - name: delete-test-storage
    resource: azure.storage
    filters:
      - type: marked-for-op
        op: delete
    actions:
      - type: delete

This policy will find all Storage Accounts with 100 or fewer transactions over the last 72 hours and notify user@domain.com.

policies:
  - name: notify-storage-dropping-messages
    resource: azure.storage
    filters:
      - type: metric
        metric: Transactions
        op: le
        aggregation: total
        threshold: 100
        timeframe: 72
    actions:
      - type: notify
        template: default
        priority_header: 2
        subject: Inactive Storage Account
        to:
          - user@domain.com
        transport:
          - type: asq
            queue: https://accountname.queue.core.windows.net/queuename