azure.mgmt.storage resources

azure.storage

Storage Account Resource

example

Finds all Storage Accounts in the subscription.

policies:
    - name: find-all-storage-accounts
      resource: azure.storage

Actions

set-log-settings

Updates the logging settings on storage accounts. The action requires an array of storage types to affect (blob, queue, table), a retention period (number of days, 0-365), and an array of log settings to enable (read, write, delete). Any setting not listed is disabled (for example, log: [write, delete] disables read).

example

Enable write and delete logging and disable read logging on blob storage, and retain logs for 5 days.

policies:
    - name: enable-blob-storage-logging
      resource: azure.storage
      actions:
        - type: set-log-settings
          storage-types: [blob]
          retention: 5
          log: [write, delete]

properties:
  log:
    items:
      enum:
      - read
      - write
      - delete
      type: string
    type: array
  retention:
    type: number
  storage-types:
    items:
      enum:
      - blob
      - queue
      - table
      type: string
    type: array
  type:
    enum:
    - set-log-settings
required:
- storage-types
- log
- retention
- type

set-network-rules

Set Network Rules Action

Updates Azure Storage Firewalls and Virtual Networks settings.

example

Find storage accounts without any firewall rules.

Configure default-action to Deny and then allow:

- Azure Logging and Metrics services
- Two specific IPs
- Two subnets

policies:
    - name: add-storage-firewall
      resource: azure.storage

      filters:
          - type: value
            key: properties.networkAcls.ipRules
            value_type: size
            op: eq
            value: 0

      actions:
          - type: set-network-rules
            default-action: Deny
            bypass: [Logging, Metrics]
            ip-rules:
                - ip-address-or-range: 11.12.13.14
                - ip-address-or-range: 21.22.23.24
            virtual-network-rules:
                - virtual-network-resource-id: <subnet_resource_id>
                - virtual-network-resource-id: <subnet_resource_id>

properties:
  bypass:
    items:
      enum:
      - AzureServices
      - Logging
      - Metrics
    type: array
  default-action:
    enum:
    - Allow
    - Deny
  ip-rules:
    items:
      ip-address-or-range:
        type: string
    type: array
  type:
    enum:
    - set-network-rules
  virtual-network-rules:
    items:
      virtual-network-resource-id:
        type: string
    type: array
required:
- default-action
- type
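A small model of what the two actions on this page produce, as an added example that is not Cloud Custodian's own code: it applies the ipRules filter from the set-network-rules example to constructed resources, turns a set-log-settings action into per-service flags (disabling anything not listed), and builds the networkAcls payload for set-network-rules. The ARM networkAcls shape and the literal "None" bypass value are assumptions; the resources are constructed.

```python
LOG_OPS = ("read", "write", "delete")
STORAGE_TYPES = ("blob", "queue", "table")
BYPASS = ("AzureServices", "Logging", "Metrics")


def log_settings(action):
    """Translate a set-log-settings action into per-service flags.
    Operations not listed under `log` are disabled, as documented above."""
    if (set(action["log"]) - set(LOG_OPS)
            or set(action["storage-types"]) - set(STORAGE_TYPES)
            or not 0 <= action["retention"] <= 365):
        raise ValueError("action violates the set-log-settings schema")
    flags = {op: op in action["log"] for op in LOG_OPS}
    return {st: dict(flags, retention_days=action["retention"])
            for st in action["storage-types"]}


def network_acls(action):
    """Translate a set-network-rules action into an ARM networkAcls block.
    The ARM shape (bypass string, Allow rules) is assumed, not taken from c7n."""
    if action["default-action"] not in ("Allow", "Deny"):
        raise ValueError("default-action must be Allow or Deny")
    bypass = action.get("bypass", [])
    if set(bypass) - set(BYPASS):
        raise ValueError("unknown bypass value")
    return {
        "defaultAction": action["default-action"],
        "bypass": ", ".join(bypass) if bypass else "None",  # "None" assumed
        "ipRules": [{"value": r["ip-address-or-range"], "action": "Allow"}
                    for r in action.get("ip-rules", [])],
        "virtualNetworkRules": [
            {"id": r["virtual-network-resource-id"], "action": "Allow"}
            for r in action.get("virtual-network-rules", [])],
    }


def accounts_without_ip_rules(resources):
    """The page's filter: properties.networkAcls.ipRules has size 0."""
    return [r["name"] for r in resources
            if not r["properties"]["networkAcls"].get("ipRules")]


# Constructed resources in the ARM shape c7n evaluates filters against.
RESOURCES = [
    {"name": "openstore", "properties": {"networkAcls": {
        "defaultAction": "Allow", "ipRules": []}}},
    {"name": "lockedstore", "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "ipRules": [{"value": "11.12.13.14", "action": "Allow"}]}}},
]
```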