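<#
.SYNOPSIS
Deploy a custom Azure Policy definition and assign it to a resource group.
.DESCRIPTION
Creates (or updates) the custom policy definition 'meetup-storage-networkAcls-deny'
at subscription scope, built from a rules JSON and a parameters JSON, and then
assigns that definition to the demo resource group.
.PARAMETER SubscriptionName
Display name of the subscription to select with Set-AzContext.
.PARAMETER ResourceGroupName
Resource group that receives the policy assignment (its ResourceId is the scope).
.PARAMETER Location
Kept for interface compatibility; it is not used by this script.
.PARAMETER PolicyRulesUri
URI (or local file path) of the azurepolicy.rules.json for the definition.
.PARAMETER PolicyParametersUri
URI (or local file path) of the azurepolicy.parameters.json for the definition.
.NOTES
Coding style 'JustForHandsonLab'.
The policy deployed here appears to be a duplicate of the built-in
'Audit unrestricted network access to storage accounts'.

Supply-chain caveat: by default the rules and parameters are fetched at run
time from the 'master' branch of a public GitHub repository. Whoever can push
to that branch decides what policy lands in your subscription, and the content
can change between runs. For anything beyond a demo, pin the URIs to a specific
commit or point -PolicyRulesUri/-PolicyParametersUri at reviewed local copies.
.AUTHOR
BernardB https://github.com/baidarka/meetup-azure-governance
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $false)]
    [string]$SubscriptionName = "Visual Studio Enterprise",
    [Parameter(Mandatory = $false)]
    [string]$ResourceGroupName = "rg-euw-meetup-demo",
    [Parameter(Mandatory = $false)]
    [string]$Location = "westeurope",
    # Defaults are the original upstream URIs; override to pin or vendor them.
    [Parameter(Mandatory = $false)]
    [string]$PolicyRulesUri = "https://raw.githubusercontent.com/baidarka/meetup-azure-governance/master/2-deploy-policy-definition/policies/Storage/audit-networkacls-deny/azurepolicy.rules.json",
    [Parameter(Mandatory = $false)]
    [string]$PolicyParametersUri = "https://raw.githubusercontent.com/baidarka/meetup-azure-governance/master/2-deploy-policy-definition/policies/Storage/audit-networkacls-deny/azurepolicy.parameters.json"
)
# https://docs.microsoft.com/en-us/azure/governance/policy/samples/ensure-https-storage-account
# Get-Module -ListAvailable Az

# Fail fast. Az cmdlets raise non-terminating errors by default, so without this
# a failed Set-AzContext or Get-AzResourceGroup would let the script carry on
# and create the definition/assignment in the wrong place.
$ErrorActionPreference = 'Stop'

# Login #######################################################################
if (-not (Get-AzContext)) {
    Write-Warning "AzContext is null. Please login..."
    Connect-AzAccount
}
# Capture the context returned by Set-AzContext instead of re-querying it, so the
# subscription id used below is exactly the one just selected.
$context = Set-AzContext -Subscription $SubscriptionName
$subscriptionId = $context.Subscription.Id

# Ensure that the resource provider is registered #############################
Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

# Get the id of the demo resource group #######################################
$rg = Get-AzResourceGroup -Name $ResourceGroupName
if (-not $rg -or -not $rg.ResourceId) {
    throw "Resource group '$ResourceGroupName' was not found in subscription '$SubscriptionName'."
}

# Add policy definition ########################################################
# A policy definition can be added to a management group or a subscription.
# NOTE(review): the definition Name says 'deny' while the DisplayName says 'Audit'.
# The effective 'effect' presumably comes from the parameters JSON, which is not
# visible here - confirm it before assigning, because a Deny effect will block
# non-compliant storage account deployments in the target scope.
# The splat hashtables are deliberately not called $args: that is a PowerShell
# automatic variable and assigning to it is a known pitfall.
$definitionParams = @{
    Name         = "meetup-storage-networkAcls-deny"
    DisplayName  = "Audit storage accounts that allow access from all networks"
    Description  = "Storage accounts should specify allowed subnets and/or ip ranges, and should not allow access from all networks."
    Subscription = $subscriptionId
    Policy       = $PolicyRulesUri
    Parameter    = $PolicyParametersUri
    Metadata     = '{ "category" : "Storage" }'
    Mode         = "All"
}
$definition = New-AzPolicyDefinition @definitionParams
$definition

# Assign policy definition to the resource group ##############################
$assignmentParams = @{
    Name             = "Meetup audit storage networkAcls deny"
    Scope            = $rg.ResourceId
    PolicyDefinition = $definition
}
$assignment = New-AzPolicyAssignment @assignmentParams
$assignment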