We are trying to create a custom 'DeployIfNotExists' policy that creates a storage account when an existing storage account has the 'supportsHttpsTrafficOnly' property disabled. The policy deploys without any syntax error, but no storage account is created. The activity log says the policy does not have permission to create the storage account, even though our own account has full permissions: we can create a storage account easily through the portal and PowerShell.
Also, is there a way to simply edit the existing storage account and change its 'supportsHttpsTrafficOnly' property through policy?
The error is:
"errorMessage": "Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/Team-India/providers/Microsoft.Authorization/policyAssignments/024a600a12104121bc14c1b4/' resource identity does not have the necessary permissions to create deployment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/Team-India/providers/Microsoft.Resources/deployments/PolicyDeployment_3208714533499929033'. Please see https://aka.ms/arm-policy-identity for usage details."
Our definition:
{
"properties": {
"displayName": "HTTPS_Traffic_enabled",
"policyType": "Custom",
"mode": "All",
"description": "If HTTPS traffic is not enabled, it will be enabled. ",
"metadata": {
"createdBy": "6da87e93-2ab2-40bc-b058-ee88658eee21",
"createdOn": "2021-03-11T10:29:19.1663781Z",
"updatedBy": "6da87e93-2ab2-40bc-b058-ee88658eee21",
"updatedOn": "2021-03-11T15:26:19.8292658Z"
},
"parameters": {},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts",
"name": "[field('name')]",
"roleDefinitionIds": [
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "true"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"storageAccountLocation": {
"type": "string"
}
},
"resources": [
{
"name": "parameters('storageAccountName')",
"type": "Microsoft.Storage/storageAccounts",
"location": "parameters('storageAccountLocation')",
"apiVersion": "2014-04-01",
"properties": {
"status": "Enabled"
}
}
]
},
"parameters": {
"storageAccountName": {
"value": "vasustorage"
},
"storageAccountLocation": {
"value": "resourceGroup().location"
}
}
}
}
}
}
}
},
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/6f70fe54-503a-4520-ada1-9d3ae52fcb0c",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "6f70fe54-503a-4520-ada1-9d3ae52fcb0c"
}
