0 Votes
DanieleMellinoIT-3925 asked sadomovalex commented

Policy error when creating a function App

Hi, I am not able to understand why, since yesterday, I cannot create any Function App on Azure with my Visual Studio Enterprise Subscription. Here are the details of the errors:

  • Deployment validation failed.
    Additional details from the underlying API that might be helpful: The template deployment failed because of policy violation. Please see details for more information.

  • In the JSON, in the 'deny' policy action:

"policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Management/managementGroups/MG-01-0006/providers/Microsoft.Authorization/policyDefinitions/cs-secure-Storage-sa-blob-prevent-public-access/\",\"policyDefinitionName\":\"cs-secure-Storage-sa-blob-prevent-public-access\",\"policyDefinitionEffect\":\"deny\",\"policyAssignmentId\":\"/providers/Microsoft.Management/managementGroups/MG-01-0006/providers/Microsoft.Authorization/policyAssignments/MG-01-0006-cs-071-deny/\",\"policyAssignmentName\":\"MG-01-0006-cs-071-deny\",\"policyAssignmentScope\":\"/providers/Microsoft.Management/managementGroups/MG-01-0006\",\"policyExemptionIds\":[]}]"

I don't understand how to tackle this error, since some days ago it worked. I tried to look at the policy but do not know how to move on.

I also have problem accessing




azure-functions azure-policy

1 Answer

1 Vote
sadomovalex answered sadomovalex commented

Based on the policy definition "cs-secure-Storage-sa-blob-prevent-public-access", I would assume that you need to configure the storage account related to the function app so that it has public access disabled. If you provision the function app via an ARM template, it can be done like this:

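   {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
       "storageName": { "type": "string" },
       "location": { "type": "string" }
     },
     "resources": [
       {
         "type": "Microsoft.Storage/storageAccounts",
         "name": "[parameters('storageName')]",
         "apiVersion": "2019-04-01",
         "kind": "StorageV2",
         "location": "[parameters('location')]",
         "sku": {
           "name": "Standard_LRS"
         },
         "properties": {
           "supportsHttpsTrafficOnly": true,
           "allowBlobPublicAccess": false,
           "minimumTlsVersion": "TLS1_2"
         }
       }
     ]
   }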

(pay attention to the allowBlobPublicAccess: false property)


Thank you, I did not realize that the function app needs storage of its own with private access. Therefore the default one created by the portal was not good.

0 Votes 0 ·
sadomovalex DanieleMellinoIT-3925 ·

Yes, when an Azure function app is provisioned, its associated storage account is created under the hood. It is used e.g. for storing metrics (if you expand the Tables node there will be tables whose names start with "$Metric...") and binary files with the functions' code (they are stored under the Blob containers node). However, it is also possible to use this storage account for creating custom artifacts (tables, queues, etc.) - in this case you won't need to provision a separate storage account for that.

0 Votes 0 ·
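
An added example, not part of the original thread or the answerer's code: a Python pre-deployment check that decodes the escaped `policies` string from the error in the question and lists storage accounts in an ARM template that do not explicitly set `allowBlobPublicAccess` to false. The function names, the sample template and its resource names are constructed for illustration, and treating a missing property as non-compliant is an assumption.

```python
import json

# Constructed sample: the "policies" value from the question, shortened to four
# of its fields. Azure returns it as a JSON document escaped inside a string.
SAMPLE_ERROR = {
    "policies": json.dumps([{
        "policyDefinitionName": "cs-secure-Storage-sa-blob-prevent-public-access",
        "policyDefinitionEffect": "deny",
        "policyAssignmentName": "MG-01-0006-cs-071-deny",
        "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/MG-01-0006",
    }])
}

# Constructed sample template: one non-compliant and one compliant account.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "funcstore",
         "properties": {"supportsHttpsTrafficOnly": True}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "lockedstore",
         "properties": {"allowBlobPublicAccess": False}},
        {"type": "Microsoft.Web/sites", "name": "myfunc", "kind": "functionapp"},
    ]
}

def blocking_policies(error):
    """Decode the nested JSON string and keep only assignments with effect 'deny'."""
    policies = json.loads(error["policies"])  # second decode: string -> list
    return [(p["policyDefinitionName"], p["policyAssignmentScope"])
            for p in policies if p.get("policyDefinitionEffect", "").lower() == "deny"]

def accounts_allowing_public_blob(template):
    """Names of storage accounts that do not set allowBlobPublicAccess to false."""
    flagged = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        # Assumption: a missing property counts as non-compliant, not only 'true'.
        if res.get("properties", {}).get("allowBlobPublicAccess") is not False:
            flagged.append(res["name"])
    return flagged

if __name__ == "__main__":
    for name, scope in blocking_policies(SAMPLE_ERROR):
        print(f"denied by {name} assigned at {scope}")
    print("fix these accounts:", accounts_allowing_public_blob(SAMPLE_TEMPLATE))
```
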