@dmauser
Last active December 4, 2025 20:16
AzurePolicy storage enforce TLS and Soft delete
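#!/usr/bin/env bash
# Storage lab: deploy a storage account with TLS 1.2 and blob soft delete,
# then assign Azure Policy (effect Deny) at the resource-group scope so both
# settings stay enforced.
#
# Usage:  set subscriptionId below, then run the script.
# Needs:  Azure CLI; rights to create resources, a policy definition at
#         subscription scope, and policy assignments at resource-group scope.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# ----- Variables ------------------------------------------------------------
subscriptionId="<YOUR_SUBSCRIPTION_ID>"
resourceGroup="rg-storage-lab"
location="eastus"
storageAccount="storagelab$(date +%s)"   # lower-case, <=24 chars, globally unique
retentionDays=7
policyDefName="EnforceBlobSoftDeleteDef"
# Display name of the built-in minimum-TLS policy. It is resolved to a resource
# ID below because `--policy` takes a definition name/ID, not a display name.
# If the lookup fails, verify the exact display name in the portal.
tlsPolicyDisplayName="Storage accounts should restrict minimum TLS version"

[[ "$subscriptionId" != "<YOUR_SUBSCRIPTION_ID>" ]] || die "set subscriptionId before running"

# ----- Temp files: unpredictable names, removed on any exit path ------------
workDir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${workDir:?}"; }
trap cleanup EXIT
rulesFile="$workDir/blob-soft-delete-rule.json"
paramsFile="$workDir/blob-soft-delete-params.json"

# ----- Login (only if there is no usable session) and select subscription ---
az account show -o none 2>/dev/null || az login -o none
az account set --subscription "$subscriptionId"

# 1. Resource group
echo "Creating Resource Group..."
az group create --name "$resourceGroup" --location "$location" -o none

# 2. Storage account, created with TLS 1.2 as the minimum from the start
echo "Creating Storage Account..."
az storage account create \
  --name "$storageAccount" \
  --resource-group "$resourceGroup" \
  --location "$location" \
  --sku Standard_LRS \
  --kind StorageV2 \
  --enable-hierarchical-namespace false \
  --min-tls-version TLS1_2 \
  -o none

# 3. Blob soft delete via the management plane (ARM). This writes the same
#    blobServices/deleteRetentionPolicy the policy below evaluates and needs
#    only ARM rights on the account, not a Storage Blob Data role.
echo "Enabling Blob Soft Delete..."
az storage account blob-service-properties update \
  --account-name "$storageAccount" \
  --resource-group "$resourceGroup" \
  --enable-delete-retention true \
  --delete-retention-days "$retentionDays" \
  -o none

# 4. Custom policy: blob soft delete enabled with at least minDays retention
echo "Creating custom Policy Definition: Blob Soft Delete..."
# Only the policyRule goes in --rules; the parameter declarations go in
# --params so the definition really declares minDays/effect and the
# assignment below can set them.
cat > "$rulesFile" <<'JSON'
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/blobServices"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
            "notEquals": true
          },
          {
            "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.days",
            "less": "[parameters('minDays')]"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
JSON
cat > "$paramsFile" <<'JSON'
{
  "minDays": {
    "type": "Integer",
    "metadata": {
      "displayName": "Minimum retention days",
      "description": "Minimum number of days soft delete must retain blobs"
    }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Deny",
    "metadata": { "displayName": "Effect" }
  }
}
JSON
# Mode "All": blobServices is a child resource without tags/location, so an
# "Indexed" definition would never evaluate it and the Deny would never fire.
az policy definition create \
  --name "$policyDefName" \
  --display-name "Require Blob Soft Delete with minimum retention" \
  --description "Ensures blob soft delete is enabled with at least the specified retention days." \
  --rules "$rulesFile" \
  --params "$paramsFile" \
  --mode All \
  --subscription "$subscriptionId" \
  -o none

echo "Assigning Policy: Blob Soft Delete..."
rgScope="/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
softDeleteParams=$(printf '{"minDays":{"value":%d},"effect":{"value":"Deny"}}' "$retentionDays")
# No --assign-identity: a managed identity is only needed for
# DeployIfNotExists/Modify effects; Deny does not remediate anything.
az policy assignment create \
  --name "EnforceBlobSoftDelete" \
  --scope "$rgScope" \
  --policy-definition "$policyDefName" \
  --params "$softDeleteParams" \
  -o none

# 5. Built-in policy: minimum TLS version
echo "Assigning Policy: Minimum TLS Version..."
tlsPolicyId=$(az policy definition list \
  --query "[?displayName=='${tlsPolicyDisplayName}'].id | [0]" -o tsv)
[[ -n "$tlsPolicyId" ]] || die "built-in policy '${tlsPolicyDisplayName}' not found; check its display name"
az policy assignment create \
  --name "EnforceTLS" \
  --scope "$rgScope" \
  --policy "$tlsPolicyId" \
  --params '{"effect":{"value":"Deny"},"minimumTlsVersion":{"value":"TLS1_2"}}' \
  -o none

echo "✅ Lab setup complete! Storage Account deployed and policies enforced."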