From 604991d19326c566a95f0abda92b96f379860384 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20=C3=96rn?=
Date: Tue, 26 Sep 2023 12:08:20 +0200
Subject: [PATCH] Audit - StorageAccounts Should Have Lifecycle Policy Enabled
---
.../azurepolicy.json | 58 +++++++++++++++++++
.../azurepolicy.parameters.json | 14 +++++
.../azurepolicy.rules.json | 31 ++++++++++
3 files changed, 103 insertions(+)
create mode 100644 policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.json
create mode 100644 policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.parameters.json
create mode 100644 policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.rules.json
diff --git a/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.json b/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.json
new file mode 100644
index 00000000..71de9e96
--- /dev/null
+++ b/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.json
@@ -0,0 +1,58 @@
+{
+ "name": "bc1e3f2c-692d-4e3e-ab47-9273a71d8079",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Audit - StorageAccounts Should Have Lifecycle Policy Enabled",
+ "description": "This policy audits storage accounts that do not have at least one management policy of type lifecycle enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage"
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts/managementPolicies",
+ "name": "[concat(field('name'), '/default')]",
+ "existenceCondition": {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/managementPolicies/policy.rules[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/managementPolicies/policy.rules[*].enabled",
+ "equals": true
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/managementPolicies/policy.rules[*].type",
+ "equals": "Lifecycle"
+ }
+ ]
+ }
+ },
+ "greater": 0
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.parameters.json b/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.parameters.json
new file mode 100644
index 00000000..fb8acc98
--- /dev/null
+++ b/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.parameters.json
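Review bot: The `if` condition matches every `Microsoft.Storage/storageAccounts` resource, including account kinds that cannot carry a management policy, so those accounts will be reported non-compliant with no possible remediation. Per the lifecycle-management docs, policies are supported on general-purpose v2, premium block blob and Blob Storage accounts but not on `Storage` (v1) or `FileStorage`, so wrap the `if` in an `allOf` and add `{ "field": "kind", "in": [ "StorageV2", "BlockBlobStorage", "BlobStorage" ] }` so the audit only fires where a lifecycle rule is actually possible. Note also that the existence condition only proves an enabled `Lifecycle` rule is present, not that it covers any data — a rule whose filters match nothing still satisfies it — so the `description` should say "have at least one enabled lifecycle rule" rather than imply data is being tiered or deleted.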
@@ -0,0 +1,14 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+}
diff --git a/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.rules.json b/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.rules.json
new file mode 100644
index 00000000..06f5690b
--- /dev/null
+++ b/policyDefinitions/Storage/audit-storageaccounts-should-have-lifecycle-policy-enabled/azurepolicy.rules.json
@@ -0,0 +1,31 @@
+{
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts/managementPolicies",
+ "name": "[concat(field('name'), '/default')]",
+ "existenceCondition": {
+ "count": {
+ "field": "Microsoft.Storage/storageAccounts/managementPolicies/policy.rules[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/managementPolicies/policy.rules[*].enabled",
+ "equals": true
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/managementPolicies/policy.rules[*].type",
+ "equals": "Lifecycle"
+ }
+ ]
+ }
+ },
+ "greater": 0
+ }
+ }
+ }
+}
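Review bot: The parameter `description`, `"AuditIfNotExists or Disabled the execution of the Policy"`, does not read as a sentence and does not say what the parameter controls, and this string is what assigners see in the portal; change it to `"Enable or disable the execution of the policy (AuditIfNotExists or Disabled)."`. The same string is duplicated in azurepolicy.json and should be changed in both places so the two definitions do not drift.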
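Review bot: The existence condition requires `policy.rules[*].enabled` to `equals` `true`, but in Azure Policy a property that is absent from the resource makes `equals` evaluate false, so if the service returns rules created without an explicit `enabled` value (the ARM schema marks it optional) those accounts would be flagged even though their rule is active; `"notEquals": false` should treat a missing property as enabled and is the safer test here — confirm against a GET on a rule created without the property. Separately, `details.name` is `"[concat(field('name'), '/default')]"` whereas built-in policies that target a child resource use the bare child name (e.g. `"name": "default"`); verify on a real assignment that the concatenated form resolves to the management policy rather than matching nothing, since a silent mismatch would mark every storage account non-compliant. Keeping this rules file byte-identical to the `policyRule` in azurepolicy.json is a manual step, so a CI check that diffs the two would catch drift.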