Storage Blob Service Container With Public Access
- Query id: a0ab985d-660b-41f7-ac81-70957ee8e627
- Query name: Storage Blob Service Container With Public Access
- Platform: AzureResourceManager
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description
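The Storage Blob Service Container should not be publicly accessible. In the samples below, the flagged templates set the container's `publicAccess` property to 'Container' or 'Blob'; the passing templates set it to 'None'.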
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - bicep file
// Flagged sample: a blob container declared with anonymous (public) read access.
resource blob_container_example 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-02-01' = {
  name: 'blob/container/example'
  properties: {
    denyEncryptionScopeOverride: true
    // 'Container' allows anonymous read of the container and its blobs, including
    // listing the blobs. This is the value the query reports; 'None' is the passing value.
    publicAccess: 'Container'
    metadata: {}
  }
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Container",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
// Deployment inputs for the flagged VNet-restricted storage sample; each parameter
// is described by its own @description decorator.
@description('Name of the virtual network to use for cloud shell containers.')
param existingVNETName string
@description('Name of the subnet to use for storage account.')
param existingStorageSubnetName string
@description('Name of the subnet to use for cloud shell containers.')
param existingContainerSubnetName string
@description('Name of the storage account in subnet.')
param storageAccountName string
@description('Location for all resources.')
param location string = resourceGroup().location
// Resource IDs of the two existing subnets; the storage account's
// virtualNetworkRules reference these variables.
var containerSubnetRef = resourceId(
  'Microsoft.Network/virtualNetworks/subnets',
  existingVNETName,
  existingContainerSubnetName
)
var storageSubnetRef = resourceId(
  'Microsoft.Network/virtualNetworks/subnets',
  existingVNETName,
  existingStorageSubnetName
)
// Storage account that is locked down at the network layer. The file is still a
// flagged sample: the query reports the container's publicAccess value declared
// further down, independently of these account-level network rules.
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
    tier: 'Standard'
  }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      // No service bypass of the network rules.
      bypass: 'None'
      // Only the two referenced subnets are allowed through.
      virtualNetworkRules: [
        {
          id: containerSubnetRef
          action: 'Allow'
        }
        {
          id: storageSubnetRef
          action: 'Allow'
        }
      ]
      // Traffic that matches no rule is denied.
      defaultAction: 'Deny'
    }
    supportsHttpsTrafficOnly: true
    // File and blob services are encrypted with keys sourced from Microsoft.Storage.
    encryption: {
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
      keySource: 'Microsoft.Storage'
    }
    accessTier: 'Cool'
  }
}
// The account's 'default' blob service, declared as a child of storageAccount.
resource storageAccountName_default 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = {
  parent: storageAccount
  name: 'default'
  sku: {
    name: 'Standard_LRS'
    tier: 'Standard'
  }
  properties: {
    // Blob soft delete (deleteRetentionPolicy) is switched off. The passing
    // variant of this sample has the same setting, so it is not what this query flags.
    deleteRetentionPolicy: {
      enabled: false
    }
  }
}
// Flagged resource: container nested under the default blob service via `parent`.
resource storageAccountName_default_container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
  parent: storageAccountName_default
  name: 'container'
  properties: {
    denyEncryptionScopeOverride: true
    // 'Blob' allows anonymous read of individual blobs (no anonymous listing of the
    // container). The query reports it just like 'Container'; 'None' is the passing value.
    publicAccess: 'Blob'
    metadata: {}
  }
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
}
Positive test num. 5 - bicep file
// Deployment inputs for the flagged 'logs' container sample; each parameter is
// described by its own @description decorator.
@description('Specifies the name of the Azure Storage account.')
param storageAccountName string
@description('Specifies the name of the blob container.')
param containerName string = 'logs'
@description(
  'Specifies the location in which the Azure Storage resources should be deployed.'
)
param location string = resourceGroup().location
// Minimal StorageV2 account: only sku, kind and accessTier are configured.
// NOTE(review): neither networkAcls nor the account-level allowBlobPublicAccess
// property is set here, so nothing at account level in this template limits the
// anonymous access requested by the container declared below.
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
    tier: 'Standard'
  }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
  }
}
// Flagged resource: container addressed by its full '<account>/default/<container>'
// name instead of a `parent` reference.
resource storageAccountName_default_container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
  name: '${storageAccountName}/default/${containerName}'
  properties: {
    denyEncryptionScopeOverride: true
    // 'Blob' allows anonymous read of individual blobs; this is the value the
    // query reports. containerName defaults to 'logs' in this template.
    publicAccess: 'Blob'
    metadata: {}
  }
  // Explicit dependency, because the name is built by string interpolation
  // rather than through `parent`.
  dependsOn: [storageAccount]
}
Positive test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
}
Positive test num. 7 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Container",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 9 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Positive test num. 10 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
},
"resources": [
{
"type": "blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "Blob",
"metadata": {}
}
}
]
}
]
}
]
}
Code samples without security vulnerabilities
Negative test num. 1 - bicep file
// Passing sample: the same container declaration with anonymous access disabled.
resource blob_container_example 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-02-01' = {
  name: 'blob/container/example'
  properties: {
    denyEncryptionScopeOverride: true
    // 'None' disables anonymous access, so every request to the container must be authorized.
    publicAccess: 'None'
    metadata: {}
  }
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
// Deployment inputs for the passing VNet-restricted storage sample; each parameter
// is described by its own @description decorator.
@description('Name of the virtual network to use for cloud shell containers.')
param existingVNETName string
@description('Name of the subnet to use for storage account.')
param existingStorageSubnetName string
@description('Name of the subnet to use for cloud shell containers.')
param existingContainerSubnetName string
@description('Name of the storage account in subnet.')
param storageAccountName string
@description('Location for all resources.')
param location string = resourceGroup().location
// Resource IDs of the two existing subnets; the storage account's
// virtualNetworkRules reference these variables.
var containerSubnetRef = resourceId(
  'Microsoft.Network/virtualNetworks/subnets',
  existingVNETName,
  existingContainerSubnetName
)
var storageSubnetRef = resourceId(
  'Microsoft.Network/virtualNetworks/subnets',
  existingVNETName,
  existingStorageSubnetName
)
// Storage account restricted to two subnets, HTTPS only, with file and blob
// encryption enabled. It has the same settings as the account in the flagged
// variant of this sample; only the container's publicAccess value differs.
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
    tier: 'Standard'
  }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      // No service bypass of the network rules.
      bypass: 'None'
      // Only the two referenced subnets are allowed through.
      virtualNetworkRules: [
        {
          id: containerSubnetRef
          action: 'Allow'
        }
        {
          id: storageSubnetRef
          action: 'Allow'
        }
      ]
      // Traffic that matches no rule is denied.
      defaultAction: 'Deny'
    }
    supportsHttpsTrafficOnly: true
    // File and blob services are encrypted with keys sourced from Microsoft.Storage.
    encryption: {
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
      keySource: 'Microsoft.Storage'
    }
    accessTier: 'Cool'
  }
}
// The account's 'default' blob service, declared as a child of storageAccount.
resource storageAccountName_default 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = {
  parent: storageAccount
  name: 'default'
  sku: {
    name: 'Standard_LRS'
    tier: 'Standard'
  }
  properties: {
    // Blob soft delete (deleteRetentionPolicy) is switched off. This sample still
    // passes, so the setting is outside what this query checks.
    deleteRetentionPolicy: {
      enabled: false
    }
  }
}
// Passing resource: container nested under the default blob service via `parent`.
resource storageAccountName_default_container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
  parent: storageAccountName_default
  name: 'container'
  properties: {
    denyEncryptionScopeOverride: true
    // 'None' disables anonymous access to the container and its blobs.
    publicAccess: 'None'
    metadata: {}
  }
}
Negative test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
}
Negative test num. 5 - bicep file
// Deployment inputs for the passing 'logs' container sample; each parameter is
// described by its own @description decorator.
@description('Specifies the name of the Azure Storage account.')
param storageAccountName string
@description('Specifies the name of the blob container.')
param containerName string = 'logs'
@description(
  'Specifies the location in which the Azure Storage resources should be deployed.'
)
param location string = resourceGroup().location
// Minimal StorageV2 account: only sku, kind and accessTier are configured.
// NOTE(review): no networkAcls are set on this account; the sample passes because
// of the container's publicAccess value, not because of any account-level control.
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
    tier: 'Standard'
  }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
  }
}
// Passing resource: container addressed by its full '<account>/default/<container>'
// name instead of a `parent` reference.
resource storageAccountName_default_container 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
  name: '${storageAccountName}/default/${containerName}'
  properties: {
    denyEncryptionScopeOverride: true
    // 'None' disables anonymous access; reads of the container (default name 'logs')
    // must be authorized.
    publicAccess: 'None'
    metadata: {}
  }
  // Explicit dependency, because the name is built by string interpolation
  // rather than through `parent`.
  dependsOn: [storageAccount]
}
Negative test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
}
Negative test num. 7 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "blob/container/example",
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-02-01",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
},
"resources": []
}
],
"outputs": {}
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Negative test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"existingVNETName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network to use for cloud shell containers."
}
},
"existingStorageSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for storage account."
}
},
"existingContainerSubnetName": {
"type": "string",
"metadata": {
"description": "Name of the subnet to use for cloud shell containers."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account in subnet."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
"storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "None",
"virtualNetworkRules": [
{
"id": "[variables('containerSubnetRef')]",
"action": "Allow"
},
{
"id": "[variables('storageSubnetRef')]",
"action": "Allow"
}
],
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Cool"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"deleteRetentionPolicy": {
"enabled": false
}
},
"resources": [
{
"type": "containers",
"apiVersion": "2019-06-01",
"name": "container",
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}
Negative test num. 9 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Azure Storage account."
}
},
"containerName": {
"type": "string",
"defaultValue": "logs",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which the Azure Storage resources should be deployed."
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot"
},
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat('default/', parameters('containerName'))]",
"dependsOn": [
"[parameters('storageAccountName')]"
],
"properties": {
"denyEncryptionScopeOverride": true,
"publicAccess": "None",
"metadata": {}
}
}
]
}
]
},
"resourceGroup": "storageRG",
"parameters": {
"storageAccountType": {
"value": "[parameters('storageAccountType')]"
}
}
},
"kind": "template",
"id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "storageTemplate"
}