From 730bac08737fadff8007803605ccafd2febfc8c6 Mon Sep 17 00:00:00 2001
From: George Trossell
Date: Wed, 3 Jun 2026 14:41:04 -0600
Subject: [PATCH 1/2] GPv1 to GPv2 policy

---
 .../azurepolicy.json | 98 +++++++++++++++++++
 .../azurepolicy.parameters.json | 15 +++
 .../azurepolicy.rules.json | 73 ++++++++++++++
 3 files changed, 186 insertions(+)
 create mode 100644 policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.json
 create mode 100644 policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.rules.json
diff --git a/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.json b/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.json
new file mode 100644
index 00000000..3b77ffcd
--- /dev/null
+++ b/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.json
@@ -0,0 +1,98 @@
+{
+ "name": "45b0c7e7-c546-4aa4-94ec-188951feecc6",
+ "mode": "Indexed",
+ "displayName": "Upgrade GPv1 storage accounts to GPv2",
+ "description": "Audits or upgrades legacy General Purpose v1 (GPv1) storage accounts to General Purpose v2 (GPv2) while preserving the existing storage account redundancy SKU.",
+ "metadata": {
+ "category": "Storage",
+ "version": "1.0.0"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Audit or automatically upgrade GPv1 storage accounts to GPv2."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "kind",
+ "equals": "Storage"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[field('name')]",
+ "existenceCondition": {
+ "field": "kind",
+ "equals": "StorageV2"
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+ ],
+ "deploymentScope": "resourceGroup",
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "skuName": {
+ "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2023-01-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "kind": "StorageV2",
+ "properties": {}
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.parameters.json b/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.parameters.json
new file mode 100644
index 00000000..afbf3af7
--- /dev/null
+++ b/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.parameters.json
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Audit or automatically upgrade GPv1 storage accounts to GPv2."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.rules.json b/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.rules.json
new file mode 100644
index 00000000..d75199cd
--- /dev/null
+++ b/policyDefinitions/Storage/storage-account-upgrade-gpv1-storage-account-to-gpv2/azurepolicy.rules.json
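Review bot: The remediation template under `deployment.properties.template` redeclares the account with `"properties": {}` and no `tags`, so a DeployIfNotExists run submits a definition carrying only name, location, SKU and kind. Resource Manager reapplies a resource as declared rather than merging property by property, so confirm on a test account that HTTPS-only, minimum TLS version, public blob access, network rules and encryption settings are unchanged after the kind change; any that reset should be passed through the way `skuName` is. The template also leaves the access tier to the service default, while the description only promises to preserve the SKU. The same template is in azurepolicy.rules.json and, with `accessTier` added, in both BlobStorage files of PATCH 2/2.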
@@ -0,0 +1,73 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "kind",
+ "equals": "Storage"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[field('name')]",
+ "existenceCondition": {
+ "field": "kind",
+ "equals": "StorageV2"
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+ ],
+ "deploymentScope": "resourceGroup",
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "skuName": {
+ "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2023-01-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "kind": "StorageV2",
+ "properties": {}
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
From 0a27a37b2719bbd387a0d3bdf60fdb30c0c3ae37 Mon Sep 17 00:00:00 2001
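Review bot: `roleDefinitionIds` assigns role 17d1049b-9a84-46fb-8f53-869881c3d3ab, which I read as the built-in Storage Account Contributor, to the assignment's managed identity; that role includes listing account keys, so enabling DeployIfNotExists gives the identity a path to the data in every storage account within the assignment scope. For a remediation that only changes `kind`, a custom role limited to storage account read/write plus the deployment actions would be tighter; failing that, state the key access in the policy `description` so whoever assigns it can scope the assignment narrowly. The same role ID is used in azurepolicy.json and in both BlobStorage files of PATCH 2/2.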
From: George Trossell
Date: Wed, 3 Jun 2026 14:49:37 -0600
Subject: [PATCH 2/2] Add policy to audit or upgrade BlobStorage accounts to StorageV2

Add policy to audit or upgrade BlobStorage accounts to StorageV2
---
 .../azurepolicy.json | 106 ++++++++++++++++++
 .../azurepolicy.parameters.json | 15 +++
 .../azurepolicy.rules.json | 81 +++++++++++++
 3 files changed, 202 insertions(+)
 create mode 100644 policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.json
 create mode 100644 policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.rules.json
diff --git a/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.json b/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.json
new file mode 100644
index 00000000..71311c49
--- /dev/null
+++ b/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.json
@@ -0,0 +1,106 @@
+{
+ "name": "c0f34c64-8a8f-4e9c-b6b3-3f5cf0d3e001",
+ "mode": "Indexed",
+ "displayName": "Upgrade BlobStorage accounts to StorageV2",
+ "description": "Audits or upgrades legacy BlobStorage accounts to StorageV2 while preserving the existing storage account redundancy SKU and access tier.",
+ "metadata": {
+ "category": "Storage",
+ "version": "1.0.0"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Audit or automatically upgrade BlobStorage accounts to StorageV2."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "kind",
+ "equals": "BlobStorage"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[field('name')]",
+ "existenceCondition": {
+ "field": "kind",
+ "equals": "StorageV2"
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+ ],
+ "deploymentScope": "resourceGroup",
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "skuName": {
+ "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
+ },
+ "accessTier": {
+ "value": "[field('Microsoft.Storage/storageAccounts/accessTier')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "accessTier": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2023-01-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "accessTier": "[parameters('accessTier')]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.parameters.json b/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.parameters.json
new file mode 100644
index 00000000..449c482b
--- /dev/null
+++ b/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.parameters.json
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Audit or automatically upgrade BlobStorage accounts to StorageV2."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.rules.json b/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.rules.json
new file mode 100644
index 00000000..75b05924
--- /dev/null
+++ b/policyDefinitions/Storage/storage-account-upgrade-blobstorage-account-to-gpv2/azurepolicy.rules.json
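Review bot: The `effect` parameter description does not say that the upgrade is one-way: per Azure's storage documentation an account upgraded to general-purpose v2 cannot be moved back, and billing can change. Since `DeployIfNotExists` is an allowed value, I would extend the text, e.g. `"description": "Audit or automatically upgrade BlobStorage accounts to StorageV2. The upgrade is permanent and may change billing."`, in both azurepolicy.json and azurepolicy.parameters.json. The GPv1 policy in PATCH 1/2 uses the same wording and wants the same sentence.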
@@ -0,0 +1,81 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "kind",
+ "equals": "BlobStorage"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[field('name')]",
+ "existenceCondition": {
+ "field": "kind",
+ "equals": "StorageV2"
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
+ ],
+ "deploymentScope": "resourceGroup",
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "storageAccountName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "skuName": {
+ "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
+ },
+ "accessTier": {
+ "value": "[field('Microsoft.Storage/storageAccounts/accessTier')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageAccountName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "skuName": {
+ "type": "string"
+ },
+ "accessTier": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2023-01-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "accessTier": "[parameters('accessTier')]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file