In this demo we use Event Grid to publish Azure subscription events to an Azure Function.
The Event Grid subscription is filtered to deliver only events of the "Microsoft.Resources.ResourceWriteSuccess" kind.
Whenever a Storage Account is created, the function will report whether the storage account is using encryption or not.
- Log in to the Azure Portal and start the Azure Cloud Shell.
- Set the following variables, replacing `<storage_name>` and `<app_name>` with a unique name:

  ```bash
  rgName="EventGridTest"
  storageaccountName=<storage_name>
  appName=<app_name>
  ```
- Create a new Resource Group:

  ```bash
  az group create --name $rgName --location westeurope
  ```
- Create a new Storage Account:

  ```bash
  az storage account create --location westeurope --resource-group $rgName --sku Standard_LRS --name $storageaccountName
  ```
- Create a new Function App:

  ```bash
  az functionapp create --resource-group $rgName --consumption-plan-location westeurope --name $appName --storage-account $storageaccountName
  ```
- Create an automatic deployment to the function app:

  ```bash
  az functionapp deployment source config --repo-url https://github.com/olandese/EventGrid --branch master --manual-integration --resource-group $rgName --name $appName
  ```
- Create a new Service Principal and make it Contributor on the subscription:

  ```bash
  spId="$(az ad sp create-for-rbac -n "EventGridTestSP" --role contributor --password Q1w2e3r4t5y6 --query "[appId] | [0]" --output tsv)"
  ```
- Save the Service Principal values as settings for the function:

  ```bash
  az webapp config appsettings set -g $rgName --name $appName --settings ClientSecret=Q1w2e3r4t5y6 ClientId=$spId
  ```
- Create an Event Grid subscription for all successful deployments; the handler will be the function:

  ```bash
  az eventgrid event-subscription create --name CheckStorageAccountEncryption --included-event-types Microsoft.Resources.ResourceWriteSuccess --endpoint "https://$appName.azurewebsites.net/api/HttpTriggerCheckStorageEncryption"
  ```
- Now create some Storage Accounts in your subscription; in the function's monitor output you will see whether they were created with encryption or not:

  ```bash
  az storage account create --resource-group $rgName --encryption blob --sku Standard_LRS --name encrypttest
  az storage account create --resource-group $rgName --sku Standard_LRS --name notencrypttest
  ```
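The handler logic the function needs, as an added example (not the code deployed from the repository above): it answers the Event Grid subscription validation handshake, keeps only `ResourceWriteSuccess` events whose `resourceUri` is a storage account, and reports whether blob encryption is enabled. The event fields follow the Event Grid schema; `lookup_props` and all sample IDs are assumed/constructed, standing in for a Resource Manager call made with the service principal credentials.

```python
import json
import re

# ARM resource ID of a storage account (resource type Microsoft.Storage/storageAccounts).
STORAGE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/([^/]+)$", re.IGNORECASE)

def is_encrypted(props):
    """True if blob service encryption is enabled in the account's ARM properties."""
    services = props.get("encryption", {}).get("services", {})
    return bool(services.get("blob", {}).get("enabled", False))

def handle_delivery(body, lookup_props):
    """Handle one Event Grid delivery (a JSON array of events).

    lookup_props(resource_id) is an assumed helper returning the account's ARM
    properties; the real function would query Resource Manager with the SP credentials.
    Returns (response_body, report_lines)."""
    report = []
    for ev in json.loads(body):
        etype = ev.get("eventType", "")
        # Validation handshake sent when the subscription is created: echo the code back.
        if etype == "Microsoft.EventGrid.SubscriptionValidationEvent":
            return {"validationResponse": ev["data"]["validationCode"]}, report
        if etype != "Microsoft.Resources.ResourceWriteSuccess":
            continue                      # the subscription filter should already exclude these
        m = STORAGE_RE.match(ev.get("data", {}).get("resourceUri", ""))
        if not m:
            continue                      # successful write to some other resource type
        state = "encrypted" if is_encrypted(lookup_props(m.group(0))) else "NOT encrypted"
        report.append(f"{m.group(1)}: {state}")
    return {}, report

# Constructed sample data (placeholder subscription ID, not a real one).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/EventGridTest"
SAMPLE_PROPS = {
    SUB + "/providers/Microsoft.Storage/storageAccounts/encrypttest":
        {"encryption": {"services": {"blob": {"enabled": True}}}},
    SUB + "/providers/Microsoft.Storage/storageAccounts/notencrypttest": {},
}
SAMPLE_BODY = json.dumps([
    {"eventType": "Microsoft.Resources.ResourceWriteSuccess",
     "data": {"resourceUri": SUB + "/providers/Microsoft.Storage/storageAccounts/encrypttest"}},
    {"eventType": "Microsoft.Resources.ResourceWriteSuccess",
     "data": {"resourceUri": SUB + "/providers/Microsoft.Storage/storageAccounts/notencrypttest"}},
    {"eventType": "Microsoft.Resources.ResourceWriteSuccess",
     "data": {"resourceUri": SUB + "/providers/Microsoft.Web/sites/someapp"}},
])

def demo():
    """Run the handler over the constructed delivery; returns (response, report)."""
    return handle_delivery(SAMPLE_BODY, lambda rid: SAMPLE_PROPS.get(rid, {}))
```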
If you want to clean up all the resources created during the previous steps:

- Delete the Resource Group:

  ```bash
  az group delete --name $rgName --yes
  ```
- Delete the Event Grid Subscription:

  ```bash
  az eventgrid event-subscription delete --name CheckStorageAccountEncryption
  ```
- Delete the Service Principal:

  ```bash
  az ad sp delete --id "http://EventGridTestSP"
  ```