[Modules] StorageAccounts - new feature - sasPolicy (#3028)

* initial commit

* removed expirationAction Parameter because not needed

* updated readme

---------

Co-authored-by: Shawn Meyer <shawn.meyer@microsoft.com>

Author: shawntmeyer

modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep

@@ -213,6 +213,7 @@ module testDeployment '../../deploy.bicep' = {
         }
       ]
     }
+    sasExpirationPeriod: '180.00:00:00'
     systemAssignedIdentity: true
     userAssignedIdentities: {
       '${nestedDependencies.outputs.managedIdentityResourceId}': {}

modules/Microsoft.Storage/storageAccounts/deploy.bicep

@@ -201,6 +201,9 @@ param cMKKeyVersion string = ''
 @description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "<resourceName>-diagnosticSettings".')
 param diagnosticSettingsName string = ''
 
+@description('Optional. The SAS expiration period. DD.HH:MM:SS.')
+param sasExpirationPeriod string = ''
+
 var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
   category: metric
   timeGrain: null
@@ -286,6 +289,10 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
       } : null
     }
     accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null
+    sasPolicy: !empty(sasExpirationPeriod) ? {
+      expirationAction: 'Log'
+      sasExpirationPeriod: sasExpirationPeriod
+    } : null
     supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
     isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null
     isSftpEnabled: enableSftp

modules/Microsoft.Storage/storageAccounts/readme.md

@@ -90,6 +90,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` |  | Queue service and queues to create. |
 | `requireInfrastructureEncryption` | bool | `True` |  | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `roleAssignments` | array | `[]` |  | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| `sasExpirationPeriod` | string | `''` |  | The SAS expiration period. DD.HH:MM:SS. |
 | `storageAccountKind` | string | `'StorageV2'` | `[BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2]` | Type of Storage Account to create. |
 | `storageAccountSku` | string | `'Standard_GRS'` | `[Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS]` | Storage Account Sku Name. |
 | `supportsHttpsTrafficOnly` | bool | `True` |  | Allows HTTPS traffic only to storage service if sets to true. |
@@ -585,6 +586,7 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {
         roleDefinitionIdOrName: 'Reader'
       }
     ]
+    sasExpirationPeriod: '180.00:00:00'
     storageAccountSku: 'Standard_LRS'
     systemAssignedIdentity: true
     tableServices: {
@@ -820,6 +822,9 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {
         }
       ]
     },
+    "sasExpirationPeriod": {
+      "value": "180.00:00:00"
+    },
     "storageAccountSku": {
       "value": "Standard_LRS"
     },