Azure 策略创建一个deployifnotexists 策略


我正在尝试基于现有的 AuditIfNotExists 策略创建一个 DeployIfNotExists 策略。部署时不会出错，但在评估策略时会提示“没有相关资源与策略定义中的效果详细信息匹配”。当我将 AuditIfNotExists 策略部署到同一管理组时，它确实运行良好。我想知道我是否遗漏了什么。

此策略用于在不存在相应警报时创建 NSG 删除警报。下面是该 DeployIfNotExists 策略——你们觉得有什么问题吗？欢迎任何意见。谢谢。

{
  "$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion":"1.0.0.0",
  "parameters":{
    "effect":{
      "type":"string",
      "metadata":{
        "displayName":"Effect",
        "description":"Enable or disable the execution of the policy"
      },
      "allowedValues":[
        "AuditIfNotExists",
        "deployIfNotExists",
        "Disabled"
      ],
      "defaultValue":"deployIfNotExists"
    }
  },
  "variables":{
    "actionGroupName":"dsactiongroup"
  },
  "resources":[
    {
      "name":"CIS5.2.3-EnsureAuditDeleteNSG",
      "type":"Microsoft.Authorization/policyDefinitions",
      "apiVersion":"2019-09-01",
      "properties":{
        "policyType":"Custom",
        "displayName":"CIS 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)",
        "description":"Monitor Activity Alerts exist for specific activities.",
        "mode":"all",
        "metadata":{
          "category":"Audit"
        },
        "parameters":{
          
        },
        "policyRule":{
          "if":{
            "allOf":[
              {
                "field":"type",
                "equals":"Microsoft.Resources/subscriptions"
              }
            ]
          },
          "then":{
            "effect":"[parameters('effect')]",
            "details":{
              "type":"Microsoft.Insights/ActivityLogAlerts",
              "existenceCondition":{
                "allOf":[
                  {
                    "allOf":[
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals":"category"
                        }
                      },
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals":"Administrative"
                        }
                      }
                    ]
                  },
                  {
                    "allOf":[
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals":"resourceType"
                        }
                      },
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals":"microsoft.network/networksecuritygroups"
                        }
                      }
                    ]
                  },
                  {
                    "allOf":[
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals":"operationName"
                        }
                      },
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals":"Microsoft.Network/networkSecurityGroups/delete"
                        }
                      }
                    ]
                  }
                ]
              },
              "roleDefinitionIds":[
                "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
              ],
              "deployment":{
                "properties":{
                  "mode":"incremental",
                  "template":{
                    "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion":"1.0.0.0",
                    "parameters":{
                      
                    },
                    "variables":{
                      "actionGroupName":"dactiongroup"
                    },
                    "resources":[
                      {
                        "name":"NSGRuleDeleted",
                        "type":"Microsoft.Insights/activityLogAlerts",
                        "location":"global",
                        "apiVersion":"2017-04-01",
                        "properties":{
                          "description":"NSG Rule Deleted",
                          "enabled":true,
                          "condition":{
                            "allOf":[
                              {
                                "field":"category",
                                "equals":"Administrative"
                              },
                              {
                                "field":"operationName",
                                "equals":"Microsoft.Network/networkSecurityGroups/securityRules/delete"
                              }
                            ]
                          },
                          "actions":{
                            "actionGroups":[
                              {
                                "actionGroupId":"[resourceId('Microsoft.Insights/actionGroups', variables('actionGroupName'))]"
                              }
                            ]
                          }
                        }
                      }
                    ],
                    "outputs":{
                      
                    }
                  },
                  "parameters":{
                    
                  }
                }
              }
            }
          }
        }
      }
    }
  ]
}


  • 要查看策略不合规的原因，应导航到 Azure 策略 > 合规性 > 资源合规性选项卡 > 查看合规性原因详细信息。

  • 就我而言，策略的 existenceCondition 不正确，因此求值表达式一直失败。提供正确的评估条件为我解决了这个问题。以上面的定义为例：existenceCondition 要求 operationName 等于 Microsoft.Network/networkSecurityGroups/delete 并包含 resourceType 条件，而部署模板创建的警报使用的是 Microsoft.Network/networkSecurityGroups/securityRules/delete 且没有 resourceType 条件，所以已部署的警报永远无法满足存在性条件。

  • 注意：请核对策略修复任务在 effect 下实际部署的资源/子资源类型，existenceCondition 将根据该资源进行评估。
