所以。。。我在将其中一个内置程序转换为自定义程序时遇到了一些困难。(我为什么这么做?内部问题,无论我是否同意,都无关紧要,所以请不要对我的决定表示不满。:-)
现有内置策略:
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json
问题出现在json文件的第40/43行。
main.tf文件包括:
# policy
locals {
json_keyvault_certmaxvalidityperiod = jsondecode(file("${path.module}/resourceprovider/KeyVault/Certificates should have the specified maximum validity period.json"))
}
resource "azurerm_policy_definition" "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" {
name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" # must match output.tf and ad ID to main
policy_type = "Custom" #Must always be Custom
mode = "All"
display_name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" #add Custom to display name
description = "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault."
metadata = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.metadata)
policy_rule = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.policyRule)
parameters = <<PARAMETERS
{
"effect" : {
"type": "string",
"metadata": {
"description": "Enable or disable the execution of the policy",
"displayName": "Effect"
}
},
"maximumValidityInMonths": {
"type": "integer",
"metadata": {
"description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods arenu0027t best practice.",
"displayName": "The maximum validity in months"
}
}
}
PARAMETERS
}
按原样使用json内容,执行terraform apply返回:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths' of the policy rule doesn't exist."
因此,我查看了Microsoft.KeyVault.Data提供程序的定义,从以下内容来看,似乎不应该有";证书";,相反,它应该是";秘密":
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json
但是。。。如果我更新第40/43行以反映Microsoft.KeyVault.Data/vults/secrets,则terraform apply返回:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets/properties.validityInMonths' of the policy rule doesn't exist."
以前有人处理过这样的事情吗?关于如何定义策略规则以适合数据提供商的建议?
无法创建具有自定义策略类型的密钥保管库策略,因为"Microsoft.Keyvault.Data"仅支持参考中Microsoft文档中所述的内置策略类型。
如果您在Azure Policy Extension in Visual Studio Code中看到,您可以在azure中找到资源提供程序的所有属性,但对于不存在的keyvault,它们是空的。
参考:
策略定义结构的详细信息-Azure策略| Microsoft Docs