小贝子编程

Azure 策略允许具有喜欢/匹配模式的资源类型



在 Azure 策略的"允许的资源类型"中,可以提供资源类型的数组。当我想允许 SQL 弹性池时,我还需要包含 SQL 弹性池的所有子类型。

我想使用:

'Microsoft.Sql/servers/elasticpools/*'
'Microsoft.Sql/servers/elasticPools/advisors/*'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/*'
'microsoft.web/serverfarms/*
'microsoft.web/sites/*

但这行不通。

我们现在使用:

'Microsoft.Sql/servers/elasticpools'
'Microsoft.Sql/servers/elasticPools/advisors'
'Microsoft.Sql/servers/elasticpools/advisors/createindex'
'Microsoft.Sql/servers/elasticpools/advisors/dbparameterization'
'Microsoft.Sql/servers/elasticpools/advisors/defragmentindex'
'Microsoft.Sql/servers/elasticpools/advisors/dropindex'
'Microsoft.Sql/servers/elasticpools/advisors/forcelastgoodplan'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/createindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/dbparameterization'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/defragmentindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/dropindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/forcelastgoodplan'
'Microsoft.Web/sites/config'
'Microsoft.Web/sites/...'

我们使用的政策是:

{
  "if": {
    "not": {
      "field": "type",
      "in": "[parameters('listOfResourceTypesAllowed')]"
    }
  },
  "then": {
    "effect": "[parameters('Effect')]"
  }
}

策略参数:

{
  "listOfResourceTypesAllowed": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed resource types",
      "description": "The list of resource types that can be deployed.",
      "strongType": "resourceTypes"
    }
  },
  "Effect": {
    "type": "string",
    "metadata": {
      "description": "The effect of the policy."
    }
  }
}

问题是否可以使用通配符或类似的东西?

因此,您只能使用具有likenotLike条件的通配符。

使用 like 和 notLike 条件时,请在值中提供通配符 *。该值不应包含多个通配符 *。源

这对我有用,我相信你可以很容易地创建反向。

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "type",
            "like": "Microsoft.Storage/storageAccounts*"
          }
        },
        {
          "not": {
            "field": "type",
            "like": "Microsoft.Resources/storageAccounts*"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

这将不允许创建存储帐户。

找出字段类型是一回事...

我已经想出了一个小的单行代码,它将为您创建JSON。它将创建大约 1500 行 JSON,您可以删除不需要的内容。

az provider list | jq '[ .[].namespace + "/*" ] | unique | sort | [.[] | { "not" : { "field" : "type", "like": . } }]'

在我的示例中有趣的是,Microsoft.Resources不足以停止存储帐户,我还需要Microsoft.Storage

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium