Is there a way to deny the creation of a web app that has no network rules defined?



I am trying to deny the creation of web apps in Azure that have no network rules defined.

I am trying to use Azure Policy for this, but I cannot get the policy to work. I have identified the policy aliases that hold this configuration in Azure:

Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].vnetSubnetResourceId
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].vnetTrafficTag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].subnetTrafficTag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].tag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].priority
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].name
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].description
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].ipAddress
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].subnetMask
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].vnetSubnetResourceId
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].vnetTrafficTag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].subnetTrafficTag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].action
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].tag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].priority
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].name
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].description
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*]

But the policy I wrote does not work; this is the latest iteration:

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                },
                {
                    "not": {
                        "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action",
                        "equals": "deny"
                    }
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {}
}

I am trying to look for a "deny" action in the array: if one is defined, no action is needed, otherwise deny. But the policy does nothing; I can deploy web apps both with and without network rules.

In Azure, a top-level resource is modelled as smaller micro-resources that work together to form the functional end resource. In your case, the web site belongs to the Microsoft.Web/sites micro-resource type, but its configuration belongs to a different micro-resource type named Microsoft.Web/sites/config.

Azure Policy only helps you when you are dealing with a single micro-resource type. Micro-resource types are deployed and created asynchronously, so it is currently not possible to deny one based on another.

You can write a similar policy using auditIfNotExists, which is able to audit one micro-resource based on a property of another micro-resource.

PS: I made up the term "micro-resource" here to convey the problem clearly; in Azure each of these is defined as a resource.

See the auditIfNotExists documentation: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#auditifnotexists

Your solution would look similar to this (untested):

{
    "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
    },
    "then": {
        "effect": "auditIfNotExists",
        "details": {
            "type": "Microsoft.Web/sites/config",
            "existenceCondition": {
                "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action",
                "equals": "deny"
            }
        }
    }
}
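Added example (not from the post, and not Azure's own tooling): a small Python check that evaluates the existence condition from the answer above locally against constructed site-config JSON. It assumes that a `[*]` alias combined with a plain `equals` is only satisfied when every array element matches, which is why "at least one deny rule" is better expressed with a `count` expression; both sample configs, including the assumed default "Allow all" entry, are constructed.

```python
# Constructed samples (not from the post), shaped like the ARM "web" config resource
# of a Microsoft.Web/sites app. The first has an allow rule plus a catch-all deny;
# the second is a site with no explicit rules (assumed default: a single "Allow all").
WEB_CONFIG_WITH_DENY = {
    "name": "web", "type": "Microsoft.Web/sites/config",
    "properties": {"ipSecurityRestrictions": [
        {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100, "name": "office"},
        {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"},
    ]},
}
WEB_CONFIG_DEFAULT = {
    "name": "web", "type": "Microsoft.Web/sites/config",
    "properties": {"ipSecurityRestrictions": [
        {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"},
    ]},
}

def restriction_actions(web_config):
    """Lower-cased `action` of each ipSecurityRestrictions entry
    (Azure Policy string comparisons are case-insensitive)."""
    rules = web_config.get("properties", {}).get("ipSecurityRestrictions") or []
    return [str(rule.get("action", "")).lower() for rule in rules]

def all_elements_deny(web_config):
    """Assumed meaning of `[*].action equals deny`: true only when every rule is Deny."""
    actions = restriction_actions(web_config)
    return bool(actions) and all(action == "deny" for action in actions)

def any_deny_rule(web_config):
    """What the question actually wants: at least one Deny rule is present."""
    return "deny" in restriction_actions(web_config)

def count_existence_condition():
    """Existence condition using `count`, which expresses 'at least one Deny rule'
    regardless of how `[*]` with a plain `equals` is evaluated."""
    alias = "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*]"
    return {
        "count": {"field": alias, "where": {"field": alias + ".action", "equals": "Deny"}},
        "greater": 0,
    }

if __name__ == "__main__":
    for label, cfg in (("with deny", WEB_CONFIG_WITH_DENY), ("default", WEB_CONFIG_DEFAULT)):
        print(label, "any_deny:", any_deny_rule(cfg), "all_deny:", all_elements_deny(cfg))
```

Running it shows the site with a mixed allow/deny list passes the "any deny" check but fails the all-elements reading, which is the gap a `count` condition closes.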
