Azure 策略存储帐户保留策略未标记资源

Question

I'm using the code below to monitor for retention policy on storage accounts.我正在使用下面的代码来监视存储帐户的保留策略。 Seems I have the right alias but when I see the Compliance report is shows "100% Compliant 0 out of 0".似乎我有正确的别名，但是当我看到合规报告显示“100% 合规 0 出 0”时。 Same issue with versioning and private link policies.版本控制和私有链接策略的相同问题。 I have policies for storage accounts similar to these one but they actually return the number of storage accounts targeted, only difference is that they are not referencing the blob services alias as these are.我有与这些类似的存储帐户策略，但它们实际上返回目标存储帐户的数量，唯一的区别是它们没有像这些一样引用 blob 服务别名。 Thanks for any answers.感谢您提供任何答案。


resource "azurerm_policy_definition" "sa-ensure-versioning-enabled-policy" {

  name         = "sa-ensure-versioning-enabled-policy-definition"

  policy_type  = "Custom"

  mode         = "All"

  #management_group_name = var.management_group_name

  display_name = "Ensure versioning enabled policy"



  metadata = <<METADATA

      {

      "version": "1.0.0",

      "category": "Storage"

    }

  METADATA



  policy_rule = <<POLICY_RULE

          {

        "if": {

            "allOf": [

                {

                    "field": "type",

                    "equals": "Microsoft.Storage/storageAccounts"

                },

                {

                "not": {

                  "field":"Microsoft.Storage/storageAccounts/blobServices/default.isVersioningEnabled",

                  "equals": "true"

                 }

                }

            ]

        },

        "then": {

            "effect": "[parameters('effect')]"    

        }

    }

  POLICY_RULE



  parameters = <<PARAMETERS

      {

        "effect": {

          "type": "String",

          "metadata": {

            "displayName": "Effect",

            "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."

          },

          "allowedValues": [

            "audit",

            "deny",

            "disabled"

          ],

          "defaultValue": "audit"

        }

    }

  PARAMETERS



}



resource "azurerm_policy_assignment" "sa-ensure-versioning-enabled-policy-assignment" {

  name                 = "sa-ensure-versioning-enabled-policy-assignment"

  scope                = data.azurerm_subscription.current.id

  policy_definition_id = azurerm_policy_definition.sa-ensure-versioning-enabled-policy.id

  description          = "Storage Account ensure delete retention policy."

  display_name         = "Ensure versioning enabled policy"



  parameters = <<PARAMETERS

      {

        "effect": {

          "value": "audit"

          }

      }

  PARAMETERS

}

Added this code to get the policy to work properly.添加此代码以使策略正常工作。

{
    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
        },
        "then": {
            "effect": "auditIfNotExists",
            "details": {
                "type": "Microsoft.Storage/storageAccounts/blobServices",
                "roleDefinitionIds": [
                    "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                ],
                "existenceCondition": {
                    "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
                    "equals": "true"
                }
            }
        }
    },
    "parameters": {}
}

Answer 1

Seems this ia bug in Azure, documented here : https://github.com/Azure/azure-policy/issues/377 .似乎是 Azure 中的这个 ia 错误，记录在此处： https : //github.com/Azure/azure-policy/issues/377 。 Apparently the Microsoft.Storage/storageAccounts/blobServices is not yet operational.显然 Microsoft.Storage/storageAccounts/blobServices 尚未运行。 ETA for solution says Sept 2020 but that date and some previous ones have already passed.解决方案的预计到达时间为 2020 年 9 月，但该日期和之前的一些日期已经过去。

Answer 2

Any policies that refer to the Microsoft.Storage/storageAccounts/blobServices should work as well using the code below.(delete retention, versioning,etc) This works now using the policy below:任何引用 Microsoft.Storage/storageAccounts/blobServices 的策略都应该使用下面的代码工作。（删除保留、版本控制等）现在使用以下策略可以工作：

    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
        },
        "then": {
            "effect": "auditIfNotExists",
            "details": {
                "type": "Microsoft.Storage/storageAccounts/blobServices",
                "roleDefinitionIds": [
                    "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                ],
                "existenceCondition": {
                    "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
                    "equals": "true"
                }
            }
        }
    },
    "parameters": {}
}

Azure 策略存储帐户保留策略未标记资源

问题描述

2 个解决方案

解决方案1
0 2020-09-28 23:00:23

解决方案2
0 2020-12-21 17:57:02

Azure 策略存储帐户保留策略未标记资源

问题描述

2 个解决方案

解决方案1 0 2020-09-28 23:00:23

解决方案2 0 2020-12-21 17:57:02

解决方案1
0 2020-09-28 23:00:23

解决方案2
0 2020-12-21 17:57:02