Use Azure policy to assign a role to a storage account
I am trying to make an Azure policy that adds an RBAC role assignment to each existing and future storage account. The code shown below works on the hard-coded hardcodedstorageaccountname and performs remediation without a problem. Next step, in order to make it work at any storage account, is that the hard-coded storage account name is replaced by some function or variable, I'd think. Am I on the right path here? Should I use another pattern? I'm kind of stuck here.
{
  "properties": {
    "displayName": "Assign Owner RBAC role for an AD group",
    "policyType": "Custom",
    "mode": "All",
    "description": "Assigns Owner RBAC role for storage account. Existing storage accounts can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Role Assignments"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/StorageAccounts"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                "equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/principalId",
                "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/scope",
                "equals": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "adGroupId": {
                    "type": "string",
                    "defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
                    "metadata": {
                      "description": "ObjectId of an AD group"
                    }
                  },
                  "contributorRbacRole": {
                    "type": "string",
                    "defaultValue": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                    "metadata": {
                      "description": "Contributor RBAC role definition ID"
                    }
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Authorization/roleAssignments",
                    "apiVersion": "2018-09-01-preview",
                    "name": "[guid(resourceGroup().id, deployment().name)]",
                    "scope": "/subscriptions/cc34d277-fb3f-475c-ba74-280d3ea9ecae/resourceGroups/az104/providers/Microsoft.Storage/storageAccounts/hardcodedstorageaccountname",
                    "properties": {
                      "roleDefinitionId": "[parameters('contributorRbacRole')]",
                      "principalId": "[parameters('adGroupId')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
You can use the function field(fieldName) to access properties of the currently evaluated resource as described in the official docs.
You can find a sample deployIfNotExists policy here.
Helped by the hint given by @andreas-wendl I changed my code to this policy that assigns the Owner role to a group (d3e968d0-586a-4058-8f0e-d54ca380a61f) on every storage account:
{
  "properties": {
    "displayName": "Assign Contributor RBAC role for an AD group",
    "policyType": "Custom",
    "mode": "All",
    "description": "Assigns Contributor RBAC role for AD group resource groups with Tag 'RbacAssignment = true' and name prefix 'my-rg-prefix'. Existing resource groups can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Role Assignments"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/StorageAccounts"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                "like": "*/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/principalId",
                "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/scope",
                "equals": "[field('id')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "saId": {
                  "value": "[field('id')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "saId": {
                    "type": "string",
                    "metadata": {
                      "description": "Full Id of the storage account"
                    }
                  },
                  "adGroupId": {
                    "type": "string",
                    "defaultValue": "d3e968d0-586a-4058-8f0e-d54ca380a61f",
                    "metadata": {
                      "description": "ObjectId of an AD group"
                    }
                  },
                  "ownerRbacRole": {
                    "type": "string",
                    "defaultValue": "[concat(parameters('saId'),'/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                    "metadata": {
                      "description": "Owner RBAC role definition ID"
                    }
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Authorization/roleAssignments",
                    "apiVersion": "2018-09-01-preview",
                    "name": "[guid(resourceGroup().id, deployment().name)]",
                    "scope": "[parameters('saId')]",
                    "properties": {
                      "roleDefinitionId": "[parameters('ownerRbacRole')]",
                      "principalId": "[parameters('adGroupId')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
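As an added illustration (not part of the question or either answer), a small Python model of how the existenceCondition from the final policy is evaluated per storage account: the scope check is resolved through [field('id')] for each evaluated resource, and the like pattern matches the Owner role definition id regardless of its scope prefix. It is a simplified evaluator with constructed sample ids, and assumes Policy string comparisons are case-insensitive and that * matches any characters.

```python
import fnmatch

# Existence condition copied from the final policy above; the scope is
# compared against the evaluated storage account through [field('id')].
EXISTENCE_CONDITION = {
    "allOf": [
        {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
         "like": "*/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
        {"field": "Microsoft.Authorization/roleAssignments/principalId",
         "equals": "d3e968d0-586a-4058-8f0e-d54ca380a61f"},
        {"field": "Microsoft.Authorization/roleAssignments/scope",
         "equals": "[field('id')]"},
    ]
}

# Constructed sample data (placeholder subscription and resource group): two
# storage accounts and one existing Owner assignment scoped to the first only.
SA1 = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stexampleone"
SA2 = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stexampletwo"
ASSIGNMENTS = [{
    "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "principalId": "D3E968D0-586A-4058-8F0E-D54CA380A61F",
    "scope": SA1,
}]


def resolve(value, evaluated):
    """Replace a [field('<name>')] template with the evaluated resource's property."""
    if isinstance(value, str) and value.startswith("[field('") and value.endswith("')]"):
        return evaluated[value[len("[field('"):-len("')]")]]
    return value


def matches(condition, assignment, evaluated):
    """Simplified evaluator for allOf / equals / like (assumed case-insensitive)."""
    if "allOf" in condition:
        return all(matches(c, assignment, evaluated) for c in condition["allOf"])
    # The last path segment of the field alias names the role assignment property.
    actual = assignment.get(condition["field"].rsplit("/", 1)[1], "").lower()
    if "equals" in condition:
        return actual == resolve(condition["equals"], evaluated).lower()
    if "like" in condition:
        return fnmatch.fnmatchcase(actual, resolve(condition["like"], evaluated).lower())
    raise ValueError(f"unsupported condition: {condition!r}")


def needs_remediation(storage_account_id, assignments=ASSIGNMENTS):
    """deployIfNotExists deploys when no related role assignment satisfies the condition."""
    evaluated = {"id": storage_account_id}
    return not any(matches(EXISTENCE_CONDITION, a, evaluated) for a in assignments)
```

With the hard-coded scope from the first policy, the same check would compare every storage account against one fixed path, which is why the field('id') form is needed for per-resource evaluation.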