[英]Odd result, error creating Azure KeyVault Policy based on existing BuiltIn Policy - provider referenced by the 'field' property doesn't exist
所以...我在将其中一个内置函数转换为自定义函数时遇到了一些困难。 (我为什么要那样做?内部事务,我是否同意无关紧要,所以请不要在那个决定上打扰我。:-))
现有的内置策略:
问题出在 json 文件的第 40/43 行。
main.tf 文件包括:
# policy
locals {
json_keyvault_certmaxvalidityperiod = jsondecode(file("${path.module}/resourceprovider/KeyVault/Certificates should have the specified maximum validity period.json"))
}
resource "azurerm_policy_definition" "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" {
name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" # must match output.tf and ad ID to main
policy_type = "Custom" #Must always be Custom
mode = "All"
display_name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" #add Custom to display name
description = "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault."
metadata = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.metadata)
policy_rule = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.policyRule)
parameters = <<PARAMETERS
{
"effect" : {
"type": "string",
"metadata": {
"description": "Enable or disable the execution of the policy",
"displayName": "Effect"
}
},
"maximumValidityInMonths": {
"type": "integer",
"metadata": {
"description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren\u0027t best practice.",
"displayName": "The maximum validity in months"
}
}
}
PARAMETERS
}
按原样使用 json 内容,执行terraform apply返回:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths' of the policy rule doesn't exist."
因此,我查看了 Microsoft.KeyVault.Data 提供者的定义,从下面看来,不应该有“证书”,而应该是“秘密”:
但是...如果我更新第 40/43 行以反映 Microsoft.KeyVault.Data/vaults/secrets,则terraform apply返回:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets/properties.validityInMonths' of the policy rule doesn't exist."
以前有没有人处理过这样的事情? 关于如何定义策略规则以适应数据提供者的建议?
无法创建具有自定义策略类型的 keyvault 策略,因为"Microsoft.Keyvault.Data"仅支持内置策略类型,如参考中给出的Microsoft 文档中所述。
如果您在Azure Policy Extension in Visual Studio Code您可以找到 azure 中存在的资源提供程序的所有属性,但对于 keyvault,它不存在,它们是空的。
参考:
Azure 策略错误:CaseSensitiveDeploymentParameterNamesFound
[英]Azure policy error: CaseSensitiveDeploymentParameterNamesFound
Azure 策略 - 拒绝 .net 中没有特定标记的新网络接口
[英]Azure Policy - Deny New Network interfaces in vnets that doesn't have an specific tag
修改现有的 Azure 策略以将所配置资源的新功能列入白名单
[英]Modify existing Azure policy to white list the new features for the resources provisioned
如何在Azure APIM中禁用基于azure订阅的限速策略
[英]How to disable rate limit policy based on the azure subscription in Azure APIM
az keyvault key rotation-policy update - CLI 支持的版本
[英]az keyvault key rotation-policy update - CLI supported version
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.