
Azure Policy Invalid Deployment

This is my first time testing with Azure Policy. I have read through the documentation on the structure, the effects and all of that. I also found a custom policy that fits my scenario: Adding a nsg rule to all new NSGs

Now, the GitHub policy doesn't actually work. When remediating existing NSGs, I get an invalid deployment error - as if the template inside it were incorrect. But when I cross-check the template by adding the rule myself and redeploying the NSG, the code looks consistent to me.

My current policy code looks like this:

{
    "policyType": "Custom",
    "description": "This policy deploys a default Deny All rule to a newly deployed NSG, if it doesn't already exist in the NSG.",
    "mode": "Indexed",
    "displayName": "NSG default Inbound Deny All",
    "parameters": {
        "access": {
            "type": "String",
            "metadata": {
                "description": "The network traffic should be denied.",
                "displayName": "access"
            },
            "defaultValue": "Deny"
        },
        "destinationAddressPrefix": {
            "type": "String",
            "metadata": {
                "description": "The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.",
                "displayName": "destinationAddressPrefix"
            },
            "defaultValue": "*"
        },
        "destinationPortRange": {
            "type": "String",
            "metadata": {
                "description": "The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
                "displayName": "destinationPortRange"
            },
            "defaultValue": "*"
        },
        "direction": {
            "type": "String",
            "metadata": {
                "description": "The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. - Inbound or Outbound",
                "displayName": "direction"
            },
            "defaultValue": "Inbound"
        },
        "effect": {
            "type": "String",
            "metadata": {
                "description": "The effect determines what happens when the policy rule is evaluated to match",
                "displayName": "Effect"
            },
            "defaultValue": "deployIfNotExists"
        },
        "protocol": {
            "type": "String",
            "metadata": {
                "description": "Network protocol this rule applies to. - Tcp, Udp, Icmp, Esp, *",
                "displayName": "protocol"
            },
            "defaultValue": "*"
        },
        "sourceAddressPrefix": {
            "type": "String",
            "metadata": {
                "description": "The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.",
                "displayName": "sourceAddressPrefix"
            },
            "defaultValue": "*"
        },
        "sourcePortRange": {
            "type": "String",
            "metadata": {
                "description": "The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
                "displayName": "sourcePortRange"
            },
            "defaultValue": "*"
        }
    },
    "policyRule": {
        "if": {
            "equals": "Microsoft.Network/networkSecurityGroups",
            "field": "type"
        },
        "then": {
            "details": {
                "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                "existenceCondition": {
                    "count": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                        "where": {
                            "allOf": [
                                {
                                    "equals": "[parameters('protocol')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange'), parameters('sourcePortRange'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), parameters('destinationPortRange'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix'), parameters('sourceAddressPrefix'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix'), parameters('destinationAddressPrefix'))]"
                                },
                                {
                                    "equals": "[parameters('access')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access"
                                },
                                {
                                    "equals": "[parameters('direction')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction"
                                }
                            ]
                        }
                    },
                    "notEquals": 0
                },
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "rulename": {
                                    "type": "String"
                                },
                                "access": {
                                    "type": "String"
                                },
                                "description": {
                                    "type": "String"
                                },
                                "destinationAddressPrefix": {
                                    "type": "Array"
                                },
                                "destinationPortRange": {
                                    "type": "Array"
                                },
                                "direction": {
                                    "type": "String"
                                },
                                "priority": {
                                    "type": "Integer"
                                },
                                "protocol": {
                                    "type": "String"
                                },
                                "sourceAddressPrefix": {
                                    "type": "Array"
                                },
                                "sourcePortRange": {
                                    "type": "Array"
                                },
                                "nsgName": "[field('name')]"
                            },
                            "resources": [
                                {
                                    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                                    "apiVersion": "2022-05-01",
                                    "name": "[concat(parameters('nsgName'), '/Default DenyAnyAnyInbound')]",
                                    "properties": {
                                        "protocol": "*",
                                        "sourcePortRange": "*",
                                        "destinationPortRange": "*",
                                        "sourceAddressPrefix": "*",
                                        "destinationAddressPrefix": "*",
                                        "access": "Deny",
                                        "priority": 4089,
                                        "direction": "Inbound",
                                        "sourcePortRanges": [],
                                        "destinationPortRanges": [],
                                        "sourceAddressPrefixes": [],
                                        "destinationAddressPrefixes": [],
                                        "description": "Managed deny rule"
                                    }
                                }
                            ]
                        }
                    }
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
                ]
            },
            "effect": "[parameters('effect')]"
        }
    }
}

Can anyone tell me what is wrong with the code?

PS: Note that my goal is to update newly deployed NSGs with the appropriate NSG rule, but this policy does not achieve that. Still, I hope that if remediation works, the purpose will be achieved too...

You see non-compliant resources, which means the "if" and the "existenceCondition" are working. The error message confirms this:
"The deployment definition is invalid. See https://aka.ms/arm-deploy for usage details."

Several things are wrong and can be optimized.
You are using the subscription deployment schema instead of:
https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#
See more here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax#template-format

You cannot have spaces in the name:
"name": "[concat(parameters('nsgName'), '/Default DenyAnyAnyInbound')]",
"The name must start with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens."

Since you are using a custom policy, it is good practice to use the latest API:
"apiVersion": "2022-07-01"

Finally, you have a bunch of unused parameters.
"nsgName": "[field('name')]" is not defined as a parameter; where it is currently written there should be a type (string).

{
    "policyType": "Custom",
    "description": "This policy deploys a default Deny All rule to a newly deployed NSG, if it doesn't already exist in the NSG.",
    "mode": "Indexed",
    "displayName": "NSG default Inbound Deny All",
    "parameters": {
        "access": {
            "type": "String",
            "metadata": {
                "description": "The network traffic should be denied.",
                "displayName": "access"
            },
            "defaultValue": "Deny"
        },
        "destinationAddressPrefix": {
            "type": "String",
            "metadata": {
                "description": "The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.",
                "displayName": "destinationAddressPrefix"
            },
            "defaultValue": "*"
        },
        "destinationPortRange": {
            "type": "String",
            "metadata": {
                "description": "The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
                "displayName": "destinationPortRange"
            },
            "defaultValue": "*"
        },
        "direction": {
            "type": "String",
            "metadata": {
                "description": "The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. - Inbound or Outbound",
                "displayName": "direction"
            },
            "defaultValue": "Inbound"
        },
        "effect": {
            "type": "String",
            "metadata": {
                "description": "The effect determines what happens when the policy rule is evaluated to match",
                "displayName": "Effect"
            },
            "defaultValue": "deployIfNotExists"
        },
        "protocol": {
            "type": "String",
            "metadata": {
                "description": "Network protocol this rule applies to. - Tcp, Udp, Icmp, Esp, *",
                "displayName": "protocol"
            },
            "defaultValue": "*"
        },
        "sourceAddressPrefix": {
            "type": "String",
            "metadata": {
                "description": "The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.",
                "displayName": "sourceAddressPrefix"
            },
            "defaultValue": "*"
        },
        "sourcePortRange": {
            "type": "String",
            "metadata": {
                "description": "The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
                "displayName": "sourcePortRange"
            },
            "defaultValue": "*"
        }
    },
    "policyRule": {
        "if": {
            "equals": "Microsoft.Network/networkSecurityGroups",
            "field": "type"
        },
        "then": {
            "effect": "[parameters('effect')]",
            "details": {
                "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
                ],
                "existenceCondition": {
                    "count": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                        "where": {
                            "allOf": [
                                {
                                    "equals": "[parameters('protocol')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange'), parameters('sourcePortRange'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), parameters('destinationPortRange'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix'), parameters('sourceAddressPrefix'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix'), parameters('destinationAddressPrefix'))]"
                                },
                                {
                                    "equals": "[parameters('access')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access"
                                },
                                {
                                    "equals": "[parameters('direction')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction"
                                }
                            ]
                        }
                    },
                    "notEquals": 0
                },
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "parameters": {
                            "nsgName": {
                                "value": "[field('name')]"
                            }
                        },
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "nsgName": {
                                    "type": "string"
                                }
                            },
                            "resources": [
                                {
                                    "name": "[concat(parameters('nsgName'),'/DenyAnyInbound')]",
                                    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                                    "apiVersion": "2022-07-01",
                                    "properties": {
                                        "description": "Managed deny rule",
                                        "access": "Deny",
                                        "direction": "Inbound",
                                        "priority": 4000,
                                        "protocol": "*",
                                        "sourcePortRange": "*",
                                        "sourceAddressPrefix": "*",
                                        "destinationPortRange": "*",
                                        "destinationAddressPrefix": "*"
                                    }
                                }
                            ]
                        }
                    }
                }
            }
        }
    }
}
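As an added example (not code from the question or the answer above), here is an offline Python check that catches the four mistakes the answer points out before a definition is pushed with az policy definition create: a subscription-level template schema inside the deployIfNotExists deployment, a template parameter written as a value instead of a typed declaration, parameters that are declared but never supplied or never referenced, and a resource-name segment that breaks the naming rule quoted in the error. The two policy objects are constructed samples that mirror the question's deployment block and the corrected one; the naming regex is my reading of the quoted error text, and the check only reads the JSON, it makes no call to Azure.

```python
"""Offline lint for the deployIfNotExists deployment block of an Azure Policy definition."""
import json
import re

# Naming rule from the error quoted in the answer: start with a letter or digit, end with a
# letter, digit or underscore, and use only letters, digits, underscores, periods or hyphens.
# (Assumption: this regex is my transcription of that sentence, not an official pattern.)
NAME_SEGMENT = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_.-]*[A-Za-z0-9_])?$")
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
SUBSCRIPTION_SCHEMA = "subscriptionDeploymentTemplate.json"


def make_policy(schema, template_params, deployment_params, rule_name):
    """Wrap one securityRules resource in a deployIfNotExists 'then' block (constructed sample)."""
    rule = {
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "apiVersion": "2022-07-01",
        "name": rule_name,
        "properties": {
            "access": "Deny", "direction": "Inbound", "priority": 4000, "protocol": "*",
            "sourcePortRange": "*", "destinationPortRange": "*",
            "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        },
    }
    template = {"$schema": schema, "contentVersion": "1.0.0.0",
                "parameters": template_params, "resources": [rule]}
    details = {"type": rule["type"],
               "deployment": {"properties": {"mode": "incremental",
                                             "parameters": deployment_params,
                                             "template": template}}}
    return {"policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups"},
                           "then": {"effect": "deployIfNotExists", "details": details}}}


# Constructed sample mirroring the mistakes in the question's deployment block.
BROKEN = make_policy(
    "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    {"rulename": {"type": "String"}, "priority": {"type": "Integer"}, "nsgName": "[field('name')]"},
    {},
    "[concat(parameters('nsgName'), '/Default DenyAnyAnyInbound')]",
)
# The same block with the answer's corrections applied.
FIXED = make_policy(
    "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    {"nsgName": {"type": "string"}},
    {"nsgName": {"value": "[field('name')]"}},
    "[concat(parameters('nsgName'),'/DenyAnyInbound')]",
)


def lint_policy(policy):
    """Return a list of findings for the policy's deployment block; an empty list means none."""
    findings = []
    props = policy["policyRule"]["then"]["details"]["deployment"]["properties"]
    template = props["template"]
    declared = template.get("parameters", {})
    supplied = set(props.get("parameters", {}))
    referenced = set(PARAM_REF.findall(json.dumps(template.get("resources", []))))

    # A deployIfNotExists deployment runs in the matched resource's resource group.
    if SUBSCRIPTION_SCHEMA in template.get("$schema", ""):
        findings.append("template $schema is the subscription schema; use deploymentTemplate.json")

    for name, decl in declared.items():
        # A declaration must be an object with a type; the value belongs under deployment.parameters.
        if not isinstance(decl, dict) or "type" not in decl:
            findings.append(f"parameter '{name}' is written as a value instead of a typed declaration")
        # Declared without a default and never supplied: ARM rejects the deployment.
        elif "defaultValue" not in decl and name not in supplied:
            findings.append(f"parameter '{name}' has no value and no defaultValue")
        if name not in referenced:
            findings.append(f"parameter '{name}' is never referenced in resources")

    # Check every literal segment of each resource name against the naming rule.
    for res in template.get("resources", []):
        literals = re.findall(r"'([^']*)'", PARAM_REF.sub("", res.get("name", "")))
        for segment in (s for lit in literals for s in lit.split("/") if s):
            if not NAME_SEGMENT.match(segment):
                findings.append(f"resource name segment '{segment}' breaks the naming rule")
    return findings


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        result = lint_policy(policy)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running the script reports seven findings for the constructed broken block and none for the corrected one. It only knows about the mistakes named in the answer, so treat it as a pre-commit gate, not a validator: the inner template can still be validated on its own with az deployment group validate before it is wrapped in the policy, and once the assignment is in place the remediation task's deployment error is the authoritative signal.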


Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to republish, cite this site's URL or the original source. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM