
Azure policy fails to deploy a policy assignment with deployIfNotExists

I have a resource whitelist policy definition as follows:

{
  "properties": {
    "displayName": "Deny resource creation if not in whitelist",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy denies the creation resources which are not allowed in the whitelist.",
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": [
            "Microsoft.KeyVault/vaults",
            "Microsoft.Storage/storageAccounts"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "<POLICYDEFINITIONID>",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny_resource_creation_if_not_in_whitelist"
}

When assigned to a resource group, this policy works as expected.

I also assigned a second policy at the subscription level to deploy the first policy onto resource groups whose names start with "rg-*":

{
  "properties": {
    "displayName": "Deploy resource whitelist policy",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy assigns the resource whitelist policy to resource groups starting with rg-*.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "equals": "Microsoft.Resources/subscriptions/resourceGroups",
            "field": "type"
          },
          {
            "field": "name",
            "like": "rg-*"
          }
        ]
      },
      "then": {
        "details": {
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "apiVersion": "2022-06-01",
                    "name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
                    "properties": {
                      "displayName": "Deny resource creation if not in whitelist",
                      "enforcementMode": "Default",
                      "policyDefinitionId": "<POLICYDEFINITIONID>"
                    },
                    "type": "Microsoft.Authorization/policyAssignments"
                  }
                ]
              }
            }
          },
          "evaluationDelay": "AfterProvisioning",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "type": "Microsoft.Authorization/policyAssignments"
        },
        "effect": "DeployIfNotExists"
      }
    }
  },
  "id": "",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy_resource_whitelist_policy"
}

When the second policy is evaluated, I can see a successful deployIfNotExists event, but no assignment is actually created.

Some additional facts:

  • I successfully deployed the policy assignment ARM template from the Azure portal.
  • When the policy assignment ARM template is replaced with a simple storage account ARM template, it does create a storage account in the resource group.

Any help would be greatly appreciated.

The policy assignment in your example seems to be missing the scope property that assigns it to the given resource group. Try adding the scope property to the policy assignment.

"template": {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "2022-06-01",
            "name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
            "properties": {
                "displayName": "Deny resource creation if not in whitelist",
                "enforcementMode": "Default",
                "policyDefinitionId": "<POLICYDEFINITIONID>",
                "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]"
            },
            "type": "Microsoft.Authorization/policyAssignments"
        }
    ]
}

I finally solved this by using only the first policy together with a value expression condition:

{
  "properties": {
    "displayName": "Deny resource creation if not in whitelist",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy denies the creation resources which are not allowed in the whitelist.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "notIn": [
              "Microsoft.KeyVault/vaults",
              "Microsoft.Storage/storageAccounts"
            ]
          },
          {
            "value": "[resourceGroup().name]",
            "like": "rg-*"
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "<POLICYDEFINITIONID>",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny_resource_creation_if_not_in_whitelist"
}
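As an added example that is not part of the question or either answer: a small offline model of the rule-language subset the three policies on this page use (allOf, not, field, value, equals, in, notIn, like and the [resourceGroup().name] template function). It lets the original deny rule, the subscription-level DeployIfNotExists rule from the question and the accepted answer's value/like rule be exercised against constructed resource requests without an Azure subscription. Only the rule bodies are copied from the page; the evaluator itself, the request dict keys (type, name, resourceGroup) and the sample resources are assumptions made for illustration.

```python
# Added example, not code from the question or either answer. Minimal evaluator
# for the subset of the Azure Policy rule language the rules on this page use.
# Real Azure Policy has many more operators, aliases and effect semantics.
from typing import Any, Dict, Optional

# policyRule bodies as they appear on the page.
ORIGINAL_DENY_RULE = {
    "if": {"not": {"field": "type", "in": [
        "Microsoft.KeyVault/vaults", "Microsoft.Storage/storageAccounts"]}},
    "then": {"effect": "Deny"},
}

DINE_RULE = {
    "if": {"allOf": [
        {"equals": "Microsoft.Resources/subscriptions/resourceGroups", "field": "type"},
        {"field": "name", "like": "rg-*"},
    ]},
    "then": {"effect": "DeployIfNotExists"},
}

FINAL_DENY_RULE = {
    "if": {"allOf": [
        {"field": "type", "notIn": [
            "Microsoft.KeyVault/vaults", "Microsoft.Storage/storageAccounts"]},
        {"value": "[resourceGroup().name]", "like": "rg-*"},
    ]},
    "then": {"effect": "Deny"},
}


def _like(value: str, pattern: str) -> bool:
    """Azure Policy 'like': case-insensitive, at most one '*' wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("Azure Policy 'like' accepts a single '*' wildcard")
    head, star, tail = pattern.lower().partition("*")
    v = value.lower()
    if not star:
        return v == head
    return (len(v) >= len(head) + len(tail)
            and v.startswith(head) and v.endswith(tail))


def _left_operand(cond: Dict[str, Any], request: Dict[str, Any]) -> str:
    """Resolve the 'field' or 'value' side of a condition for one request.

    The request is a constructed dict with the keys the rules read: 'type',
    'name' and 'resourceGroup' (the group the resource is being created in).
    """
    if "field" in cond:
        return str(request.get(cond["field"], ""))
    expr = cond["value"]
    if expr == "[resourceGroup().name]":  # the only template function on the page
        return str(request.get("resourceGroup", ""))
    if isinstance(expr, str) and expr.startswith("[") and expr.endswith("]"):
        raise NotImplementedError(f"template expression not modelled: {expr}")
    return str(expr)


def evaluate(cond: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """Evaluate a policy 'if' condition; string comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(evaluate(c, request) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, request) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], request)
    left = _left_operand(cond, request).lower()
    if "equals" in cond:
        return left == str(cond["equals"]).lower()
    if "in" in cond:
        return left in {str(x).lower() for x in cond["in"]}
    if "notIn" in cond:
        return left not in {str(x).lower() for x in cond["notIn"]}
    if "like" in cond:
        return _like(left, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def effect(rule: Dict[str, Any], request: Dict[str, Any]) -> Optional[str]:
    """Effect the rule applies to the request, or None when the 'if' does not match."""
    return rule["then"]["effect"] if evaluate(rule["if"], request) else None


if __name__ == "__main__":
    # Constructed requests: resources being created in a given resource group.
    vm_in_rg = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "resourceGroup": "rg-prod"}
    vm_elsewhere = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "resourceGroup": "legacy-app"}
    kv_in_rg = {"type": "MICROSOFT.KEYVAULT/VAULTS", "name": "kv1", "resourceGroup": "RG-Dev"}
    for req in (vm_in_rg, vm_elsewhere, kv_in_rg):
        print(req["type"], "in", req["resourceGroup"],
              "-> original:", effect(ORIGINAL_DENY_RULE, req),
              "final:", effect(FINAL_DENY_RULE, req))
    rg = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "rg-prod"}
    print("DINE rule on rg-prod ->", effect(DINE_RULE, rg))
```

The point the model makes visible is that the original rule denies a virtual machine wherever it is assigned, while the accepted answer's rule only denies it when the target resource group name matches rg-*, so one subscription-level assignment replaces the per-group deployment. The model does not implement existence checks, evaluationDelay or deployments, so it cannot reproduce the DeployIfNotExists behaviour the question asks about; it only shows which requests each rule's condition matches.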
