gpt4 book ai didi

Azure 策略 : Delete lock on resource group

转载 作者:行者123 更新时间:2023-12-02 07:23:22 24 4
gpt4 key购买 nike

我尝试使用 Azure Policy 检查生产订阅中的所有资源组是否都有“CanNotDelete”锁。

我制定了一项受 this question 启发的政策,结果如下。

在测试时,我发现没有锁的资源组被正确检测为“不合规”。但是,如果资源组包含具有专用锁的资源(范围=资源,例如仅在 KeyVault 上),则整个资源组将被标记为合规 - 即使只有一个资源真正具有锁。有没有办法设计 existenceCondition 以便锁定必须位于整个资源组上?

{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Authorization/locks",
"existenceCondition": {
"field": "Microsoft.Authorization/locks/level",
"equals": "CanNotDelete"
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2017-04-01",
"name": "ResourceLock",
"properties": {
"level": "CanNotDelete",
"notes": "Prevent accidental deletion of resources"
}
}
]
}
}
}
}
}
},
"parameters": {}
}

最佳答案

我不这么认为,因为 locks 属性中没有任何内容详细说明被阻止的范围级别。

关于Azure 策略 : Delete lock on resource group,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60602082/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com