Azure Policy: creating a DeployIfNotExists policy

Reposted. Author: 行者123. Updated: 2023-12-02 22:55:52

I am trying to create a DeployIfNotExists policy from an existing AuditIfNotExists policy. It deploys without errors, but when the policy is evaluated it reports "No related resources match the effect details in the policy definition". When I deploy the AuditIfNotExists policy to the same management group it works fine. I wonder whether I have missed something.

This policy is meant to create an alert for NSG deletion if one does not already exist. Here is the DeployIfNotExists policy. Do you see anything wrong with it? Any input is appreciated. Thanks.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "deployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "deployIfNotExists"
    }
  },
  "variables": {
    "actionGroupName": "dsactiongroup"
  },
  "resources": [
    {
      "name": "CIS5.2.3-EnsureAuditDeleteNSG",
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "properties": {
        "policyType": "Custom",
        "displayName": "CIS 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)",
        "description": "Monitor Activity Alerts exist for specific activities.",
        "mode": "all",
        "metadata": {
          "category": "Audit"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions"
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]",
            "details": {
              "type": "Microsoft.Insights/ActivityLogAlerts",
              "existenceCondition": {
                "allOf": [
                  {
                    "allOf": [
                      {
                        "not": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals": "category"
                        }
                      },
                      {
                        "not": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals": "Administrative"
                        }
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "not": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals": "resourceType"
                        }
                      },
                      {
                        "not": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals": "microsoft.network/networksecuritygroups"
                        }
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "not": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals": "operationName"
                        }
                      },
                      {
                        "not": {
                          "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals": "Microsoft.Network/networkSecurityGroups/delete"
                        }
                      }
                    ]
                  }
                ]
              },
              "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
              ],
              "deployment": {
                "properties": {
                  "mode": "incremental",
                  "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {
                      "actionGroupName": "dactiongroup"
                    },
                    "resources": [
                      {
                        "name": "NSGRuleDeleted",
                        "type": "Microsoft.Insights/activityLogAlerts",
                        "location": "global",
                        "apiVersion": "2017-04-01",
                        "properties": {
                          "description": "NSG Rule Deleted",
                          "enabled": true,
                          "condition": {
                            "allOf": [
                              {
                                "field": "category",
                                "equals": "Administrative"
                              },
                              {
                                "field": "operationName",
                                "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"
                              }
                            ]
                          },
                          "actions": {
                            "actionGroups": [
                              {
                                "actionGroupId": "[resourceId('Microsoft.Insights/actionGroups', variables('actionGroupName'))]"
                              }
                            ]
                          }
                        }
                      }
                    ],
                    "outputs": {}
                  },
                  "parameters": {}
                }
              }
            }
          }
        }
      }
    }
  ]
}

Best answer

  • To check the reason for a policy's compliance state, go to Azure Policy > Compliance > Resource compliance tab > and look at the compliance reason details.

  • In my case the policy did not have the correct existenceCondition, so the evaluation expression kept failing. Providing the correct evaluation condition fixed it for me.

  • Note: check which resource/sub-resource type the policy's remediation task deploys under the effect. The condition is evaluated against that resource.

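An added example, not part of the question or the answer, that makes the answer's last note checkable offline: a small evaluator for the condition subset the posted definition uses, run over the existenceCondition from the question and the properties of the alert the policy's own deployment template creates. The helper names (evaluate, requires, EXISTENCE, POSTED_ALERT) and the summarised alias semantics are this example's assumptions, taken from the Azure Policy documentation for the [*] alias.

```python
# Added example, not from the post: an offline evaluator for the Azure Policy
# condition subset the question's definition uses (allOf, not, field, equals,
# notEquals, the [*] alias), to test a DeployIfNotExists existenceCondition
# against the resource its own deployment template creates. Assumptions, per
# the Azure Policy docs: "field [*] notEquals X" is true when no element equals
# X (so "not {notEquals}" means some element equals X); string comparison is
# case-insensitive; a missing property yields None.

def _norm(v):
    return v.lower() if isinstance(v, str) else v

def _select(value, segments):
    # Walk a path like condition.allOf[*].field; [*] fans out over the array.
    if not segments:
        return [value]
    seg, rest = segments[0], segments[1:]
    if seg.endswith("[*]"):
        items = value.get(seg[:-3], []) if isinstance(value, dict) else []
        return [v for item in items for v in _select(item, rest)]
    if not isinstance(value, dict) or seg not in value:
        return [None]
    return _select(value[seg], rest)

def evaluate(cond, props):
    if "allOf" in cond:
        return all(evaluate(c, props) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], props)
    # Strip the "Microsoft.Insights/ActivityLogAlerts/" type prefix, keep the path.
    values = _select(props, cond["field"].split("/", 2)[2].split("."))
    if "equals" in cond:
        return all(_norm(v) == _norm(cond["equals"]) for v in values)
    return all(_norm(v) != _norm(cond["notEquals"]) for v in values)

def requires(field_name, value):
    # One allOf group in the question's pattern: some alert condition entry has
    # this .field and some entry has this .equals value.
    base = "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]."
    return {"allOf": [{"not": {"field": base + "field", "notEquals": field_name}},
                      {"not": {"field": base + "equals", "notEquals": value}}]}

# The existenceCondition from the question, and (constructed from its template)
# the properties of the alert the policy deploys.
EXISTENCE = {"allOf": [
    requires("category", "Administrative"),
    requires("resourceType", "microsoft.network/networksecuritygroups"),
    requires("operationName", "Microsoft.Network/networkSecurityGroups/delete")]}
POSTED_ALERT = {"condition": {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName",
     "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"}]}}
```

Running evaluate(EXISTENCE, POSTED_ALERT) returns False because the deployed alert has no resourceType condition and a different operationName, which is exactly why the remediation-created resource never satisfies the existenceCondition; an alert whose condition entries mirror the three groups returns True.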

A related question about creating a DeployIfNotExists Azure Policy is on Stack Overflow: https://stackoverflow.com/questions/64514125/
