0

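I am trying to develop an Azure Policy (JSON) to ensure that, for a given SQL Server that has auditing enabled (no need to check that), the retention days are set to a value greater than X (say 90 days in my case).

I tried using the deployIfNotExists effect, with the existenceCondition on the retentionDays field (greater than 90). In the deployment section, I set the field to 365.

I assigned the policy to a resource group in which I have a SQL Server with auditing and retention days equal to 20.

However, the policy still shows as "compliant" and the retention days remain unchanged. Here is the code: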

  "if": {
    "field": "type",
    "equals": "Microsoft.Sql/servers"
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Sql/servers/auditingSettings",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX"
      ],
      "existenceCondition": {
        "field": "Microsoft.Sql/servers/auditingSettings/retentionDays",
        "greater": "90"
      },
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "resourceName": {
                "type": "string"
              },
              "location": {
                "type": "string"
              },
              "retentionDays": {
                "type": "string"
              }
            },
            "variables": {},
            "resources": [{
              "type": "Microsoft.Sql/servers/auditingSettings",
              "apiVersion": "2017-03-01-preview",
              "name": "[concat(parameters('resourceName'), '/Default')]",
              "location": "[parameters('location')]",
              "dependsOn": [],
              "properties": {
                "retentionDays": "[parameters('retentionDays')]"
              }
            }],
            "outputs": {}
          },
          "parameters": {
            "location": {
              "value": "[field('location')]"
            },
            "resourceName": {
              "value": "[field('name')]"
            },
            "retentionDays": {
              "value": "365"
            }
          }
        }
      }
    }
}

I wonder whether I am using the right alias in the right place. Any clue?

Thanks!

4

1 Answer

1

Here is my working code!!!!

{
  "properties": {
    "displayName": "deploy-sql-db-backupshorttermretentionpolicies",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deploy If Not Exists backupshorttermretentionpolicies",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "retentionDays": {
        "type": "String",
        "metadata": {
          "displayName": "Retention Days",
          "description": "Set the number of Backup Retention Days."
        },
        "defaultValue": "35"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
          "name": "default",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/####"
          ],
          "existenceCondition": {
            "field": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies/retentionDays",
            "equals": "[parameters('retentionDays')]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  },
                  "shortTermRetention": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "name": "[concat(parameters('serverName'),'/default')]",
                    "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
                    "apiVersion": "2017-10-01-preview",
                    "properties": {
                      "retentionDays": "[parameters('shortTermRetention')]"
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                  "value": "[field('fullname')]"
                },
                "shortTermRetention": {
                  "value": "[parameters('retentionDays')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
Answered 2019-10-08T17:40:47.507
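
Added example, not code from the question or the answer: a small Python lint that checks the internal consistency of a deployIfNotExists rule shaped like the one in the question (the alias sits under details.type, the template parameters match the values passed in, and the value the remediation writes satisfies the existenceCondition). The names `question_rule` and `lint_dine` are hypothetical and the integer comparison is an assumption of this local model; it checks structure only and does not reproduce the Azure Policy compliance evaluation.

```python
import operator
import re

# Local model of three numeric operators; this is not the Azure Policy engine.
OPS = {"greater": operator.gt, "greaterOrEquals": operator.ge, "equals": operator.eq}

def question_rule(deployed="365", threshold="90"):
    """The question's rule, condensed; the arguments build constructed variants."""
    aud = "Microsoft.Sql/servers/auditingSettings"
    return {"if": {"field": "type", "equals": "Microsoft.Sql/servers"},
            "then": {"effect": "deployIfNotExists", "details": {
                "type": aud,
                "existenceCondition": {"field": aud + "/retentionDays", "greater": threshold},
                "deployment": {"properties": {
                    "template": {
                        "parameters": {"resourceName": {}, "location": {}, "retentionDays": {}},
                        "resources": [{"type": aud, "properties": {
                            "retentionDays": "[parameters('retentionDays')]"}}]},
                    "parameters": {"resourceName": {"value": "[field('name')]"},
                                   "location": {"value": "[field('location')]"},
                                   "retentionDays": {"value": deployed}}}}}}}

def lint_dine(rule):
    """Return consistency findings for a deployIfNotExists rule (hypothetical helper)."""
    out = []
    details = rule["then"]["details"]
    cond, dep = details["existenceCondition"], details["deployment"]["properties"]
    # 1. The alias being checked must belong to the related type in details.type.
    if not cond["field"].lower().startswith(details["type"].lower() + "/"):
        out.append("alias not under details.type")
    # 2. Parameters declared by the template must match the values handed to it.
    diff = set(dep["template"].get("parameters", {})) ^ set(dep.get("parameters", {}))
    if diff:
        out.append("parameter mismatch: " + ", ".join(sorted(diff)))
    # 3. The template must set the property that existenceCondition inspects.
    prop = cond["field"].rsplit("/", 1)[1]
    res = [r for r in dep["template"]["resources"] if r["type"].lower() == details["type"].lower()]
    if not res or prop not in res[0].get("properties", {}):
        return out + ["template does not set " + prop]
    # 4. The deployed value must satisfy the condition (literal integers only here).
    value = str(res[0]["properties"][prop])
    ref = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
    if ref:
        value = str(dep.get("parameters", {}).get(ref.group(1), {}).get("value", value))
    op = next((k for k in cond if k in OPS), None)
    if op and value.isdigit() and str(cond[op]).isdigit():
        if not OPS[op](int(value), int(cond[op])):
            out.append("deployed %s=%s fails '%s %s'" % (prop, value, op, cond[op]))
    return out
```

The question's rule passes all four checks; a constructed variant that deploys 30 days against a "greater 90" condition is reported, because such a resource would still fail the existenceCondition after remediation.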