我正在尝试开发一个 Azure Policy (json),以确保对于启用了审核的给定 SQL Server(无需检查),保留天数已设置为大于 X 的值(假设在我的情况下为 90 天) .
我尝试使用deployIfNotExists
效果,existenceCondition
在场retentionDays
(大于 90)。在该deployment
部分中,我将字段设置为 365。
我将策略分配给一个资源组,其中我有一个审计和保留天数等于 20 的 SQL Server。
但是,该策略仍显示为“合规”,并且保留天数保持不变。这是代码:
"if": {
"field": "type",
"equals": "Microsoft.Sql/servers"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Sql/servers/auditingSettings",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX"
],
"existenceCondition": {
"field": "Microsoft.Sql/servers/auditingSettings/retentionDays",
"greater": "90"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "string"
},
"location": {
"type": "string"
},
"retentionDays": {
"type": "string"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.Sql/servers/auditingSettings",
"apiVersion": "2017-03-01-preview",
"name": "[concat(parameters('resourceName'), '/Default')]",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"retentionDays": "[parameters('retentionDays')]"
}
}],
"outputs": {}
},
"parameters": {
"location": {
"value": "[field('location')]"
},
"resourceName": {
"value": "[field('name')]"
},
"retentionDays": {
"value": "365"
}
}
}
}
}
}
我想知道我是否在正确的地方使用了正确的别名。有什么线索吗?
谢谢!