我试图拒绝在 azure 中创建未定义网络规则的 Web 应用程序。
我正在尝试为此使用 Azure Policy,但无法使该策略生效。我已经确定了在 Azure 中保存配置的策略别名:
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].vnetSubnetResourceId
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].vnetTrafficTag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].subnetTrafficTag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].tag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].priority
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].name
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].description
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].ipAddress
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].subnetMask
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].vnetSubnetResourceId
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].vnetTrafficTag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].subnetTrafficTag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].action
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].tag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].priority
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].name
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].description
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*]
但是我的策略不起作用,这是最新的迭代:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites"
},
{
"not": {
"field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action",
"equals": "deny"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
我正在尝试在数组中查找“拒绝”操作,如果已定义,则不需要任何操作,否则拒绝。但是该策略什么也没做,我可以在有或没有网络规则的情况下部署 Web 应用程序。