3

I am currently trying to understand Azure Policy. I think I have understood aliases, but I cannot figure out where to find the correct value for the field that the ExistenceCondition compares against.

  1. How is it different from the PolicyRule we apply?
  2. Should I keep the ExistenceCondition almost the same as the PolicyRule?

The policy rule I applied:

    "if":{
            "allOf":[
               {
                  "field":"type",
                  "equals":"Microsoft.Insights/metricalerts"
               },
               {
                  "field":"Microsoft.Insights/metricalerts/enabled",
                  "equals":"true"
               },
               {
                  "field":"Microsoft.Insights/metricalerts/actions[*]",
                  "less":"1"
               }
            ]
         }

3 Answers

2

ExistenceCondition and policyRule are opposite in their direction of control. In the policy rule, it only continues when the condition is true. The ExistenceCondition only continues when the condition is false. In the example below, the policyRule only filters storageAccounts and then continues. The deployment happens only if the condition is false (deleteRetentionPolicy.enabled == false), so it proceeds to the deployment. So once the deployment is complete, it will be deleteRetentionPolicy.enabled == true.

    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                    "field": "kind",
                    "in": [
                        "Storage",
                        "StorageV2",
                        "BlobStorage",
                        "BlockBlobStorage"
                    ]
                }
            ]
        },
        "then": {
            "effect": "DeployIfNotExists",
            "details": {
                "type": "Microsoft.Storage/storageAccounts/blobServices",
                "existenceCondition": {
                    "field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
                    "equals": true
                },
answered 2021-07-14T20:32:54.807
0

Look at this example:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/pattern-effect-details#sample-2-explanation

    "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
            "allOf": [
                {
                    "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                    "equals": "[parameters('publisher')]"
                },
                {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "[parameters('type')]"
                }
            ]
        }
    }

The existenceCondition uses policy language elements (such as logical operators) to determine whether a matching related resource exists. In this example, the value checked against each alias is defined in the parameters.

answered 2020-10-26T19:37:07.567
0

The ExistenceCondition only applies to policies with the AuditIfNotExists and DeployIfNotExists effects.

In the case of AuditIfNotExists:

"If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the audit."

In the case of DeployIfNotExists:

"If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the deployment."

Existing resources that do not match the ExistenceCondition will be marked as non-compliant. Resources filtered out by the PolicyRule will not be marked as non-compliant.

answered 2021-07-28T22:32:19.830
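The control flow described in the first answer (policyRule continues on true, existenceCondition fires the effect on false) and in the last answer (filtered-out resources are never flagged; resources with no matching related resource are non-compliant) can be traced with a small model. The following Python is an added example, not code from the question, any answer, or Azure Policy itself: it is a toy evaluator that supports only the operators needed here (`allOf`, `anyOf`, `not`, `equals`, `in`), resources are plain dicts keyed by alias, and every account in the inventory is constructed. The `remediate` step only models what the first answer says the deployment leaves behind.

```python
# Added example: a toy model of Azure Policy's AuditIfNotExists/DeployIfNotExists
# control flow. NOT the real policy engine; constructed for illustration only.

# The DeployIfNotExists rule from the first answer, as a Python literal.
POLICY = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "kind",
             "in": ["Storage", "StorageV2", "BlobStorage", "BlockBlobStorage"]},
        ]
    },
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "existenceCondition": {
                "field": "Microsoft.Storage/storageAccounts/blobServices/"
                         "default.deleteRetentionPolicy.enabled",
                "equals": True,
            },
        },
    },
}

CHILD_TYPE = POLICY["then"]["details"]["type"]
RETENTION_ALIAS = POLICY["then"]["details"]["existenceCondition"]["field"]


def evaluate_condition(condition, resource):
    """Evaluate a policy condition against one resource (dict of alias -> value)."""
    if "allOf" in condition:
        return all(evaluate_condition(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate_condition(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate_condition(condition["not"], resource)
    value = resource.get(condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "in" in condition:
        return value in condition["in"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource, related):
    """Return 'not applicable', 'compliant' or 'non-compliant' for one resource.

    The policyRule 'if' must be TRUE to continue; then the existenceCondition
    must be FALSE for every related resource for the audit/deploy to fire.
    """
    if not evaluate_condition(policy["if"], resource):
        return "not applicable"   # filtered out by policyRule: never flagged
    details = policy["then"]["details"]
    candidates = [r for r in related if r.get("type") == details["type"]]
    if any(evaluate_condition(details["existenceCondition"], r) for r in candidates):
        return "compliant"        # a matching related resource exists: satisfied
    return "non-compliant"        # nothing matched: audit raised / deployment runs


def remediate(related):
    """Model the deployment's result: a blobServices child with retention enabled."""
    kept = [r for r in related if r.get("type") != CHILD_TYPE]
    return kept + [{"type": CHILD_TYPE, RETENTION_ALIAS: True}]


def account(kind):
    return {"type": "Microsoft.Storage/storageAccounts", "kind": kind}


# Constructed inventory: name -> (resource, its child resources).
INVENTORY = {
    "sa-retention-on":  (account("StorageV2"), [{"type": CHILD_TYPE, RETENTION_ALIAS: True}]),
    "sa-retention-off": (account("StorageV2"), [{"type": CHILD_TYPE, RETENTION_ALIAS: False}]),
    "sa-no-blob-child": (account("BlobStorage"), []),
    "sa-file-only":     (account("FileStorage"), []),   # kind not in the policyRule list
    "vm-unrelated":     ({"type": "Microsoft.Compute/virtualMachines"}, []),
}


def evaluate_inventory(inventory=INVENTORY):
    return {name: evaluate(POLICY, res, rel) for name, (res, rel) in inventory.items()}


def evaluate_after_remediation(inventory=INVENTORY):
    """Re-evaluate after DeployIfNotExists has run on every non-compliant account."""
    fixed = {}
    for name, (res, rel) in inventory.items():
        if evaluate(POLICY, res, rel) == "non-compliant":
            rel = remediate(rel)
        fixed[name] = (res, rel)
    return evaluate_inventory(fixed)


if __name__ == "__main__":
    for name, verdict in evaluate_inventory().items():
        print(f"{name:18} {verdict}")
    print("after remediation:", evaluate_after_remediation())
```

Running it shows the two points side by side: `sa-file-only` and `vm-unrelated` are "not applicable" because the policyRule filtered them out, while `sa-retention-off` and `sa-no-blob-child` are "non-compliant" because no related resource satisfies the existenceCondition, and both become "compliant" once the deployment has created the child resource with retention enabled.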