1

尝试创建一个 DeployIfNotExists 策略,该策略将自动在所有密钥保管库上设置“networkACLs”属性,但在与该策略斗争了几周后,我决定尝试操作一个更简单的布尔属性而不是复杂的对象属性。我选择的属性是“enabledForDeployment”。该策略确实可以正确找到不合规的密钥保管库,但部署不起作用。

一旦我让这个“简单”策略生效,我将返回并尝试将“networkACLs”属性设置为以下内容:

"networkAcls": {
    "defaultAction": "Deny",
    "bypass": "None",
    "ipRules": [
        {"value": "1.1.1.0/24"},
        {"value":"2.2.2.0/24"}
    ],
    "virtualNetworkRules": []
}

政策代码如下...

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults"
        },
        {
          "not": {
            "field": "Microsoft.KeyVault/vaults/enabledForDeployment",
            "equals": true
          }
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.KeyVault/vaults",
        "name": "[field('name')]",
        "existenceCondition": {
          "field": "Microsoft.KeyVault/vaults/enabledForDeployment",
          "equals": "true"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "location": "[field('location')]",
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "Name": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.KeyVault/vaults",
                  "apiVersion": "2018-02-14",
                  "name": "[parameters('Name')]",
                  "location": "[parameters('location')]",
                  "properties": {
                    "enabledForDeployment": true
                  }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "done"
                }
              }
            },
            "parameters": {
              "location": {
                "value": "[field('location')]"
              },
              "Name": {
                "value": "[field('name')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

我目前收到“internalServerError”消息。有任何想法吗?

4

2 回答 2

1

@Kemley 你是对的。我的 ARM 模板不正确。它缺少一些必填字段(Sku、访问策略等)。如果设置了默认网络允许所有,则以下是更新 NetworkACL 的最终策略。

{
  "properties": {
    "displayName": "Vzn Deploy Key Vault NetworkAcls defaultAction",
    "policyType": "Custom",
    "mode": "All",
    "description": "Removes the default allow all networks.  Manually sets 2 firewall rules",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KeyVault/vaults",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "existenceCondition": {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "equals": "Deny"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "keyvaultname": {
                    "type": "string"
                  },
                  "locationname": {
                    "type": "string"
                  },
                  "skuname": {
                    "type": "string"
                  },
                  "accessPoliciesname": {
                    "type": "array"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('keyvaultname')]",
                    "location": "[parameters('locationname')]",
                    "type": "Microsoft.KeyVault/vaults",
                    "apiVersion": "2018-02-14",
                    "properties": {
                      "tenantId": "be42d65b-eb64-4a64-8aa3-ae47eef3af3e",
                      "accessPolicies": "[parameters('accessPoliciesname')]",
                      "sku": {
                        "name": "[parameters('skuname')]",
                        "family": "A"
                      },
                      "networkAcls": {
                        "defaultAction": "Deny",
                        "bypass": "None",
                        "ipRules": [
                          {
                            "value": "1.2.3.0/27"
                          },
                          {
                            "value": "1.5.6.0/24"
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "keyvaultname": {
                  "value": "[field('name')]"
                },
                "locationname": {
                  "value": "[field('location')]"
                },
                "skuname": {
                  "value": "[field('Microsoft.KeyVault/vaults/sku.name')]"
                },
                "accessPoliciesname": {
                  "value": "[field('Microsoft.KeyVault/vaults/accessPolicies')]"
                }
              }
            }
          },
          "name": "[field('name')]"
        }
      }
    }
  }
}
于 2019-12-13T00:14:40.733 回答
0

我建议检查您的 ARM 模板以确保它是正确的。有时,当您使用导出模板功能时,ARM 模板可能在未经测试的情况下无法工作。如果您对 ARM 模板有疑问,我会将您的问题转给他们

于 2019-12-11T22:46:59.367 回答