2

我想创建一个自定义 Azure Policy JSON,它可以读取 Azure 资源并确保它遵循我们的标准化命名约定。例如,我正在尝试为虚拟机、云服务和 Redis 缓存设置它。

{
"if": {
    "allof": [
        {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
        },
        {
            "not": {
                "anyOf": [
                    {
                        "field": "name",
                        "match": "gz?????????#?##"
                    }
                ]
            }
        }
    ]
},
"then": {
    "effect": "[parameters('effect')]"
}

"if": {
    "allof": [
        {
            "field": "type",
            "equals": "Microsoft.ClassicCompute/domainNames"
        },
        {
            "not": {
                "anyOf": [
                    {
                        "field": "name",
                        "match": "GZ?-??????-??#-???-??????-###"
                    }
                ]
            }
        }
    ]
},
"then": {
    "effect": "[parameters('effect')]"
}

"if": {
    "allof": [
        {
            "field": "type",
            "equals": "Microsoft.Cache/Redis"
        },
        {
            "not": {
                "anyOf": [
                    {
                        "field": "name",
                        "match": "gz?????????#???###"
                    }
                ]
            }
        }
    ]
},
"then": {
    "effect": "[parameters('effect')]"
}

}

我不认为 Azure 允许有多个 IF,就像我尝试设置它的方式一样。我想要它做的是:

如果资源是 VM 并且不符合该约定,则进行审核。如果资源是云服务并且不符合该约定,则进行审核。如果资源是 Redis 缓存并且不符合该约定,则进行审计。

更新的 JSON

4

1 回答 1

3

您应该使用一个倡议(策略集定义)来组织多个这样的相关策略。这将比具有每种资源类型条件的单个策略定义更容易维护,并且允许您查看整个命名约定策略集和每个单独策略的合规性结果。

例如:

  "properties": {
    "displayName": "Naming conventions",
    "policyType": "Custom",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR VIRTUAL MACHINE NAMING CONVENTION POLICY ID>",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          }
        }
      },
      {
        "policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR DOMAIN NAME NAMING CONVENTION POLICY ID>",
        "parameters": {
          "effect": {
            "value": "[parameters('effect')]"
          }
        }
      }
    ]
  }
}

我不推荐它,但如果您必须在一个定义中组合多种类型,那么您可以使用anyOf,例如:

{
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
                "field": "name",
                "match": "gz?????????#?##"
            }
          }
        ]
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ClassicCompute/domainNames"
          },
          {
            "not": {
              "field": "name",
              "match": "GZ?-??????-??#-???-??????-###"
            }
          }
        ]
      }
    ]
  },
  "then" : {
    "effect" : "audit"
  }
}
于 2020-04-16T23:46:37.240 回答