0

在 Azure 中,我有一个 NSG 规则配置如下:

在此处输入图像描述

我正在尝试编写 Azure 策略,以审核源 IP 地址/CIDR 范围是否设置不正确。

该值应始终完全等于:192.168.0.0/24,192.168.1.0/24。

如果不是那个确切的值,它应该审计。

这是我写的定义:

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Network/networkSecurityGroups"
            },
            {
                "field": "name",
                "like": "jeffweb2-dr-sm-nsg"
            },
            {
                "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                    "where": {
                        "allOf": [
                            {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
                                "equals": "SQL"
                            },
                            {
                                "anyof": [
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                                        "notEquals": [
                                            "192.168.0.0/24",
                                            "192.168.1.0/24"
                                        ]
                                    }
                                ]
                            }
                        ]
                    }
                },
                "greater": 0
            }
        ]
    },
    "then": {
        "effect": "audit"
    }
}

但是当试图用这个 json 创建定义时,我得到了错误:

New-AzPolicyDefinition : InvalidPolicyRule : Failed to parse policy rule: 'Error reading string. Unexpected token: StartArray. Path 'notEquals'.'.

问题:如何将多个 CIDR 范围传递给 notEquals,我相信这是我的问题。

4

1 回答 1

0

您可以使用notIn条件代替notEquals来检查数组中的值。notIn可以正常工作,因为它需要一个数组,您可以摆脱上述错误。

{
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/networkSecurityGroups"
                },
                {
                    "field": "name",
                    "like": "jeffweb2-dr-sm-nsg"
                },
                {
                    "count": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                        "where": {
                            "allOf": [
                                {
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
                                    "equals": "SQL"
                                },
                                {
                                    "anyof": [
                                        {
                                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                                            "notIn": [
                                                "192.168.0.0/24",
                                                "192.168.1.0/24"
                                            ]
                                        }
                                    ]
                                }
                            ]
                        }
                    },
                    "greater": 0
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
于 2020-05-08T15:18:13.383 回答