
I need to create a policy assignment that blocks Key Vault deployments that do not have a privateEndpoint configured. I tested the built-in policy "[Preview]: Azure Key Vaults should use private link" with the "Audit" effect and it works fine.

But when I change the effect to "Deny", my deployment is blocked, because I am deploying the two resources (keyVault and privateEndpoint) separately. From what I understand of the documentation ( https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny ), the resource is evaluated before the request is sent to the resource provider. This means the policy knows nothing about the private endpoint (since it is a separate resource).

Has anyone run into a similar problem and managed to deal with it?

I am pasting my template below:

// Parameters assumed so the snippet deploys on its own (not part of the original post)
param kvName string
param location string = resourceGroup().location
param tenant string = subscription().tenantId
param subnetId string

resource keyVaultPrivateLink 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: kvName
  location: location
  properties: {
    enabledForTemplateDeployment: true
    tenantId: tenant
    enableRbacAuthorization: true
    enablePurgeProtection: true
    enableSoftDelete: true
    // Public network path locked down: only the listed subnet and trusted Azure services get through
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      virtualNetworkRules: [
        {
          id: subnetId
        }
      ]
    }
    sku: {
      name: 'standard'
      family: 'A'
    }
  }
}

// Separate resource: the vault's privateEndpointConnections are only populated
// after this endpoint is created and its connection is approved
resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-03-01' = {
  name: 'pewetkvwetprivatelink'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'kvwetprivatelink'
        properties: {
          privateLinkServiceId: keyVaultPrivateLink.id
          groupIds: [
            'vault'
          ]
        }
      }
    ]
  }
}

Error received:

{
    "error": {
        "code": "InvalidTemplateDeployment",
        "message": "The template deployment failed because of policy violation. Please see details for more information.",
        "details": [
            {
                "code": "RequestDisallowedByPolicy",
                "target": "keyVault-name",
                "message": "Resource 'kvwetprivatelink' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Audit KeyVault Initiative\",\"id\":\"/subscriptions/***/providers/Microsoft.Authorization/policyAssignments/Audit KeyVault Initiative\"},\"policyDefinition\":{\"name\":\"[Preview]: Azure Key Vaults should use private link\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9\"},\"policySetDefinition\":{\"name\":\"Audit KeyVault Initiative\",\"id\":\"/subscriptions/***/providers/Microsoft.Authorization/policySetDefinitions/Audit KeyVault Initiative\"}}]'.",
                "additionalInfo": [
                    {
                        "type": "PolicyViolation",
                        "info": {
                            "policyDefinitionDisplayName": "[Preview]: Azure Key Vaults should use private link",
                            "policySetDefinitionDisplayName": "Audit KeyVault Initiative",
                            "evaluationDetails": {
                                "evaluatedExpressions": [
                                    {
                                        "result": "True",
                                        "expressionKind": "Field",
                                        "expression": "type",
                                        "path": "type",
                                        "expressionValue": "Microsoft.KeyVault/vaults",
                                        "targetValue": "Microsoft.KeyVault/vaults",
                                        "operator": "Equals"
                                    },
                                    {
                                        "result": "True",
                                        "expressionKind": "Count",
                                        "expression": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]",
                                        "path": "properties.privateEndpointConnections[*]",
                                        "expressionValue": 0,
                                        "targetValue": 1,
                                        "operator": "Less"
                                    }
                                ]
                            },
                            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
                            "policySetDefinitionId": "/subscriptions/***/providers/Microsoft.Authorization/policySetDefinitions/Audit KeyVault Initiative",
                            "policyDefinitionReferenceId": "[[Preview]: Azure Key Vaults should use private link",
                            "policySetDefinitionName": "Audit KeyVault Initiative",
                            "policyDefinitionName": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
                            "policyDefinitionEffect": "Deny",
                            "policyAssignmentId": "/subscriptions/***/providers/Microsoft.Authorization/policyAssignments/Audit KeyVault Initiative",
                            "policyAssignmentName": "Audit KeyVault Initiative",
                            "policyAssignmentDisplayName": "Audit KeyVault Initiative",
                            "policyAssignmentScope": "/subscriptions/***"
                        }
                    }
                ]
            }
        ]
    }
}

And the policy definition:

{
  "properties": {
    "displayName": "[Preview]: Azure Key Vaults should use private link",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "count": {
              "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]",
              "where": {
                "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
                "equals": "Approved"
              }
            },
            "less": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9"
}

1 Answer


To clear up the confusion here, according to the Microsoft documentation you shared, it says:

Deny blocks the request before it is sent to the Resource Provider when creating or updating a matched resource in Resource Manager mode. The request is returned as a 403 (Forbidden).

This means that you cannot create the KeyVault and the Private Endpoint in the same template if the effect is set to Deny. The effect should be Audit for the policy to work correctly.

I tested it using the portal and it behaves the same as the template:

Scenario 1: Effect: Deny

Even if I add a private endpoint while deploying the Key Vault, validation fails.

Scenario 2: Effect: Audit

Even though validation passes, I tried creating a key vault without a private endpoint and it fails against the policy after clicking Create.

If I create it with a private endpoint, it deploys successfully.

answered 2021-09-29T17:54:09.500
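The following is an added example, not code from the question, the answer, or Azure itself. It re-implements the `if` rule of the policy definition quoted in the question (the `allOf` / `field` / `count` + `where` / `less` subset only) and runs it against constructed vault bodies to show why Deny fires at PUT time while the same vault passes an Audit scan later: the PUT body of a vault never contains `privateEndpointConnections`, because those are populated by the separately created private endpoint. The `ALIASES` mapping is an assumption: the count alias path matches the `path` in the error's `evaluatedExpressions`, and the nested status path is inferred from the ARM body layout. The sample bodies are constructed, not captured from a deployment.

```python
"""Added example: a minimal evaluator for the 'if' rule of built-in policy
a6abeaec-4d90-4a02-805f-6b26c4d3fbe9, to show what Deny sees at create time."""

# The rule, copied from the policy definition in the question.
POLICY_RULE = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
        {
            "count": {
                "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]",
                "where": {
                    "field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]"
                             ".privateLinkServiceConnectionState.status",
                    "equals": "Approved",
                },
            },
            "less": 1,
        },
    ]
}

# Assumed alias -> JSON path mapping (the first matches the 'path' in the error's
# evaluatedExpressions; the nested one is inferred from the ARM body layout).
ALIASES = {
    "Microsoft.KeyVault/vaults/privateEndpointConnections[*]":
        "properties.privateEndpointConnections[*]",
    "Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status":
        "properties.privateEndpointConnections[*].properties.privateLinkServiceConnectionState.status",
}


def resolve(node, path):
    """Walk a dotted path through dicts; a '[*]' segment fans out across a list.
    Returns the list of values found (empty when the path is absent)."""
    current = [node]
    for segment in path.split("."):
        fan_out = segment.endswith("[*]")
        key = segment[:-3] if fan_out else segment
        nxt = []
        for item in current:
            if isinstance(item, dict) and key in item:
                value = item[key]
                nxt.extend(value if isinstance(value, list) else []) if fan_out else nxt.append(value)
        current = nxt
    return current


def evaluate(condition, resource, trace):
    """Evaluate one condition against a resource body and append an
    evaluatedExpressions-style record to trace for each leaf expression."""
    if "allOf" in condition:
        results = [evaluate(c, resource, trace) for c in condition["allOf"]]  # no short-circuit: trace every leaf
        return all(results)
    if "count" in condition:
        spec = condition["count"]
        array_path = ALIASES.get(spec["field"], spec["field"])
        items = resolve(resource, array_path)
        if "where" in spec:
            where = spec["where"]
            # The where-field is evaluated per array element, so make its path relative to one element.
            rel_path = ALIASES.get(where["field"], where["field"])[len(array_path) + 1:]
            items = [i for i in items if evaluate(dict(where, field=rel_path), i, [])]
        n, target = len(items), condition["less"]
        result = n < target
        trace.append({"expressionKind": "Count", "expression": spec["field"], "expressionValue": n,
                      "targetValue": target, "operator": "Less", "result": result})
        return result
    if "field" in condition:
        values = resolve(resource, ALIASES.get(condition["field"], condition["field"]))
        value = values[0] if values else None
        result = value == condition["equals"]
        trace.append({"expressionKind": "Field", "expression": condition["field"], "expressionValue": value,
                      "targetValue": condition["equals"], "operator": "Equals", "result": result})
        return result
    raise ValueError(f"unsupported condition: {condition}")


def decide(resource, effect):
    """A matching 'if' means non-compliant: return the configured effect ('Deny' or 'Audit')
    plus the evaluation trace; otherwise 'Compliant'."""
    trace = []
    return (effect if evaluate(POLICY_RULE, resource, trace) else "Compliant"), trace


# Constructed sample bodies (not from a live deployment).
# 1. The PUT body the policy sees at Deny time: the endpoint is a separate resource,
#    so the vault body carries no privateEndpointConnections at all.
VAULT_PUT_BODY = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kvwetprivatelink",
    "properties": {"enableRbacAuthorization": True,
                   "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"}},
}
# 2. The same vault read back once the endpoint exists and its connection is approved (what an Audit scan sees).
VAULT_WITH_APPROVED_PE = {
    "type": "Microsoft.KeyVault/vaults", "name": "kvwetprivatelink",
    "properties": {"privateEndpointConnections": [
        {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]},
}
# 3. An endpoint whose connection is still Pending does not satisfy the 'where' clause.
VAULT_WITH_PENDING_PE = {
    "type": "Microsoft.KeyVault/vaults", "name": "kvwetprivatelink",
    "properties": {"privateEndpointConnections": [
        {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}]},
}

if __name__ == "__main__":
    for label, body in [("PUT body at create time", VAULT_PUT_BODY),
                        ("after approved PE", VAULT_WITH_APPROVED_PE),
                        ("after pending PE", VAULT_WITH_PENDING_PE)]:
        effect, trace = decide(body, "Deny")
        print(f"{label}: {effect}")
        for record in trace:
            print("   ", record)
```

Running the block reproduces the `Count` expression from the error in the question (`expressionValue` 0, `targetValue` 1, operator `Less`) for the PUT body, which is why Deny rejects the vault regardless of the private endpoint declared next to it in the template, and shows the same vault passing once an approved connection is present.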