How to fix an Azure Policy for Storage Account retention policy that flags no resources
I am using the code below to monitor the retention policy on storage accounts. My aliases seem to be correct, but when I look at the Compliance report it shows "100% compliant, 0 out of 0". The versioning and private link policies have the same problem. I have storage account policies similar to these, and they actually return the number of targeted storage accounts; the only difference is that they do not reference the Blob service alias the way this one does. Thanks for any answers.
# Custom definition: flag storage accounts whose Blob service does not have
# versioning enabled. The alias used in the "not" condition lives under the
# blobServices child resource, not the storage account itself.
resource "azurerm_policy_definition" "sa-ensure-versioning-enabled-policy" {
  name         = "sa-ensure-versioning-enabled-policy-definition"
  policy_type  = "Custom"
  mode         = "All"
  #management_group_name = var.management_group_name
  display_name = "Ensure versioning enabled policy"

  metadata = <<METADATA
{
  "version": "1.0.0",
  "category": "Storage"
}
METADATA

  policy_rule = <<POLICY_RULE
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "not": {
          "field": "Microsoft.Storage/storageAccounts/blobServices/default.isVersioningEnabled",
          "equals": "true"
        }
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
POLICY_RULE

  parameters = <<PARAMETERS
{
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disabled' turns off the policy."
    },
    "allowedValues": [
      "audit",
      "deny",
      "disabled"
    ],
    "defaultValue": "audit"
  }
}
PARAMETERS
}

# Assign the definition at subscription scope in audit mode.
# (azurerm_policy_assignment is the azurerm 2.x resource; provider 3.x
# replaces it with azurerm_subscription_policy_assignment and friends.)
resource "azurerm_policy_assignment" "sa-ensure-versioning-enabled-policy-assignment" {
  name                 = "sa-ensure-versioning-enabled-policy-assignment"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.sa-ensure-versioning-enabled-policy.id
  description          = "Storage Account ensure blob versioning is enabled."
  display_name         = "Ensure versioning enabled policy"

  parameters = <<PARAMETERS
{
  "effect": {
    "value": "audit"
  }
}
PARAMETERS
}
Solution
This appears to be a bug in Azure, documented here: https://github.com/Azure/azure-policy/issues/377. Apparently Microsoft.Storage/storageAccounts/blobServices is not working yet. The ETA for a fix was September 2020, but that date, like the ones before it, has come and gone.
Any policy that involves Microsoft.Storage/storageAccounts/blobServices (delete retention, versioning, etc.) should also work using the code below. This now works with the following policy:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Storage/storageAccounts/blobServices",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "existenceCondition": {
          "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
          "equals": "true"
        }
      }
    }
  },
  "parameters": {}
}
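The answer above gives the working pattern as raw policy JSON for delete retention only. The following is an added example, not code from the asker or the answerer, that puts the same auditIfNotExists pattern back into the Terraform shape the question started from and covers both Blob service settings the question mentioned (versioning and delete retention) from one definition. It assumes the azurerm provider 3.x (hence azurerm_subscription_policy_assignment rather than the older azurerm_policy_assignment), an existing data.azurerm_subscription.current, and the local/resource names are made up here. Two caveats a practitioner should keep in mind: auditIfNotExists can only audit, so the "deny" option from the original parameter set is not available with this pattern, and roleDefinitionIds is only required for deployIfNotExists/modify, so it is left out of the audit-only rule below.

```hcl
# Added example: auditIfNotExists against the blobServices child resource,
# generated for each Blob service alias we want to check.
locals {
  # Map of check name -> alias on Microsoft.Storage/storageAccounts/blobServices
  # that must be true for the storage account to count as compliant.
  # (Constructed for this example; extend with more aliases as needed.)
  blob_checks = {
    versioning = {
      display = "Audit storage accounts without blob versioning"
      field   = "Microsoft.Storage/storageAccounts/blobServices/isVersioningEnabled"
    }
    delete_retention = {
      display = "Audit storage accounts without blob soft delete"
      field   = "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled"
    }
  }
}

resource "azurerm_policy_definition" "blob_service_audit" {
  for_each = local.blob_checks

  name         = "sa-blob-${each.key}-auditifnotexists"
  policy_type  = "Custom"
  mode         = "All"
  display_name = each.value.display

  metadata = jsonencode({
    version  = "1.0.0"
    category = "Storage"
  })

  # "if" selects the parent storage account; "then" looks for a blobServices
  # child whose alias is true. If no child matches the existenceCondition the
  # account is reported non-compliant, so the compliance report now shows a
  # real resource count instead of "0 out of 0".
  policy_rule = jsonencode({
    if = {
      field  = "type"
      equals = "Microsoft.Storage/storageAccounts"
    }
    then = {
      effect = "auditIfNotExists"
      details = {
        type = "Microsoft.Storage/storageAccounts/blobServices"
        # roleDefinitionIds deliberately omitted: only deployIfNotExists and
        # modify need a role to act with; auditIfNotExists never remediates.
        existenceCondition = {
          field  = each.value.field
          equals = "true"
        }
      }
    }
  })
}

# One subscription-scope assignment per generated definition.
resource "azurerm_subscription_policy_assignment" "blob_service_audit" {
  for_each = azurerm_policy_definition.blob_service_audit

  name                 = "${each.key}-blob-audit"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = each.value.id
  display_name         = each.value.display_name
  description          = "Audit-only check of the Blob service ${each.key} setting."
}
```

After `terraform apply`, trigger an on-demand scan (for example `az policy state trigger-scan`) rather than waiting for the periodic evaluation; the compliance view should then list every storage account in the subscription under each of the two assignments, with accounts whose Blob service lacks the setting marked non-compliant.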