有没有一种方法可以拒绝创建未定义网络规则的Web应用程序

问题描述 投票:0回答:1

我正在尝试拒绝创建未定义网络规则的Web应用程序。

我正在尝试为此使用Azure策略,但是无法使该策略正常工作。我已经确定了在Azure中保存配置的策略别名:

Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].vnetSubnetResourceId
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].vnetTrafficTag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].subnetTrafficTag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].tag
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].priority
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].name
Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].description
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].ipAddress
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].subnetMask
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].vnetSubnetResourceId
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].vnetTrafficTag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].subnetTrafficTag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].action
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].tag
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].priority
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].name
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*].description                  
Microsoft.Web/sites/config/web.scmIpSecurityRestrictions[*]

但是我拥有的部落政策无效,这是最新的迭代:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "not": {
            "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action",
            "equals": "deny"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

我正在尝试在数组中查找“拒绝”操作,如果定义了该操作,则无需执行任何操作,否则拒绝。但是该政策无济于事,无论有没有网络规则,我都可以部署Web应用。

azure policy azure-policy
1个回答
0
投票

在Azure顶级资源中,建模为较小的微资源,它们可以协同工作并创建功能性最终资源。在您的情况下,网站将属于Microsft.Web / sites微资源类型,但是配置将处于另一种称为Microsoft.Web / sites / config的微资源类型。

Azure策略仅在您使用单一微资源类型时才有帮助。微型资源类型是异步部署和创建的,因此目前无法拒绝任何一种。

您可以使用auditIfNotExists编写类似的策略,该策略具有根据另一个资源的属性来审计微资源的能力。

PS:我在这里构成微资源术语以清楚地传达问题,在Azure中,每个定义为resource

签出auditIfNotExist文档:https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#auditifnotexists

您的解决方案看起来与此类似(未经测试)

{
"if": {
    "field": "type",
    "equals": "Microsoft.Web/sites"
},
"then": {
    "effect": "auditIfNotExists",
    "details": {
        "type": "Microsoft.Web/sites/config",
        "existenceCondition": {
            {
                "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].action",
                "equals": "deny"
            }
        }
    }
}

}

最新问题
© www.soinside.com 2019 - 2025. All rights reserved.