使用 Terraform 在 Azure 中拒绝创建储蓄计划并设置政策违规警报

问题描述 投票:0回答:1

使用 Terraform,我想拒绝在单一 Prod 订阅之外创建储蓄计划,并在每次尝试时收到一封电子邮件。我们在不同管理组的租户中拥有超过 10 个订阅。

这就是我的想法:

  1. 创建一个自定义 Azure 策略,拒绝在 Prod 订阅之外创建 Savings Plan。
  2. 为每个订阅创建诊断设置,以跟踪何时发生策略拒绝,并将其发送到产品订阅中的 Log Analytics 工作区。对于这个在 non_prod 订阅中进行测试的示例。
  3. 创建计划查询警报以在 Log Analytics 中运行查询以拉取拒绝事件(例如,当触发策略时)
  4. 设置操作组以发送包含通过查询警报提取的日志的电子邮件通知。

这是我到目前为止所拥有的:

仅供参考,我从 Azure 文档 获得了储蓄计划类型。不保证100%正确,欢迎指出正确的。

限制储蓄计划创建的自定义策略:

resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <<POLICY
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Billing billingAccounts/savingsPlanOrders/savingsPlans"//Not sure if this is correct
        },
        {
          "value": "[subscription().Id]", //Kinda iffy about this
          "notEquals": "Prod-subscription-id"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
  POLICY
}

用于捕获非产品中的活动日志以进行测试的诊断设置:

resource "azurerm_monitor_diagnostic_setting" "Non_Prod_subscription" {
  name               = "Non_Prod-log-analytics"
  target_resource_id = "/subscriptions/Prod_subscription_id"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  logs {
    category = "Administrative"
    enabled  = true
  }
}

电子邮件通知操作组:

resource "azurerm_monitor_action_group" "Non_Prod_email_action_group" {
  name                = "email-action-group"
  resource_group_name = "Non_Prod-resource-group"
  short_name          = "emailgroup"

  email_receiver {
    name          = "AdminEmail"
    email_address = "[email protected]"
    use_common_alert_schema = true
  }
}

计划查询警报以拉动策略拒绝:

resource "azurerm_monitor_scheduled_query_rules_alert" "SavingsPlan_policy_violation_alert" {
  name                = "SavingsPlanPolicyViolationAlert"
  resource_group_name = "Non_prodRG"
  location            = "eastus"
  data_source_id      = azurerm_monitor_diagnostic_setting.Non_Prod_subscription.log_analytics_workspace_id

  description = "Alert for policy violations across all subscriptions"
  enabled     = true

  query = <<-QUERY
    AzureActivity
    | where Category == "Policy"
    | where OperationNameValue == "Microsoft.Authorization/policies/audit/action"
    | where ActivityStatusValue == "Failed"
    | where Properties contains "Request disallowed by policy"
    | summarize Count = count() by SubscriptionId
  QUERY

  severity    = 2
  frequency   = "60"
  time_window = "60"

  trigger {
    operator  = "GreaterThan"
    threshold = 1
  }

  action {
    action_group  = [azurerm_monitor_action_group.Non_Prod_email_action_group.id]
    email_subject = "Alert: Savings Plan Policy Violation Detected"
  }
}

目前,储蓄计划的创建并没有被拒绝,我也没有收到电子邮件。如果有人可以提供有关此代码的反馈,我将不胜感激。

azure logging terraform alert azure-policy
1个回答
0
投票

根据要求,给定的 terraform 代码和结构看起来都不错。对您的代码进行了很少的调整,例如计费提供商的资源类型以及与监控规则相关的调整,如下所示。

provider "azurerm"{
features{}
subscription_id = "b4xxxx14"
}
resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <<POLICY
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Billing/billingAccounts/savingsPlanOrders" 
        },
        {
          "value": "f7bxxxx32b014",
          "notEquals": "Prod-subscription-id"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
  POLICY
}

data "azurerm_log_analytics_workspace" "example"{
name = "Customlogsws"
resource_group_name = "Jahnavi"
}
resource "azurerm_monitor_diagnostic_setting" "Non_Prod_subscription" {
  name               = "Non_Prod-log-analytics"
  target_resource_id = "/subscriptions/xxxxx" #Provide Nonproduction subscriptionID here
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.example.id

  enabled_log {
    category = "Administrative"
  }
}

resource "azurerm_monitor_action_group" "Non_Prod_email_action_group" {
  name                = "email-action-group"
  resource_group_name = "Jahnavi"
  short_name          = "emailgroup"

  email_receiver {
    name          = "AdminEmail"
    email_address = "[email protected]"
    use_common_alert_schema = true
  }
}
resource "azurerm_monitor_scheduled_query_rules_alert" "SavingsPlan_policy_violation_alert" {
  name                = "SavingsPlanPolicyViolationAlert"
  resource_group_name = "Jahnavi"
  location            = "WestUS"
  data_source_id      = azurerm_monitor_diagnostic_setting.Non_Prod_subscription.log_analytics_workspace_id

  description = "Alert for policy violations across all subscriptions"
  enabled     = true

  query = <<-QUERY
    AzureActivity
    | where Category == "Policy"
    | where OperationNameValue == "Microsoft.Authorization/policies/audit/action"
    | where ActivityStatusValue == "Failed"
    | where Properties contains "Request disallowed by policy"
    | summarize Count = count() by SubscriptionId
  QUERY

  severity    = 2
  frequency   = "60"
  time_window = "60"

  trigger {
    operator  = "GreaterThan"
    threshold = 1
  }

  action {
    action_group  = [azurerm_monitor_action_group.Non_Prod_email_action_group.id]
    email_subject = "Alert: Savings Plan Policy Violation Detected"
  }
}

输出

enter image description here

enter image description here

enter image description here

enter image description here

最新问题
© www.soinside.com 2019 - 2025. All rights reserved.