Azure Policy 存储 blobServices/tableServices/queueServices 诊断日志记录
Posted
技术标签:
【中文标题】Azure Policy 存储 blobServices/tableServices/queueServices 诊断日志记录【英文标题】:Azure Policy Storage blobServices/tableServices/queueServices Diagnostic Logging 【发布时间】:2021-12-24 11:06:15 【问题描述】:无法使用可用的策略,因为它只检查存储帐户而不是服务,例如。如果我在存储帐户上启用了诊断,但没有在 blobservices 上启用它,它仍然报告合规
https://github.com/Azure/azure-policy/blob/bbfc60104c2c5b7fa6dd5b784b5d4713ddd55218/built-in-policies/policyDefinitions/Storage/DataConnectorsStorageAccounts%20_PolicyAssignment.json
因此修改了策略,仅将“模式”设置为“全部”并输入:“Microsoft.Storage/StorageAccounts/blobServices”
但在不合规资源的合规性报告中,所有名称都作为默认值返回,因此补救模板失败。我们如何将 storageaccountname 传递给诊断部署
【问题讨论】:
Hello @user14173614,Configure diagnostic settings for storage accounts to Log Analytics workspace 可以为存储帐户以及其他服务设置策略。因此,每当创建新的存储帐户时,如果未启用设置,就会应用该策略,然后它会为每个服务启用它。你可以参考这个Image
没错,但用例不同,我在 Microsoft.Storage/storageAccounts 上启用了诊断的存储帐户,但未在一项或多项服务上启用诊断(blobServices/tableServices/ fileServices/queueServices),该策略显示为合规,因为它仅检查“field”:“type”,“equals”:“Microsoft.Storage/storageAccounts”
需要启用诊断的策略,即使其中任何一个丢失,将模式更改为全部,合规性报告显示 100% 正确丢失(但该名称是存储帐户下所有服务的默认名称,因此不能传递给诊断的增量部署)
policyRule": "if": "anyof": [ Microsoft.Storage/storageAccounts" "Microsoft.Storage/storageAccounts/blobServices/tableservices/file 等等"
您能否将策略中参数的屏幕截图和具有诊断设置的存储帐户也添加到问题中。.??我将尝试测试场景..
【参考方案1】:
您应该为每种服务类型(blob、表等)创建单独的策略。这样可以更轻松地仅监控和修复相关服务。
BuiltIn 策略的主要变化是部署中的参数 resourceName 需要更改为引用全名 (<storageAccountName>/default) 而不是服务名称 (default),如下所示:
"resourceName":
"value": "[field('fullname')]"
以下是 blob 服务类型的示例。你应该可以为其他人修改。
"properties":
"displayName": "Configure diagnostic settings for blob services",
"policyType": "Custom",
"mode": "All",
"description": "Deploys the diagnostic settings for storage account blob services to stream resource logs to a Log Analytics workspace when any storage account blob service which is missing these diagnostic settings is created or updated.",
"metadata":
"category": "Storage"
,
"parameters":
"logAnalytics":
"type": "String",
"metadata":
"displayName": "Log Analytics workspace",
"description": "Specify the Log Analytics workspace the storage account should be connected to.",
"strongType": "omsWorkspace",
"assignPermissions": true
,
"diagnosticsSettingNameToUse":
"type": "String",
"metadata":
"displayName": "Setting name",
"description": "Name of the diagnostic settings."
,
"defaultValue": "storageAccountsDiagnosticsLogsToWorkspace"
,
"effect":
"type": "String",
"metadata":
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
,
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
,
"StorageDelete":
"type": "String",
"metadata":
"displayName": "StorageDelete - Enabled",
"description": "Whether to stream StorageDelete logs to the Log Analytics workspace - True or False"
,
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
,
"StorageWrite":
"type": "String",
"metadata":
"displayName": "StorageWrite - Enabled",
"description": "Whether to stream StorageWrite logs to the Log Analytics workspace - True or False"
,
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
,
"StorageRead":
"type": "String",
"metadata":
"displayName": "StorageRead - Enabled",
"description": "Whether to stream StorageRead logs to the Log Analytics workspace - True or False"
,
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
,
"Transaction":
"type": "String",
"metadata":
"displayName": "Transaction - Enabled",
"description": "Whether to stream Transaction logs to the Log Analytics workspace - True or False"
,
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
,
"policyRule":
"if":
"field": "type",
"equals": "Microsoft.Storage/storageAccounts/blobServices"
,
"then":
"effect": "[parameters('effect')]",
"details":
"type": "Microsoft.Insights/diagnosticSettings",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"existenceCondition":
"allOf": [
"anyOf": [
"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
"equals": "True"
,
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "True"
]
,
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[parameters('logAnalytics')]"
]
,
"deployment":
"properties":
"mode": "incremental",
"template":
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":
"diagnosticsSettingNameToUse":
"type": "string"
,
"resourceName":
"type": "string"
,
"logAnalytics":
"type": "string"
,
"location":
"type": "string"
,
"Transaction":
"type": "string"
,
"StorageRead":
"type": "string"
,
"StorageWrite":
"type": "string"
,
"StorageDelete":
"type": "string"
,
"variables": ,
"resources": [
"type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('resourceName'),'/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
"location": "[parameters('location')]",
"dependsOn": [],
"properties":
"workspaceId": "[parameters('logAnalytics')]",
"metrics": [
"category": "Transaction",
"enabled": "[parameters('Transaction')]",
"retentionPolicy":
"days": 0,
"enabled": false
,
"timeGrain": null
],
"logs": [
"category": "StorageRead",
"enabled": "[parameters('StorageRead')]"
,
"category": "StorageWrite",
"enabled": "[parameters('StorageWrite')]"
,
"category": "StorageDelete",
"enabled": "[parameters('StorageDelete')]"
]
],
"outputs":
,
"parameters":
"diagnosticsSettingNameToUse":
"value": "[parameters('diagnosticsSettingNameToUse')]"
,
"logAnalytics":
"value": "[parameters('logAnalytics')]"
,
"location":
"value": "[field('location')]"
,
"resourceName":
"value": "[field('fullname')]"
,
"Transaction":
"value": "[parameters('Transaction')]"
,
"StorageDelete":
"value": "[parameters('StorageDelete')]"
,
"StorageWrite":
"value": "[parameters('StorageWrite')]"
,
"StorageRead":
"value": "[parameters('StorageRead')]"
【讨论】:
感谢@sapphiremirage 工作,我已将策略与每种不同的服务类型分开,以使其更易于管理以上是关于Azure Policy 存储 blobServices/tableServices/queueServices 诊断日志记录的主要内容,如果未能解决你的问题,请参考以下文章
如何将 Azure Policy 与 Azure DevOps 集成?
Azure IAM - 是不是可以使用 Azure Policy 审核组成员资格?