Azure DeployIfNotExists Policy evaluates but does not deploy template / shows compliant

【Posted】2019-06-10 08:54:46

【Question】I am working on a DeployIfNotExists Azure Policy that checks all vnets, checks whether a specific peering exists and, if it does, checks whether the UDR settings are in place. If they differ from what is specified, it is meant to deploy the required UDR.

I cannot get it to work. The current state is that the initial check works correctly (non-compliant vnets are reported), but there is no automatic remediation of new/updated vnets. Also, if I remediate manually, the vnet is still marked as non-compliant.

The Azure Policy rule is as follows.
```json
{
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings[*].peeringState",
            "equals": "Connected"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings[*].name",
            "equals": "peerSpokeToHub"
          }
        ]
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
            "exists": "true"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
            "exists": "true"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].name",
            "equals": "toNVA"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].addressPrefix",
            "equals": "0.0.0.0/0"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].nextHopType",
            "equals": "VirtualAppliance"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].nextHopIpAddress",
            "in": ["10.0.0.1", "10.0.0.2"]
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].provisioningState",
            "equals": "Succeeded"
          }
        ]
      },
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "vNetName": {
                "type": "string",
                "metadata": {
                  "description": "subnet to attach udr"
                }
              },
              "RouteTableName": {
                "type": "string",
                "metadata": {
                  "description": "Name of a route table upon remediation"
                }
              },
              "location": {
                "type": "string",
                "metadata": {
                  "description": "location of resource"
                }
              },
              "NVAip": {
                "type": "string",
                "metadata": {
                  "description": "NVA IP"
                }
              }
            },
            "resources": [
              {
                "name": "[parameters('RouteTableName')]",
                "type": "Microsoft.Network/routeTables",
                "apiVersion": "2018-11-01",
                "location": "[parameters('location')]",
                "properties": {
                  "routes": [
                    {
                      "properties": {
                        "addressPrefix": "0.0.0.0/0",
                        "nextHopType": "VirtualAppliance",
                        "nextHopIpAddress": "[parameters('NVAip')]"
                      },
                      "name": "toNVA"
                    }
                  ]
                }
              },
              {
                "apiVersion": "2017-08-01",
                "name": "apply-routetable-to-subnet",
                "type": "Microsoft.Resources/deployments",
                "resourceGroup": "[resourceGroup().name]",
                "dependsOn": [
                  "[concat('Microsoft.Network/routeTables/', 'RouteTable')]"
                ],
                "properties": {
                  "mode": "Incremental",
                  "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                      {
                        "apiVersion": "2018-08-01",
                        "type": "Microsoft.Network/virtualNetworks/subnets",
                        "name": "[concat(parameters('vNetName'),'/default')]",
                        "location": "[resourceGroup().location]",
                        "properties": {
                          "addressPrefix": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), 'default'), '2018-03-01').addressPrefix]",
                          "routeTable": {
                            "id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTableName'))]"
                          },
                          "networkSecurityGroup": {
                            "id": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), 'default'), '2018-03-01').networkSecurityGroup.id]"
                          }
                        }
                      }
                    ]
                  }
                }
              }
            ]
          },
          "parameters": {
            "vNetName": {
              "value": "[field('fullName')]"
            },
            "RouteTableName": {
              "value": "[parameters('RouteTableName')]"
            },
            "NVAip": {
              "value": "[parameters('fortigateIp')]"
            },
            "location": {
              "value": "[field('location')]"
            }
          }
        }
      }
    }
  }
}
```
【Comments】:
When you go to the Azure portal, what does the Remediation tab show? Usually there is a status indicating success/failure along with information about the deployment.

【Answer 1】: This seems to be a problem with your ARM template. I would definitely test it and check it. The ARM VSCode extension now has a what-if testing feature that lets you see what will happen when you deploy that template.

【Discussion】: