使用策略阻止的专用端点部署 keyVault
Posted
技术标签:
【中文标题】使用策略阻止的专用端点部署 keyVault【英文标题】:Deploy keyVault with private endpoint blocked by policy 【发布时间】:2021-09-29 10:58:45 【问题描述】:我需要创建策略分配,以阻止未配置 privateEndpoint 的 keyVault 部署。我测试了具有“审核”效果的内置策略“[Preview]:Azure Key Vaults should use private link”,效果很好。
但是当我将效果更改为“拒绝”时,我的部署被阻止,因为我正在分别部署两个资源(keyVault 和 privateEndpoint)。根据我从文档 (https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny) 中了解到的情况,资源在发送到提供的资源之前会进行评估。这意味着策略不知道私有端点(因为它是单独的资源)。
有没有人遇到过类似的问题并设法解决了?
我在下面粘贴我的模板:
resource keyVaultPrivateLink 'Microsoft.KeyVault/vaults@2019-09-01' =
name: kvName
location: location
properties:
enabledForTemplateDeployment: true
tenantId: tenant
enableRbacAuthorization: true
enablePurgeProtection: true
enableSoftDelete: true
networkAcls:
bypass: 'AzureServices'
defaultAction: 'Deny'
virtualNetworkRules: [
id: subnetId
]
sku:
name: 'standard'
family: 'A'
resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-03-01' =
name: 'pewetkvwetprivatelink'
location: location
properties:
subnet:
id: subnetId
privateLinkServiceConnections: [
name: 'kvwetprivatelink'
properties:
privateLinkServiceId: keyVaultPrivateLink.id
groupIds: [
'vault'
]
]
收到的错误代码:
"error":
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed because of policy violation. Please see details for more information.",
"details": [
"code": "RequestDisallowedByPolicy",
"target": "keyVault-name",
"message": "Resource 'kvwetprivatelink' was disallowed by policy. Policy identifiers: '[\"policyAssignment\":\"name\":\"Audit KeyVault Initiative\",\"id\":\"/subscriptions/***/providers/Microsoft.Authorization/policyAssignments/Audit KeyVault Initiative\",\"policyDefinition\":\"name\":\"[Preview]: Azure Key Vaults should use private link\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9\",\"policySetDefinition\":\"name\":\"Audit KeyVault Initiative\",\"id\":\"/subscriptions/***/providers/Microsoft.Authorization/policySetDefinitions/Audit KeyVault Initiative\"]'.",
"additionalInfo": [
"type": "PolicyViolation",
"info":
"policyDefinitionDisplayName": "[Preview]: Azure Key Vaults should use private link",
"policySetDefinitionDisplayName": "Audit KeyVault Initiative",
"evaluationDetails":
"evaluatedExpressions": [
"result": "True",
"expressionKind": "Field",
"expression": "type",
"path": "type",
"expressionValue": "Microsoft.KeyVault/vaults",
"targetValue": "Microsoft.KeyVault/vaults",
"operator": "Equals"
,
"result": "True",
"expressionKind": "Count",
"expression": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]",
"path": "properties.privateEndpointConnections[*]",
"expressionValue": 0,
"targetValue": 1,
"operator": "Less"
]
,
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
"policySetDefinitionId": "/subscriptions/***/providers/Microsoft.Authorization/policySetDefinitions/Audit KeyVault Initiative",
"policyDefinitionReferenceId": "[[Preview]: Azure Key Vaults should use private link",
"policySetDefinitionName": "Audit KeyVault Initiative",
"policyDefinitionName": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
"policyDefinitionEffect": "Deny",
"policyAssignmentId": "/subscriptions/***/providers/Microsoft.Authorization/policyAssignments/Audit KeyVault Initiative",
"policyAssignmentName": "Audit KeyVault Initiative",
"policyAssignmentDisplayName": "Audit KeyVault Initiative",
"policyAssignmentScope": "/subscriptions/***"
]
]
及政策定义:
"properties":
"displayName": "[Preview]: Azure Key Vaults should use private link",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.",
"metadata":
"version": "1.0.0-preview",
"category": "Key Vault",
"preview": true
,
"parameters":
"effect":
"type": "String",
"metadata":
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
,
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
,
"policyRule":
"if":
"allOf": [
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
,
"count":
"field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*]",
"where":
"field": "Microsoft.KeyVault/vaults/privateEndpointConnections[*].privateLinkServiceConnectionState.status",
"equals": "Approved"
,
"less": 1
]
,
"then":
"effect": "[parameters('effect')]"
,
"id": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "a6abeaec-4d90-4a02-805f-6b26c4d3fbe9"
【问题讨论】:
【参考方案1】:为了消除这里的混乱,根据您分享的Microsoft Documentation,它说:
在资源管理器中创建或更新匹配资源时 模式,拒绝在发送到资源之前阻止请求 提供者。请求作为 403(禁止)返回。
这意味着如果效果设置为Deny,则无法在同一模板中创建 KeyVault 或私有端点。效果应该是Audit,只有政策才能正常生效。
我使用门户进行了测试,它与模板相同:
场景一: Effect: Deny
即使我在部署 Keyvault 时添加了私有端点,验证也会失败。
场景 2:Effect:Audit
即使验证通过,我也尝试创建一个没有私有端点的密钥库,但在单击创建后它会按照策略失败。
如果我使用私有端点创建,那么它会成功部署。
【讨论】:
嗯...在我的第一次尝试中,我测试了审计效果。而且我能够在没有私有端点的情况下部署 KV。当然,它被政策标记为“不合规”,但在我的情况下这还不够。但是,如果我在您的案例部署(没有私有端点的 KV)中理解正确(尽管它设置为“审核”)? 您好@skinex11,是的,如果我尝试从门户使用公共端点创建但成功添加私有部署,如图所示,它被策略阻止,但拒绝没有新的 kv 能够部署(使用公共/私有端点) 我已经在我的环境中对此进行了测试,结果与您的不同。当策略设置为审核 KV 的验证和部署时,没有私有端点完成,没有任何错误或警告。我真的很好奇我们的环境之间有什么区别。我有干净的 Visual Studio 订阅以进行测试设置。 @skinex,让我们把讨论移到聊天室,你可以加入这个房间:chat.***.com/rooms/237664/chat-for-ansuman-and-skinex以上是关于使用策略阻止的专用端点部署 keyVault的主要内容,如果未能解决你的问题,请参考以下文章
使用KeyVaultClient定义Azure KeyVault密钥上的策略
Tyrus 端点阻止 Glassfish (Payara) 中的线程