Azure Policy Storage Accounts retention policy not flagging the resource

Posted: 2020-09-28 19:02:36

[Problem description]:

I am using the code below to monitor the retention policy of storage accounts. I seem to have the right alias, but when I look at the compliance report it shows "100% compliant, 0 out of 0". The versioning and private link policies have the same problem. I have storage account policies similar to these that do return the number of targeted storage accounts; the only difference is that they do not reference the blob services alias the way these do. Thanks for any answers.


resource "azurerm_policy_definition" "sa-ensure-versioning-enabled-policy" {
  name         = "sa-ensure-versioning-enabled-policy-definition"
  policy_type  = "Custom"
  mode         = "All"
  #management_group_name = var.management_group_name
  display_name = "Ensure versioning enabled policy"

  metadata = <<METADATA
    {
      "version": "1.0.0",
      "category": "Storage"
    }
  METADATA

  # The blobServices alias is tested directly in "if" against the storage
  # account resource. This is the rule the question reports as evaluating
  # "0 out of 0" in the compliance report.
  policy_rule = <<POLICY_RULE
    {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                    "not": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/default.isVersioningEnabled",
                        "equals": "true"
                    }
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]"
        }
    }
  POLICY_RULE

  parameters = <<PARAMETERS
    {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
          },
          "allowedValues": [
            "audit",
            "deny",
            "disabled"
          ],
          "defaultValue": "audit"
        }
    }
  PARAMETERS
}

resource "azurerm_policy_assignment" "sa-ensure-versioning-enabled-policy-assignment" {
  name                 = "sa-ensure-versioning-enabled-policy-assignment"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.sa-ensure-versioning-enabled-policy.id
  description          = "Storage Account ensure delete retention policy."
  display_name         = "Ensure versioning enabled policy"

  parameters = <<PARAMETERS
    {
        "effect": {
          "value": "audit"
        }
    }
  PARAMETERS
}


Add this code to make the policy work.


    {
        "mode": "All",
        "policyRule": {
            "if": {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "existenceCondition": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
                        "equals": "true"
                    }
                }
            }
        },
        "parameters": {}
    }


[Answer 1]:

It seems to be a bug in Azure, documented here: https://github.com/Azure/azure-policy/issues/377. Apparently Microsoft.Storage/storageAccounts/blobServices is not yet operational. The ETA for a fix said September 2020, but that date and some earlier ones have already passed.

[Comments]:

Can soft delete for blobs be enforced through Azure Policy?

It can now be done with the help of roleDefinitions; see the code above.

[Answer 2]:

Any policy that references Microsoft.Storage/storageAccounts/blobServices should work properly with the code below (delete retention, versioning, and so on). The following policy now works:

    {
        "mode": "All",
        "policyRule": {
            "if": {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "existenceCondition": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
                        "equals": "true"
                    }
                }
            }
        },
        "parameters": {}
    }

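The working JSON shown in the question's edit and in Answer 2 checks the blob-service alias in an existenceCondition against the child resource Microsoft.Storage/storageAccounts/blobServices, instead of testing it in "if" against the storage account, which is why the original rule evaluated nothing. The following Terraform is an added example, not code from the question or either answer. It translates that pattern back into the asker's Terraform layout and generalises it to both checks the thread mentions (delete retention and versioning) with one definition per alias. It assumes the azurerm 2.x provider resources used in the question (azurerm_policy_definition and azurerm_policy_assignment) and an existing data "azurerm_subscription" "current" {} block; the local map, resource names and display names are invented for the example. roleDefinitionIds is omitted because Azure Policy only uses it for deployIfNotExists and modify effects, and auditIfNotExists does not remediate anything.

```hcl
# Added example (not from the original question or answers). Assumes the
# azurerm 2.x provider used in the question and an existing
#   data "azurerm_subscription" "current" {}
# block. The map below and all names in it are invented for the example.

locals {
  # One policy per blob-service alias. The alias must be evaluated in
  # existenceCondition against the blobServices child resource; testing it
  # in "if" against the storage account is what produced "0 out of 0".
  blob_service_checks = {
    delete-retention = {
      display_name = "Ensure blob soft delete (delete retention) is enabled"
      alias        = "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled"
    }
    versioning = {
      display_name = "Ensure blob versioning is enabled"
      alias        = "Microsoft.Storage/storageAccounts/blobServices/isVersioningEnabled"
    }
  }
}

resource "azurerm_policy_definition" "blob_service" {
  for_each     = local.blob_service_checks
  name         = "sa-blob-${each.key}-policy-definition"
  policy_type  = "Custom"
  mode         = "All"
  display_name = each.value.display_name

  metadata = jsonencode({
    version  = "1.0.0"
    category = "Storage"
  })

  # jsonencode avoids hand-balancing braces in heredocs. The effect stays
  # parameterised so an assignment can switch between auditing and disabled.
  # "if" matches every storage account; "then.details" requires a blobServices
  # child whose alias is true, and flags the account when none satisfies it.
  policy_rule = jsonencode({
    if = {
      field  = "type"
      equals = "Microsoft.Storage/storageAccounts"
    }
    then = {
      effect = "[parameters('effect')]"
      details = {
        type = "Microsoft.Storage/storageAccounts/blobServices"
        existenceCondition = {
          field  = each.value.alias
          equals = "true"
        }
      }
    }
  })

  parameters = jsonencode({
    effect = {
      type = "String"
      metadata = {
        displayName = "Effect"
        description = "AuditIfNotExists flags storage accounts whose blob service fails the check; Disabled turns the policy off."
      }
      allowedValues = ["AuditIfNotExists", "Disabled"]
      defaultValue  = "AuditIfNotExists"
    }
  })
}

resource "azurerm_policy_assignment" "blob_service" {
  for_each             = azurerm_policy_definition.blob_service
  name                 = "sa-blob-${each.key}-policy-assignment"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = each.value.id
  display_name         = each.value.display_name

  parameters = jsonencode({
    effect = { value = "AuditIfNotExists" }
  })
}
```

After `terraform apply`, compliance results appear only once the next policy evaluation cycle runs; `az policy state trigger-scan` starts an on-demand evaluation so the "0 out of 0" versus real resource counts can be compared without waiting.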
