Azure 策略 - 防止在未经身份验证的情况下创建应用服务
Azure policy - prevent the creation of app services without authentication
我希望创建一个策略来防止在未启用身份验证的情况下创建应用程序服务(仅审核它们是不够的)。
以下策略可以正确识别 现有 未启用身份验证的资源:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "Microsoft.Web/sites/config/siteAuthEnabled",
"equals": "false"
}
]
},
"then": {
"effect": "deny"
}
}
}
然而,它并不会阻止它们首先被创建(通过 ARM 模板或通过门户)。
我怀疑这是因为未明确创建 Microsoft.Web/sites/config 资源。
有人知道这是否可行吗?
您可以尝试使用 Microsoft.Web/sites/siteConfig 别名。
显然,目前 Azure Policy 不支持 Microsoft.Web/sites/config/* 资源类型(Microsoft.Web/sites/config/web 除外)。
引用 @camillemarie from this 类似 GitHub 问题:
authSettings cannot be managed via policy at this time. In the interest of hiding secrets from users in the default Reader role, this resource provider doesn't expose secrets via GET calls (hence the null in /config/web, and lack of GET support for /config/authSettings).
This means that the existing Microsoft.Web/sites/config/siteAuthSettings.* aliases are invalid. We'll look into removing these, but we don't have a good deprecation story at the moment.
参考:
我希望创建一个策略来防止在未启用身份验证的情况下创建应用程序服务(仅审核它们是不够的)。
以下策略可以正确识别 现有 未启用身份验证的资源:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "Microsoft.Web/sites/config/siteAuthEnabled",
"equals": "false"
}
]
},
"then": {
"effect": "deny"
}
}
}
然而,它并不会阻止它们首先被创建(通过 ARM 模板或通过门户)。
我怀疑这是因为未明确创建 Microsoft.Web/sites/config 资源。
有人知道这是否可行吗?
您可以尝试使用 Microsoft.Web/sites/siteConfig 别名。
显然,目前 Azure Policy 不支持 Microsoft.Web/sites/config/* 资源类型(Microsoft.Web/sites/config/web 除外)。
引用 @camillemarie from this 类似 GitHub 问题:
authSettings cannot be managed via policy at this time. In the interest of hiding secrets from users in the default Reader role, this resource provider doesn't expose secrets via GET calls (hence the null in /config/web, and lack of GET support for /config/authSettings).
This means that the existing Microsoft.Web/sites/config/siteAuthSettings.* aliases are invalid. We'll look into removing these, but we don't have a good deprecation story at the moment.
参考: