How do we define Azure Policy rules for dependent resources?

Given this ARM template: https://github.com/Azure/azure-quickstart-templates/blob/master/101-redis-cache/azuredeploy.json

How do we enforce that a Redis cache is deployed with diagnostic settings enabled?

Is this only achievable once the Azure team provides suitable aliases?

Current alias set for Redis cache:

{
    "Microsoft.Cache/Redis/redisConfiguration": {
        "maxfragmentationmemory-reserved": "300",
        "maxmemory-reserved": "200",
        "maxmemory-delta": "200",
        "maxclients": "7500",
        "rdb-backup-enabled": "true",
        "rdb-backup-frequency": "60",
        "rdb-backup-max-snapshot-count": "1",
        "rdb-storage-connection-string": "DefaultEndpointsProtocol=https;AccountName=blobnubldepenclsstgwu2;AccountKey=[key hidden]"
    },
    "Microsoft.Cache/Redis/provisioningState": "Succeeded",
    "Microsoft.Cache/Redis/enableNonSslPort": false,
    "Microsoft.Cache/Redis/sku.capacity": 1,
    "Microsoft.Cache/Redis/redisVersion": "4.0.14",
    "Microsoft.Cache/Redis/sku.family": "P",
    "Microsoft.Cache/Redis/hostName": "rc-nuRed-epe-ncls-stg-wu2.redis.cache.windows.net",
    "Microsoft.Cache/Redis/sku.name": "Premium",
    "Microsoft.Cache/Redis/sslPort": 6380,
    "Microsoft.Cache/Redis/port": 6379,
    "Microsoft.Cache/Redis/sku": {
        "name": "Premium",
        "capacity": 1,
        "family": "P"
    },
    "Microsoft.Cache/Redis/subnetId": "/subscriptions/d0ee6b93-7d29-45db-aabf-784018016241/resourceGroups/rg-grp-epe-ncls-stg-wu2/providers/Microsoft.Network/virtualNetworks/AZ-BIZ-10.32.223.0-26/subnets/AZ-BIZ-10.32.223.16-28",
    "Microsoft.Cache/Redis/staticIP": "10.32.223.24",
    "Microsoft.Cache/Redis/minimumTlsVersion": "1.2",
    "Microsoft.Cache/Redis/shardCount": 2,
    "Microsoft.Cache/Redis/zones": [
        "3"
    ]
}

You need to use an auditIfNotExists or deployIfNotExists policy. auditIfNotExists will get you started on detecting resources that have no diagnostic settings, but the deployIfNotExists route is considerably more complex and needs more information about your specific application before it can be solved.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Cache/redis"
      }
    ]
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [              
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled",
            "equals": "false"
          }
        ]
      }
    }
  }
}

Keep in mind that, as of today (20 October 2020), Redis in particular does not have any "logs" option. If you plan to apply this to other resources, you will also need to check the logs option, and your existence condition would then look like this:

"existenceCondition": {
  "allOf": [
    {
      "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
      "equals": "true"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
      "equals": "false"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
      "equals": "true"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled",
      "equals": "false"
    }
  ]
}

That should let you audit diagnostic logs. If you want to create a remediation, you need to add a roleDefinition and a deployment to the policy and change the effect to deployIfNotExists. Just a warning: diagnostic settings can be hard to remediate, because they also require a storage account, event hub, or other resource to exist. If that already exists and can be defined statically, the problem is easier to solve. But if the remediation has to dynamically provision that supporting infrastructure, you also have to build rules around the global uniqueness of infrastructure names, among other issues.

If you plan to go the deployIfNotExists route, here is the "tip of the iceberg" documentation you need to read to get started: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists
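The following is an added example, not code from the answer above and not Azure's policy engine. It wraps the answer's metrics-only rule for Redis in a complete policy definition body and runs a toy evaluator over a constructed inventory of three caches, so you can see which ones auditIfNotExists would report as non-compliant before assigning the policy. The evaluator is a stated simplification: it implements only allOf/anyOf and field/equals, compares values case-insensitively as strings (so "true" matches a JSON true), treats an alias that crosses an array (with or without [*]) as having to hold for every element, and treats an absent property or an empty array as never matching. The `diagnosticSettings` field on each sample resource is a hypothetical container for the child resources; a real inventory would come from the Resource Graph or the Monitor API.

```python
"""Toy evaluator for the auditIfNotExists rule given in the answer.

Added example, not Azure's policy engine and not code from the answer.
It re-implements, as a stated simplification, only the semantics the
rule relies on:
  - "allOf" / "anyOf": every / at least one sub-condition must hold
  - "field" / "equals": the aliased property must equal the value
    (compared case-insensitively as strings, so "true" matches true)
  - an alias crossing an array, with or without "[*]", must hold for
    every element; an absent property or an empty array never matches
A Redis cache counts as compliant when at least one of its diagnostic
settings satisfies the existenceCondition, which is what the
auditIfNotExists effect checks for.
"""
import json
import re

# The answer's metrics-only rule for Redis, wrapped in a policy definition body.
POLICY_DEFINITION = json.loads("""
{
  "mode": "Indexed",
  "policyRule": {
    "if": {"allOf": [{"field": "type", "equals": "Microsoft.Cache/redis"}]},
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "allOf": [
            {"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
             "equals": "true"},
            {"field": "Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled",
             "equals": "false"}
          ]
        }
      }
    }
  }
}
""")

_MISSING = object()  # marker for a property the resource does not have


def alias_segments(alias):
    """'Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled'
    -> ['metrics', '[*]', 'retentionPolicy', 'enabled']; plain 'type' -> ['type']."""
    path = alias.rsplit("/", 1)[-1]
    return re.findall(r"\[\*\]|[^.\[\]]+", path)


def resolve(value, segments):
    """Return every leaf value the alias path points at, fanning out over arrays."""
    if not segments:
        return [value]
    head, rest = segments[0], segments[1:]
    if head == "[*]":
        return [leaf for item in (value if isinstance(value, list) else [])
                for leaf in resolve(item, rest)]
    if isinstance(value, list):  # array crossed without [*]: evaluate each element
        return [leaf for item in value for leaf in resolve(item, segments)]
    if isinstance(value, dict) and head in value:
        return resolve(value[head], rest)
    return [_MISSING]


def condition_holds(condition, resource):
    """Evaluate an allOf/anyOf/field-equals condition against one resource object."""
    if "allOf" in condition:
        return all(condition_holds(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(condition_holds(c, resource) for c in condition["anyOf"])
    leaves = resolve(resource, alias_segments(condition["field"]))
    if not leaves or any(leaf is _MISSING for leaf in leaves):
        return False
    expected = str(condition["equals"]).lower()
    return all(str(leaf).lower() == expected for leaf in leaves)


def audit(policy, resources):
    """Map each resource matched by the rule's 'if' to 'Compliant' / 'Non-compliant'."""
    rule = policy["policyRule"]
    existence = rule["then"]["details"]["existenceCondition"]
    report = {}
    for res in resources:
        if not condition_holds(rule["if"], res):
            continue  # the rule does not apply to this resource type
        # hypothetical field holding the child diagnosticSettings resources
        settings = res.get("diagnosticSettings", [])
        compliant = any(condition_holds(existence, ds) for ds in settings)
        report[res["name"]] = "Compliant" if compliant else "Non-compliant"
    return report


# Constructed sample inventory (not real resources): three caches and one unrelated resource.
SAMPLE_RESOURCES = [
    {"name": "redis-with-diag", "type": "Microsoft.Cache/Redis", "diagnosticSettings": [
        {"name": "to-workspace", "metrics": [
            {"category": "AllMetrics", "enabled": True,
             "retentionPolicy": {"enabled": False, "days": 0}}]}]},
    {"name": "redis-retention-on", "type": "Microsoft.Cache/Redis", "diagnosticSettings": [
        {"name": "to-storage", "metrics": [
            {"category": "AllMetrics", "enabled": True,
             "retentionPolicy": {"enabled": True, "days": 30}}]}]},
    {"name": "redis-no-diag", "type": "Microsoft.Cache/Redis", "diagnosticSettings": []},
    {"name": "stg-unrelated", "type": "Microsoft.Storage/storageAccounts"},
]

if __name__ == "__main__":
    for name, state in audit(POLICY_DEFINITION, SAMPLE_RESOURCES).items():
        print(f"{name}: {state}")
```

Running it reports redis-with-diag as compliant, redis-retention-on and redis-no-diag as non-compliant (the second because the answer's rule requires retentionPolicy.enabled to be false), and leaves the storage account out because the rule's `if` never matches it. The same POLICY_DEFINITION body, dumped with json.dumps, is the shape you would hand to `az policy definition create --rules` when you are ready to assign the real thing.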