How to enforce that Delete Retention is configured on Azure Storage by using a deployIfNotExists policy?
I want to create a policy that automatically applies a 14-day delete retention policy to every newly created storage account. I think this can be done with a deployIfNotExists policy, but I cannot find a sample JSON or anything else on the Internet.
You could try the code below (by the way, I have no time to test it on my side):
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "roleDefinitionIds": [
          "xxx"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "storageAccountName": {
                  "type": "String",
                  "metadata": {
                    "description": "storageAccountName"
                  }
                },
                "location": {
                  "type": "String",
                  "metadata": {
                    "description": "location"
                  }
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Storage/storageAccounts",
                  "apiVersion": "2019-06-01",
                  "name": "[parameters('storageAccountName')]",
                  "location": "[parameters('location')]",
                  "resources": [
                    {
                      "name": "default",
                      "type": "Microsoft.Storage/storageAccounts/managementPolicies",
                      "apiVersion": "2019-06-01",
                      "properties": {
                        "policy": {
                          "rules": [
                            "xxx"
                          ]
                        }
                      }
                    }
                  ]
                }
              ],
              "outputs": {}
            },
            "parameters": {
              "storageAccountName": {
                "value": "[field('Name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}
Here are the details of the JSON format for lifecycle management.
I talked to Microsoft and they uploaded an example that works well. This is the JSON taken from Community-Policy:
{
  "properties": {
    "displayName": "Deploy Soft-Delete for Blobs",
    "mode": "All",
    "description": "This policy enables soft-delete for blobs.",
    "parameters": {
      "retentionInDays": {
        "type": "Integer",
        "minValue": 1,
        "maxValue": 365,
        "defaultValue": 7,
        "metadata": {
          "displayName": "Retention in days",
          "description": "This defines how long the deleted object should be retained for. Allowed values are 1 to 365."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "kind",
            "in": [
              "Storage",
              "StorageV2",
              "BlobStorage",
              "BlockBlobStorage"
            ]
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Storage/storageAccounts/blobServices",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
            "equals": true
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageAccountName": {
                    "type": "string"
                  },
                  "retentionInDays": {
                    "type": "int"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "name": "[concat(parameters('storageAccountName'), '/default')]",
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "apiVersion": "2019-06-01",
                    "properties": {
                      "deleteRetentionPolicy": {
                        "enabled": true,
                        "days": "[parameters('retentionInDays')]"
                      }
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "storageAccountName": {
                  "value": "[field('name')]"
                },
                "retentionInDays": {
                  "value": "[parameters('retentionInDays')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
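Before assigning a deployIfNotExists definition like the one above, it is worth checking the handful of structural points that decide whether remediation ever fires: an existenceCondition that aliases details.type, a real role in roleDefinitionIds, a template that deploys that same type with every parameter supplied, and a desired retention (14 days in the question) inside the parameter bounds. The linter below is an added example, not code from the question or from the Community-Policy repository; the default bounds of 1 and 365 it assumes when a definition omits them are an assumption.

```python
# Lint an Azure Policy deployIfNotExists definition before assigning it.
# Added example, not from the question or the Community-Policy repository:
# it checks the structural points that decide whether remediation fires.
import json

def lint_dine(policy: dict, desired_retention: int) -> list:
    """Return findings for a DINE definition; an empty list means it passes."""
    findings = []
    then = policy["policyRule"]["then"]
    details = then["details"]
    if then["effect"].lower() != "deployifnotexists":
        findings.append("effect is not deployIfNotExists")
    cond = details.get("existenceCondition")
    if cond is None:
        # Without an existenceCondition, any existing resource of details.type
        # counts as compliant, so the deployment never runs.
        findings.append("missing existenceCondition: remediation never triggers")
    elif not cond.get("field", "").startswith(details["type"] + "/"):
        findings.append("existenceCondition field does not alias details.type")
    if not any(r.startswith("/providers/") for r in details.get("roleDefinitionIds", [])):
        findings.append("roleDefinitionIds lacks a real role: managed identity cannot deploy")
    dep = details["deployment"]["properties"]
    if details["type"] not in {r["type"] for r in dep["template"]["resources"]}:
        findings.append("template does not deploy " + details["type"])
    missing = set(dep["template"].get("parameters", {})) - set(dep.get("parameters", {}))
    if missing:
        findings.append("template parameters without values: " + ", ".join(sorted(missing)))
    # Assumed defaults of 1 and 365 days when the definition gives no bounds.
    bounds = policy.get("parameters", {}).get("retentionInDays", {})
    if not bounds.get("minValue", 1) <= desired_retention <= bounds.get("maxValue", 365):
        findings.append("desired retention %d outside allowed range" % desired_retention)
    return findings

# Constructed sample: the Community-Policy definition above, trimmed to the
# members the linter reads (policy parameters, if/then, template).
SOFT_DELETE_POLICY = json.loads(r'''{
 "parameters": {"retentionInDays": {"type": "Integer", "minValue": 1, "maxValue": 365, "defaultValue": 7}},
 "policyRule": {
  "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
  "then": {"effect": "DeployIfNotExists", "details": {
   "type": "Microsoft.Storage/storageAccounts/blobServices",
   "existenceCondition": {"field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled", "equals": true},
   "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"],
   "deployment": {"properties": {"mode": "incremental",
    "template": {"parameters": {"storageAccountName": {"type": "string"}, "retentionInDays": {"type": "int"}},
     "resources": [{"type": "Microsoft.Storage/storageAccounts/blobServices", "name": "[concat(parameters('storageAccountName'), '/default')]",
      "properties": {"deleteRetentionPolicy": {"enabled": true, "days": "[parameters('retentionInDays')]"}}}]},
    "parameters": {"storageAccountName": {"value": "[field('name')]"}, "retentionInDays": {"value": "[parameters('retentionInDays')]"}}}}}}}}''')

if __name__ == "__main__":
    print(lint_dine(SOFT_DELETE_POLICY, 14) or "policy definition passes")
```

Run against the first, untested answer, the linter reports the missing existenceCondition and the placeholder role, which is why that definition would never remediate anything.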