psql 防火墙的自定义 Azure 策略不起作用
Custom Azure Policy for psql firewall doesn't work
我创建了一个自定义策略,不允许在 Azure PostgreSQL 服务器的防火墙规则中使用 IP:0.0.0.0,但是它在资源合规性下显示 0 资源,并且在我创建时它不会拒绝它带有 startIP:0.0.0.0
的防火墙规则
这是我的代码:
resource "azurerm_policy_definition" "db_fw" {
name = "ap-psqldb-fw-test"
policy_type = "Custom"
mode = "Indexed"
display_name = "Test policy for psql firewall rule"
metadata = <<METADATA
{
"version": "1.0.2",
"category": "SQL"
}
METADATA
policy_rule = file("../src/mypolicy.json")
}
resource "azurerm_policy_set_definition" "ap_set" {
name = "apset-db-fw-test"
policy_type = "Custom"
display_name = "Test policyset for psql firewall rule"
policy_definition_reference {
policy_definition_id = "/subscriptions/mysubid/providers/Microsoft.Authorization/policyDefinitions/ap-psqldb-fw-test"
}
}
resource "azurerm_policy_assignment" "ap_assign" {
name = "test-policy-assignment"
scope = var.resource_group_id
policy_definition_id = azurerm_policy_definition.db_fw.id
description = "Testing Policy Assignment"
display_name = "Test DB Policy Assignment"
metadata = <<METADATA
{
"version": "1.0.2",
"category": "SQL"
}
METADATA
}
mypolicy.json:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"
},
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
"equals": "0.0.0.0"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"
},
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress",
"equals": "0.0.0.0"
}
]
}
]
},
"then" : {
"effect" : "Deny"
}
}
合规状态为:合规
资源合规性:100%(0 个中的 0 个)
范围:mysub/myresourcegroup
我想知道我在这个设置中缺少什么?
如果有人可以提供帮助,我将不胜感激。
这是对我有用的政策:
策略定义:
{
"properties": {
"displayName": "Not allow unspecified IP/Not allow SourceIP equal to EndIP",
"policyType": "Custom",
"mode": "All",
"description": "",
"metadata": {
"category": "SQL",
"version": "1.0.2"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"description": "Enable or disable the execution of the policy",
"displayName": "Effect"
},
"allowedValues": [
"audit",
"disabled",
"deny"
],
"defaultValue": "deny"
},
"listOfStartIpAddresses": {
"type": "Array",
"metadata": {
"description": "List of not-allowed Start IP Addresses for PSQL",
"displayName": "List of not-allowed Start IP Addresses for PSQL"
},
"defaultValue": [
"0.0.0.0"
]
}
},
"policyRule": {
"if": {
"anyof": [
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
"notEquals": "[field('Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress')]"
},
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
"in": "[parameters('listOfStartIpAddresses')]"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"id": "...",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "..."
}
我创建了一个自定义策略,不允许在 Azure PostgreSQL 服务器的防火墙规则中使用 IP:0.0.0.0,但是它在资源合规性下显示 0 资源,并且在我创建时它不会拒绝它带有 startIP:0.0.0.0
的防火墙规则这是我的代码:
resource "azurerm_policy_definition" "db_fw" {
name = "ap-psqldb-fw-test"
policy_type = "Custom"
mode = "Indexed"
display_name = "Test policy for psql firewall rule"
metadata = <<METADATA
{
"version": "1.0.2",
"category": "SQL"
}
METADATA
policy_rule = file("../src/mypolicy.json")
}
resource "azurerm_policy_set_definition" "ap_set" {
name = "apset-db-fw-test"
policy_type = "Custom"
display_name = "Test policyset for psql firewall rule"
policy_definition_reference {
policy_definition_id = "/subscriptions/mysubid/providers/Microsoft.Authorization/policyDefinitions/ap-psqldb-fw-test"
}
}
resource "azurerm_policy_assignment" "ap_assign" {
name = "test-policy-assignment"
scope = var.resource_group_id
policy_definition_id = azurerm_policy_definition.db_fw.id
description = "Testing Policy Assignment"
display_name = "Test DB Policy Assignment"
metadata = <<METADATA
{
"version": "1.0.2",
"category": "SQL"
}
METADATA
}
mypolicy.json:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"
},
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
"equals": "0.0.0.0"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"
},
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress",
"equals": "0.0.0.0"
}
]
}
]
},
"then" : {
"effect" : "Deny"
}
}
合规状态为:合规 资源合规性:100%(0 个中的 0 个) 范围:mysub/myresourcegroup
我想知道我在这个设置中缺少什么? 如果有人可以提供帮助,我将不胜感激。
这是对我有用的政策:
策略定义:
{
"properties": {
"displayName": "Not allow unspecified IP/Not allow SourceIP equal to EndIP",
"policyType": "Custom",
"mode": "All",
"description": "",
"metadata": {
"category": "SQL",
"version": "1.0.2"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"description": "Enable or disable the execution of the policy",
"displayName": "Effect"
},
"allowedValues": [
"audit",
"disabled",
"deny"
],
"defaultValue": "deny"
},
"listOfStartIpAddresses": {
"type": "Array",
"metadata": {
"description": "List of not-allowed Start IP Addresses for PSQL",
"displayName": "List of not-allowed Start IP Addresses for PSQL"
},
"defaultValue": [
"0.0.0.0"
]
}
},
"policyRule": {
"if": {
"anyof": [
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
"notEquals": "[field('Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress')]"
},
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
"in": "[parameters('listOfStartIpAddresses')]"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"id": "...",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "..."
}