奇怪的结果,基于现有内置策略创建 Azure KeyVault 策略时出错 - 'field' 属性 引用的提供程序不存在

Odd result, error creating Azure KeyVault Policy based on existing BuiltIn Policy - provider referenced by the 'field' property doesn't exist

所以...我在将其中一个内置函数转换为自定义函数时遇到了一些困难。 (我为什么要那样做?内部问题,我同意与否无关紧要,所以请不要对我的决定感到失望。:-))

现有内置策略:

https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json

问题出现在 json 文件的第 40/43 行。

main.tf 文件包含:

# policy
locals {
  json_keyvault_certmaxvalidityperiod = jsondecode(file("${path.module}/resourceprovider/KeyVault/Certificates should have the specified maximum validity period.json"))
}

resource "azurerm_policy_definition" "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" {
  name         = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" # must match output.tf and ad ID to main
  policy_type  = "Custom"  #Must always be Custom
  mode         = "All"
  display_name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" #add Custom to display name
  description  = "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault."
  metadata     = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.metadata)
  policy_rule  = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.policyRule)
  parameters   = <<PARAMETERS
    {
        "effect" : {
            "type": "string",
            "metadata": {
                "description": "Enable or disable the execution of the policy",
                "displayName": "Effect"
            }
        },
        "maximumValidityInMonths": {
            "type": "integer",
            "metadata": {
                "description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren\u0027t best practice.",
                "displayName": "The maximum validity in months"
            }
        }
    }
  PARAMETERS
}

按原样使用 json 内容,执行 terraform apply returns:

│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths' of the policy rule doesn't exist."

所以,我查看了 Microsoft.KeyVault.Data 提供者的定义,从下面来看,似乎不应该有“证书”,而应该是“秘密”:

https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json

但是...如果我更新第 40/43 行以反映 Microsoft.KeyVault.Data/vaults/secrets,terraform apply returns:

│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets/properties.validityInMonths' of the policy rule doesn't exist."

有没有人以前处理过类似的事情?关于如何定义策略规则以适应数据提供者的建议?

无法使用自定义策略类型创建 keyvault 策略,因为 "Microsoft.Keyvault.Data" 仅支持内置策略类型,如参考中给出的 Microsoft 文档 中所述。

如果您在 Azure Policy Extension in Visual Studio Code 中看到,您可以找到 azure 中存在的资源提供者的所有属性,但对于 keyvault,它不存在,它们是空的。

参考:

Details of the policy definition structure - Azure Policy | Microsoft Docs