Differences between Get-AzPolicyState from PowerShell and az policy state list from az cli

If I run the command

Get-AzPolicyState -PolicyAssignmentName "xxxxxxxxxxxxxxxxxxxxx" -Filter "ResourceType eq 'Microsoft.KeyVault/vaults'" # | where-object { $_.ComplianceState -eq "NonCompliant" }

I get a sample response:

Timestamp                   : 22/04/2022 11:38:58
ResourceId                  : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/group_name/providers/microsoft.keyvault/vaults/resouce_name
PolicyAssignmentId          : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/policyassignments/xxxxxxxxxxxxxxxxxx
PolicyDefinitionId          : /providers/microsoft.authorization/policydefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
IsCompliant                 : False
SubscriptionId              : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ResourceType                : Microsoft.KeyVault/vaults
ResourceLocation            : northeurope
ResourceGroup               : neu-rg-dev-bicep
ResourceTags                : tbd
PolicyAssignmentName        : xxxxxxxxxxxxxxxxxxxxxx
PolicyAssignmentOwner       : tbd
PolicyAssignmentScope       : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionName        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionAction      : audit
PolicyDefinitionCategory    : tbd
PolicySetDefinitionId       : /providers/Microsoft.Authorization/policySetDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicySetDefinitionName     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicySetDefinitionCategory : security center
ManagementGroupIds          : MSDN,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
PolicyDefinitionReferenceId : keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect
ComplianceState             : NonCompliant
AdditionalProperties        : {[complianceReasonCode, ]}

The corresponding Az CLI command is

az policy state list --filter "ResourceType eq 'Microsoft.KeyVault/vaults'" --query "[?complianceState=='NonCompliant']"

Result:

  {
    "complianceReasonCode": "",
    "complianceState": "NonCompliant",
    "components": null,
    "effectiveParameters": "",
    "isCompliant": false,
    "managementGroupIds": "MSDN,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "odataContext": "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
    "odataId": null,
    "policyAssignmentId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/policyassignments/xxxxxxxxxxxxxxxxxx",
    "policyAssignmentName": "a26a6876d6c14a45b79d547f",
    "policyAssignmentOwner": "tbd",
    "policyAssignmentParameters": "",
    "policyAssignmentScope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policyAssignmentVersion": "",
    "policyDefinitionAction": "audit",
    "policyDefinitionCategory": "tbd",
    "policyDefinitionGroupNames": [
      "azure_security_benchmark_v3.0_dp-8"
    ],
    "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policyDefinitionName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policyDefinitionReferenceId": "keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect",
    "policyDefinitionVersion": "2.0.0",
    "policyEvaluationDetails": null,
    "policySetDefinitionCategory": "security center",
    "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policySetDefinitionName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "policySetDefinitionOwner": "",
    "policySetDefinitionParameters": "",
    "policySetDefinitionVersion": "47.0.0",
    "resourceGroup": "group_name",
    "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/group_name/providers/microsoft.keyvault/vaults/resource_name",
    "resourceLocation": "northeurope",
    "resourceTags": "tbd",
    "resourceType": "Microsoft.KeyVault/vaults",
    "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "timestamp": "2022-04-22T11:38:58.831865+00:00"
  }

We can see that some of the information is not in the PowerShell version. One of the properties with a significant impact is policyDefinitionGroupNames.

Does anyone know a way to get that property using PowerShell?

As @Todd suggested above, we have tried the same approach to get the property you are looking for.

Try using the cmdlets below:

$outVar = Get-AzPolicyState -PolicyAssignmentName "xxxxxxxxx0" -Filter "ResourceType eq 'Microsoft.KeyVault/vaults'" # | where-object { $_.ComplianceState -eq "NonCompliant" }

To check whether the property is available, use $outVar | Get-Member

For more information, refer to these MS docs: Get-AzPolicyState & Azure Policy definition structure
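As an added example (not code from the question or the answer above), the following PowerShell script turns the Get-Member check into a side-by-side comparison of the property names each tool exposes for the same non-compliant Key Vault records, and then reads policyDefinitionGroupNames from the raw Policy Insights REST response using Invoke-AzRestMethod. It assumes Az.Accounts, Az.PolicyInsights and the Azure CLI are installed and signed in to the same subscription, that the assignment name is a placeholder you replace, and that the 2019-10-01 queryResults API returns policyDefinitionGroupNames (an assumption based on the CLI output shown in the question, not something stated on the page).

```powershell
# Added example; not the question author's or answerer's code.
# Placeholder assignment name: replace with the real one.
$assignment = "<policy-assignment-name>"
$filter     = "ResourceType eq 'Microsoft.KeyVault/vaults'"

# 1. PowerShell view, restricted to NonCompliant states as in the question.
$psStates = Get-AzPolicyState -PolicyAssignmentName $assignment -Filter $filter |
    Where-Object { $_.ComplianceState -eq 'NonCompliant' }

# 2. Az CLI view of the same records, parsed from its JSON output.
$cliStates = az policy state list --filter $filter `
    --query "[?complianceState=='NonCompliant']" | ConvertFrom-Json

# 3. Property names on each side, lower-cased because the cmdlet uses
#    PascalCase and the CLI uses camelCase for the same fields.
$psNames = @(($psStates | Get-Member -MemberType Property).Name) |
    ForEach-Object { $_.ToLowerInvariant() }
# The cmdlet folds unmapped fields into AdditionalProperties (the question's
# output shows complianceReasonCode there), so count those keys as present too.
$psNames += @($psStates[0].AdditionalProperties.Keys) |
    ForEach-Object { $_.ToLowerInvariant() }
$cliNames = $cliStates[0].PSObject.Properties.Name |
    ForEach-Object { $_.ToLowerInvariant() }

$onlyInCli = Compare-Object -ReferenceObject $psNames -DifferenceObject $cliNames |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject
"Properties only in the CLI output: $($onlyInCli -join ', ')"

# 4. Fallback: query the Policy Insights REST API directly from PowerShell.
#    Assumption: api-version 2019-10-01 includes policyDefinitionGroupNames.
$sub  = (Get-AzContext).Subscription.Id
$path = "/subscriptions/$sub/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults" +
        "?api-version=2019-10-01&`$filter=" + [uri]::EscapeDataString($filter)
$resp = Invoke-AzRestMethod -Method POST -Path $path
if ($resp.StatusCode -ne 200) { throw "Policy Insights query failed: $($resp.StatusCode)" }
$raw  = ($resp.Content | ConvertFrom-Json).value

# Group names (e.g. the Azure Security Benchmark control id) per non-compliant vault.
$raw | Where-Object { $_.complianceState -eq 'NonCompliant' } |
    Select-Object resourceId, policyDefinitionReferenceId, policyDefinitionGroupNames
```

The REST call returns a single page; a response with a nextLink would need to be followed for large subscriptions.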