Azure Policy: Storage Account min TLS DeployIfNotExists
Trying to update all my existing storage accounts to TLS 1.2 when the TLS setting is not equal to TLS 1.2:
"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    {
      "field": "location",
      "in": "[parameters('deploymentLocations')]"
    }
  ]
},
"then": {
  "effect": "deployIfNotExists",
  "details": {
    "type": "Microsoft.Storage/storageAccounts",
    "roleDefinitionIds": [
      "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
    ],
    "existenceCondition": {
      "allOf": [
        {
          "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
          "Equals": "TLS1_2"
        },
        {
          "exists": "true",
          "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion"
        }
      ]
    },
The problem is that the policy also shows storage accounts on TLS 1.1 as compliant, which it should not!
I tried modifying the existenceCondition with anyOf, no luck, still the same problem. I think I'm missing something in the existenceCondition.
You can try the following policy:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "exists": "false"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "notEquals": "TLS1_2"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "conflictEffect": "audit",
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "value": "TLS1_2"
          }
        ]
      }
    }
  },
  "parameters": {}
}
It modifies TLS to 1.2 for all new resources. Existing resources are audited and can be changed through a remediation task on the Azure Policy page in the Azure portal.
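To see why the Modify rule in the answer selects exactly the accounts that need fixing, here is an offline evaluator for it. This is an added example, not code from the question or the answer: it implements only the part of the Azure Policy condition language the two policies on this page use (allOf, anyOf, not, and field conditions with equals, notEquals and exists), evaluates the answer's `if` block against constructed storage-account JSON, and applies the `addOrReplace` operation to show what a remediation task writes back. The mapping of the alias `Microsoft.Storage/storageAccounts/minimumTlsVersion` to `properties.minimumTlsVersion` is hard-coded as an assumption rather than fetched from Azure, and the sample resources are constructed. It also evaluates the question's existenceCondition against a single resource, which shows that the condition itself does reject a TLS 1.1 account: DeployIfNotExists checks whether a related resource matching the condition exists, whereas Modify evaluates `if` against each storage account and changes that account.

```python
"""Offline evaluator for the Azure Policy rules on this page (added example).

Assumptions: alias -> JSON path mapping is hard-coded; sample resources are
constructed and mimic the shape returned by `az storage account show`.
"""
import copy

# Azure Policy aliases used by the policies above, mapped to the JSON path
# they resolve to in the ARM resource body (assumed mapping, not fetched).
ALIASES = {
    "type": ("type",),
    "location": ("location",),
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": ("properties", "minimumTlsVersion"),
}

MISSING = object()  # sentinel: the property is absent from the resource


def get_field(resource, alias):
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def set_field(resource, alias, value):
    path = ALIASES[alias]
    node = resource
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def evaluate(condition, resource):
    """True when the resource matches the condition.
    Condition keys and string comparisons are treated case-insensitively."""
    cond = {k.lower(): v for k, v in condition.items()}
    if "allof" in cond:
        return all(evaluate(c, resource) for c in cond["allof"])
    if "anyof" in cond:
        return any(evaluate(c, resource) for c in cond["anyof"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not MISSING) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value is not MISSING and str(value).lower() == str(cond["equals"]).lower()
    if "notequals" in cond:
        # An absent property is treated as not equal to any value.
        return value is MISSING or str(value).lower() != str(cond["notequals"]).lower()
    raise ValueError(f"unsupported condition: {condition}")


def apply_modify(resource, details):
    """Apply the Modify effect's add / addOrReplace operations to a copy."""
    fixed = copy.deepcopy(resource)
    for op in details["operations"]:
        present = get_field(fixed, op["field"]) is not MISSING
        if op["operation"] == "addOrReplace" or (op["operation"] == "add" and not present):
            set_field(fixed, op["field"], op["value"])
    return fixed


# The policyRule from the answer above, copied verbatim.
MODIFY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
        ]},
    ]},
    "then": {"effect": "modify", "details": {"conflictEffect": "audit", "operations": [
        {"operation": "addOrReplace",
         "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
         "value": "TLS1_2"},
    ]}},
}

# The existenceCondition from the question, copied verbatim ("Equals" casing kept).
QUESTION_EXISTENCE_CONDITION = {"allOf": [
    {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "Equals": "TLS1_2"},
    {"exists": "true", "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion"},
]}

# Constructed sample resources, not real accounts.
SAMPLE_RESOURCES = [
    {"name": "stlegacy01", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {}},                                  # property never set
    {"name": "stweak02", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"minimumTlsVersion": "TLS1_1"}},
    {"name": "stgood03", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "properties": {}},                                  # out of scope
]


def non_compliant(resources, rule=MODIFY_RULE):
    """Names of resources the rule's 'if' block selects for Modify."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]


def remediate(resources, rule=MODIFY_RULE):
    """What a remediation task writes: selected resources get the operations
    applied, everything else is returned untouched."""
    return [apply_modify(r, rule["then"]["details"]) if evaluate(rule["if"], r) else r
            for r in resources]


def satisfies_existence(resource, condition=QUESTION_EXISTENCE_CONDITION):
    """Evaluate the question's existenceCondition against one resource."""
    return evaluate(condition, resource)


if __name__ == "__main__":
    print("non-compliant before:", non_compliant(SAMPLE_RESOURCES))
    print("non-compliant after: ", non_compliant(remediate(SAMPLE_RESOURCES)))
    for r in SAMPLE_RESOURCES[:3]:
        print(r["name"], "meets existenceCondition:", satisfies_existence(r))
```

The `exists: false` branch is what catches accounts created before `minimumTlsVersion` existed on the resource type (the `stlegacy01` case), which `notEquals` alone would not reliably cover; the `notEquals` branch catches TLS1_0 and TLS1_1. Against Azure itself, the remediation only succeeds if the assignment's managed identity actually holds the role listed in `roleDefinitionIds`, and this script never calls Azure, so it is only a check of the rule's logic.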