问题描述
我创建了一个自定义策略,不允许在 Azure PostgreSQL 服务器的防火墙规则中使用 IP 0.0.0.0,但它在资源合规性下显示 0 个资源,并且当我创建 startIP 为 0.0.0.0 的防火墙规则时,它也没有拒绝。
这是我的代码:
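resource "azurerm_policy_definition" "db_fw" {
  # Custom definition whose rule body (../src/mypolicy.json) denies PostgreSQL
  # server firewall rules that use 0.0.0.0.
  name         = "ap-psqldb-fw-test"
  policy_type  = "Custom"
  # "Indexed" mode only evaluates resource types that support tags and location.
  # Server firewallRules are child resources without either, so under "Indexed"
  # the policy matches 0 resources and never denies anything; "All" covers them.
  mode         = "All"
  display_name = "Test policy for psql firewall rule"

  metadata = <<METADATA
{
  "version": "1.0.2",
  "category": "sql"
}
METADATA

  policy_rule = file("../src/mypolicy.json")
}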
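resource "azurerm_policy_set_definition" "ap_set" {
  # Initiative bundling the custom definition above. Referencing the
  # definition's own id (instead of a hand-written /subscriptions/... path)
  # keeps the id correct in any subscription and lets Terraform order creation.
  name         = "apset-db-fw-test"
  policy_type  = "Custom"
  display_name = "Test policyset for psql firewall rule"

  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.db_fw.id
  }
}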
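resource "azurerm_policy_assignment" "ap_assign" {
  # Assigns the single definition (not the initiative) at resource-group scope.
  # Attribute names are case-sensitive in HCL, so the block uses "metadata"
  # and "policy_definition_id" exactly as the provider declares them.
  name                 = "test-policy-assignment"
  scope                = var.resource_group_id
  policy_definition_id = azurerm_policy_definition.db_fw.id
  description          = "Testing Policy Assignment"
  display_name         = "Test DB Policy Assignment"

  metadata = <<METADATA
{
  "version": "1.0.2",
  "category": "sql"
}
METADATA
}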
mypolicy.json:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type","equals": "Microsoft.DBforPostgresql/servers/firewallRules"
},{
"field": "Microsoft.DBforPostgresql/servers/firewallRules/startIpAddress","equals": "0.0.0.0"
}
]
},{
"allOf": [
{
"field": "type",{
"field": "Microsoft.DBforPostgresql/servers/firewallRules/endIpAddress","equals": "0.0.0.0"
}
]
}
]
},"then" : {
"effect" : "Deny"
}
}
合规状态为:合规;资源合规性:100%(0 个资源中的 0 个);范围:mysub/myresourcegroup
我想知道我在这个设置中缺少什么? 如果有人能帮忙解决这个问题,我将不胜感激。
解决方法
以下是对我有用的策略(注意其 mode 为 "All" 而非 "Indexed":Indexed 模式只评估支持标签和位置的资源类型,服务器的 firewallRules 子资源不在其列,因此原策略只会显示 0 个资源;另外,下面的规则在 startIpAddress 与 endIpAddress 不相等时也会拒绝,即只允许单地址的防火墙规则):
策略定义:
{
"properties": {
"displayName": "Not allow unspecified IP/Not allow SourceIP equal to EndIP","policyType": "Custom","mode": "All","description": "","metadata": {
"category": "SQL","version": "1.0.2"
},"parameters": {
"effect": {
"type": "String","metadata": {
"description": "Enable or disable the execution of the policy","displayName": "Effect"
},"allowedValues": [
"audit","disabled","deny"
],"defaultValue": "deny"
},"listOfStartIpAddresses": {
"type": "Array","metadata": {
"description": "List of not-allowed Start IP Addresses for PSQL","displayName": "List of not-allowed Start IP Addresses for PSQL"
},"defaultValue": [
"0.0.0.0"
]
}
},"policyRule": {
"if": {
"anyof": [
{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress","notEquals": "[field('Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress')]"
},{
"field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress","in": "[parameters('listOfStartIpAddresses')]"
}
]
},"then": {
"effect": "[parameters('effect')]"
}
}
},"id": "...","type": "Microsoft.Authorization/policyDefinitions","name": "..."
}