Problem description
What is the correct and simple way to change the ASC Default parameters in Azure Policy using TF?
For example, set Monitor SQL Encryption
to any other available value besides AuditIfNotExists
or Disabled.
Solution
'ASC Default' is an initiative, or in TF terms an azurerm_policy_set_definition. You only need to assign it with "azurerm_policy_assignment".
These links may help:
- https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Security%20Center/AzureSecurityCenter.json
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment
Example for a different initiative:
# Assign the built-in "Kubernetes cluster pod security restricted standards"
# initiative at the chosen scope; the GUID is the initiative's name in Azure.
resource "azurerm_policy_assignment" "audit_k8s_security_restricted_standarts" {
  name                 = "42b8ef37-b724-4e24-bbc8-7a7708edfe00"
  scope                = local.azure_policy_scope
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00"
  description          = "This initiative includes the policies for the Kubernetes cluster pod security restricted standards."
  display_name         = "Kubernetes cluster pod security restricted standards for Linux-based workloads"

  # A system-assigned identity requires a location on the assignment.
  identity { type = "SystemAssigned" }
  location = var.primary_location

  # Initiative parameters are passed as a JSON object keyed by parameter name;
  # the value must be one of the parameter's allowedValues.
  parameters = <<PARAMETERS
{
  "effect": {
    "value": "audit"
  }
}
PARAMETERS
}
You need to put in the appropriate policy_definition_id and pass valid parameters. Start with a single simple parameter, as there is a bug in TF to begin with.
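As an added example (not part of the answer above, and not code from the azurerm provider docs), here is what the same pattern looks like for the ASC Default initiative itself, with the SQL encryption monitoring parameter overridden. Assumptions: the initiative GUID 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 and the parameter name `sqlEncryptionMonitoringEffect` are taken from the linked AzureSecurityCenter.json and must be checked against the version of the initiative in your tenant; its allowed values are assumed to be AuditIfNotExists and Disabled; the subscription ID is a placeholder; the `azurerm_policy_assignment` resource exists in azurerm 2.x and was replaced by scope-specific resources such as `azurerm_subscription_policy_assignment` in 3.0.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0" # azurerm_policy_assignment was removed in 3.0
    }
  }
}

provider "azurerm" {
  features {}
}

variable "subscription_id" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000" # placeholder, not a real subscription
}

# The value to assign to the (assumed) sqlEncryptionMonitoringEffect parameter.
# Rejecting unknown values at plan time is cheaper than a failed PUT from the
# Azure Policy API at apply time.
variable "sql_encryption_effect" {
  type    = string
  default = "Disabled"

  validation {
    # Assumed allowedValues; copy the list from the initiative JSON.
    condition     = contains(["AuditIfNotExists", "Disabled"], var.sql_encryption_effect)
    error_message = "sql_encryption_effect must be one of the initiative's allowedValues."
  }
}

locals {
  azure_policy_scope = "/subscriptions/${var.subscription_id}"
}

# Look the initiative up by its name (a GUID) instead of hardcoding the
# /providers/... path; the data source exposes the full resource ID.
data "azurerm_policy_set_definition" "asc_default" {
  name = "1f3afdf9-d0c9-4c3d-847f-89da613e70a8" # assumed GUID of ASC Default
}

resource "azurerm_policy_assignment" "asc_default" {
  name                 = "asc-default"
  scope                = local.azure_policy_scope
  policy_definition_id = data.azurerm_policy_set_definition.asc_default.id
  display_name         = "ASC Default (custom parameters)"
  description          = "ASC Default initiative with Monitor SQL Encryption overridden."

  # No identity/location block: ASC Default only contains audit-type
  # policies, so the assignment needs no managed identity to remediate.

  # Only the parameters being overridden are listed; every other parameter
  # keeps the defaultValue declared in the initiative.
  parameters = jsonencode({
    sqlEncryptionMonitoringEffect = { # assumed parameter name
      value = var.sql_encryption_effect
    }
  })
}
```

Using `jsonencode` rather than a heredoc keeps the parameter block as real HCL, so a typo in the structure is caught by `terraform validate` rather than by the API. If the assignment is still rejected, compare the parameter name and value character for character against the `parameters` section of the initiative JSON at the GitHub link above, since both are case-sensitive.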