Azure Policy storage account retention policy does not flag resources

Problem description

I am using the code below to monitor the retention policy of storage accounts. My alias seems correct, but when I look at the Compliance report it shows "100% compliant, 0 of 0". The versioning and private link policies have the same problem. I have similar storage account policies, and those actually return the number of targeted storage accounts; the only difference is that they do not reference the blob service alias the way this one does. Thanks for your answer.


    resource "azurerm_policy_definition" "sa-ensure-versioning-enabled-policy" {
      name         = "sa-ensure-versioning-enabled-policy-definition"
      policy_type  = "Custom"
      mode         = "All"
      #management_group_name = var.management_group_name
      display_name = "Ensure versioning enabled policy"

      metadata = <<METADATA
        {
          "version": "1.0.0",
          "category": "Storage"
        }
      METADATA

      policy_rule = <<POLICY_RULE
        {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
              },
              {
                "not": {
                  "field": "Microsoft.Storage/storageAccounts/blobServices/default.isVersioningEnabled",
                  "equals": "true"
                }
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]"
          }
        }
      POLICY_RULE

      parameters = <<PARAMETERS
        {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disabled' turns off the policy."
            },
            "allowedValues": [
              "audit",
              "deny",
              "disabled"
            ],
            "defaultValue": "audit"
          }
        }
      PARAMETERS
    }

    resource "azurerm_policy_assignment" "sa-ensure-versioning-enabled-policy-assignment" {
      name                 = "sa-ensure-versioning-enabled-policy-assignment"
      scope                = data.azurerm_subscription.current.id
      policy_definition_id = azurerm_policy_definition.sa-ensure-versioning-enabled-policy.id
      description          = "Storage Account ensure delete retention policy."
      display_name         = "Ensure versioning enabled policy"

      parameters = <<PARAMETERS
        {
          "effect": {
            "value": "audit"
          }
        }
      PARAMETERS
    }





Solution

It appears to be a bug in Azure, documented here: https://github.com/Azure/azure-policy/issues/377. Apparently Microsoft.Storage/storageAccounts/blobServices does not work yet. The ETA for a fix was September 2020, but that date and the earlier ones have already passed.


Any policy involving Microsoft.Storage/storageAccounts/blobServices (delete retention, versioning, etc.) should also work using the code below. This now works with the following policy:

    {
        "mode": "All",
        "policyRule": {
            "if": {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "existenceCondition": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled",
                        "equals": "true"
                    }
                }
            }
        },
        "parameters": {}
    }
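The following is an added example, not code from the question or either answer: it takes the working auditIfNotExists pattern from the answer above and wraps it in the same two Terraform resources the question used, with the effect made a parameter so the policy can be switched off without editing it. It also goes one step beyond the answer by checking the length of the retention window. It assumes `data.azurerm_subscription.current` is declared elsewhere (as in the question), an azurerm provider version that still offers `azurerm_policy_assignment`, and that the alias `Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.days` exists (that alias is not shown on this page). The Contributor role id in `roleDefinitionIds` is copied from the answer.

```hcl
# Added example (not the question's or the answers' code).
# Assumes: data.azurerm_subscription.current is declared elsewhere, and an
# azurerm provider version that still ships azurerm_policy_assignment.

resource "azurerm_policy_definition" "sa_blob_soft_delete" {
  name         = "sa-blob-soft-delete-policy-definition"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Storage account blob soft delete should be enabled"

  metadata = jsonencode({
    version  = "1.0.0"
    category = "Storage"
  })

  # "if" targets only the parent storage account. The blobServices child
  # is evaluated through "details"/"existenceCondition", which is the
  # pattern the answer found to work where the direct blobServices alias
  # in the question did not. An account whose blob service fails the
  # existence condition is reported non-compliant.
  policy_rule = jsonencode({
    if = {
      field  = "type"
      equals = "Microsoft.Storage/storageAccounts"
    }
    then = {
      effect = "[parameters('effect')]"
      details = {
        type = "Microsoft.Storage/storageAccounts/blobServices"
        # Contributor role id, copied from the answer above.
        roleDefinitionIds = [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ]
        existenceCondition = {
          allOf = [
            {
              field  = "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled"
              equals = "true"
            },
            {
              # Assumed alias for the retention window (not shown on the page).
              field           = "Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.days"
              greaterOrEquals = "[parameters('minRetentionDays')]"
            }
          ]
        }
      }
    }
  })

  parameters = jsonencode({
    effect = {
      type = "String"
      metadata = {
        displayName = "Effect"
        description = "AuditIfNotExists flags storage accounts without a compliant blob service; Disabled turns the policy off."
      }
      allowedValues = ["AuditIfNotExists", "Disabled"]
      defaultValue  = "AuditIfNotExists"
    }
    minRetentionDays = {
      type = "Integer"
      metadata = {
        displayName = "Minimum soft-delete retention (days)"
        description = "Blob services that keep deleted blobs for fewer days are reported non-compliant."
      }
      defaultValue = 7
    }
  })
}

resource "azurerm_policy_assignment" "sa_blob_soft_delete" {
  name                 = "sa-blob-soft-delete-policy-assignment"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.sa_blob_soft_delete.id
  display_name         = "Storage account blob soft delete should be enabled"
  description          = "Audits storage accounts whose blob service has soft delete off or a retention window shorter than the minimum."

  parameters = jsonencode({
    effect           = { value = "AuditIfNotExists" }
    minRetentionDays = { value = 14 }
  })
}
```

`jsonencode` is used instead of the heredocs from the question so that Terraform validates the JSON structure before it reaches Azure. On azurerm provider 3.x and later, `azurerm_policy_assignment` has been replaced by `azurerm_subscription_policy_assignment`, which takes `subscription_id` instead of `scope`; the definition resource is unchanged. After assignment, the compliance report should list the storage accounts in scope as its total rather than "0 of 0", since the evaluated resource type is now the parent account.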