【Posted】: 2020-07-27 09:25:54
【Problem description】:
I have the following policy rule. In the end it should check whether a resource group exists at subscription level. If it does not exist, it should start a remediation task deployment. I want to pass a parameter into this rule.
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Resources/subscriptions"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Resources/subscriptions/resourceGroups",
      "name": "my_resource_group",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
      ],
      "existenceScope": "Subscription",
      "existenceCondition": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "name",
            "equals": "parameters('resourceGroup')"
          }
        ]
      },
      "deploymentScope": "Subscription",
      "deployment": {
        "location": "westeurope",
        "properties": {
          "mode": "incremental",
          "parameters": {
            "targetResourceGroup": {
              "value": "[parameters('resourceGroup')]"
            },
            "ascWorkflowName": {
              "value": "[parameters('securityAutomationWorkflowName')]"
            },
            "location": {
              "value": "[parameters('location')]"
            },
            "logicAppName": {
              "value": "[parameters('logicAppName')]"
            },
            "logicAppSubscription": {
              "value": "[parameters('logicAppSubscription')]"
            }
          },
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "targetResourceGroup": {
                "type": "string"
              },
              "ascWorkflowName": {
                "type": "string"
              },
              "location": {
                "type": "string",
                "defaultValue": "westeurope"
              },
              "logicAppName": {
                "type": "string"
              },
              "logicAppSubscription": {
                "type": "string"
              }
            },
            "variables": {
              "logicAppName": "[parameters('logicAppName')]",
              "logicAppTriggerName": "When_an_Azure_Security_Center_Recommendation_is_created_or_triggered",
              "logicAppResourceId": "[concat('/subscriptions/', parameters('logicAppSubscription'), '/resourceGroups/', parameters('targetResourceGroup') , '/providers/Microsoft.Logic/workflows/', variables('logicAppName'))]",
              "ascWorkflowTriggerId": "[concat('/subscriptions/', parameters('logicAppSubscription'), '/resourceGroups/', parameters('targetResourceGroup') , '/providers/Microsoft.Logic/workflows/', variables('logicAppName') ,'/triggers/', variables('logicAppTriggerName'))]"
            },
            "resources": [
              {
                "apiVersion": "2019-01-01-preview",
                "name": "[parameters('ascWorkflowName')]",
                "type": "Microsoft.Security/automations",
                "location": "westeurope",
                "tags": {},
                "properties": {
                  "description": "Workflow to push security center recommendations to our logicApp that routes it to serviceNow",
                  "isEnabled": true,
                  "scopes": [
                    {
                      "description": "[concat('scope for current subscriptionId:', subscription().subscriptionId)]",
                      "scopePath": "[concat('/subscriptions/',subscription().subscriptionId)]"
                    }
                  ],
                  "sources": [
                    {
                      "eventSource": "Assessments",
                      "ruleSets": [
                        {
                          "rules": [
                            {
                              "propertyJPath": "type",
                              "propertyType": "String",
                              "expectedValue": "Microsoft.Security/assessments",
                              "operator": "Contains"
                            }
                          ]
                        }
                      ]
                    }
                  ],
                  "actions": [
                    {
                      "logicAppResourceId": "[variables('logicAppResourceId')]",
                      "actionType": "LogicApp",
                      "uri": "[listCallbackUrl(variables('ascWorkflowTriggerId'), '2016-06-01').value]"
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  }
}
With this setup I want the resourceGroup parameter to reference a parameter linked to the parent policy set / initiative. But I get an error when using the azure-cli from PowerShell. Why do I get this error message?
function ConvertTo-PolicyJson {
    param (
        [PSCustomObject] $inputObject
    )
    # See this issue with convertto-json array serialization problem -
    # https://stackoverflow.com/questions/20848507/why-does-powershell-give-different-result-in-one-liner-than-two-liner-when-conve/38212718#38212718
    # Remove the redundant ETS-supplied .Count property
    $removed = Remove-TypeData System.Array -erroraction 'silentlycontinue'
    $json = ConvertTo-Json $inputObject -Depth 10
    return $json.replace('"', '\"').replace("`n","").replace("`r","" )
}
...
$policyRuleParametersJson = ConvertTo-PolicyJson @{
    "resourceGroup" = @{
        "type" = "String"
        "defaultValue" = "$ResourceGroup"
        "metadata" = @{
            "description" = "The resource group where the resources are located in"
            "displayName" = "Resource group"
            "strongType" = "existingResourceGroups"
        }
    }
}
...
$policySetJson = ConvertTo-PolicyJson @(
    @{
        "policyDefinitionId" = "/subscriptions/$Subscription/providers/Microsoft.Authorization/policyDefinitions/$ResourceGroupExistsPolicyName"
        "parameters" = @{
            "resourceGroup" = @{
                "value" = "my_resource_group"
            }
        }
...
$policyDefinitionSetCreateResult = az policy set-definition create `
    --subscription $Subscription `
    --definitions $policySetJson `
    --params $policyRuleParametersJson `
    --name $PolicySetName `
    --description $PolicySetDescription `
    --display-name $PolicySetDisplayName
The error I get is:
The policy set 'my-policy-set' has defined parameters 'resourceGroup' which are not used in referenced policy definitions. Please either remove these parameters from the definition or ensure that they are used.
But as far as I can tell, I am using the resourceGroup parameter. By the way, I condensed the failing example down to a single parameter (resourceGroup). In the end I want to use more parameters.
Can anyone help?
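As an added example (not part of the original question, and not Azure's own validation code), the following stand-alone Python lint reproduces the condition behind the error message quoted above: Azure Policy only counts an initiative parameter as used when a policy definition reference hands it down with the expression syntax "[parameters('name')]"; a literal value such as "my_resource_group" in the reference's parameters block does not count. The same script also walks a policy rule for comparisons written as "parameters('x')" without the surrounding square brackets, which the policy engine compares as a literal string rather than evaluating. The initiative parameters, policy definition id and rule fragment are constructed to mirror the shapes in the question; the helper names are mine and belong to no Azure SDK.

```python
"""Lint for two Azure Policy parameter pitfalls (added example, constructed input).

1. An initiative (policy set) must not declare a parameter that no referenced
   policy definition consumes. A definition consumes an initiative parameter
   only via the expression form "[parameters('name')]".
2. Inside a policy rule, "parameters('x')" without brackets is a plain string
   and is never evaluated.
"""
import re
from typing import Any, Dict, Iterator, List, Set, Tuple

# Exact policy expression form: "[parameters('name')]"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
# A function call that lost its brackets: "parameters('name')"
UNBRACKETED_REF = re.compile(r"^parameters\('([^']+)'\)$")


def _walk_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf of a JSON-like object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def unused_initiative_parameters(definitions: List[Dict[str, Any]],
                                 initiative_params: Dict[str, Any]) -> Set[str]:
    """Return the initiative parameters that no policyDefinition reference uses.

    Mirrors the server-side check that produces "has defined parameters ...
    which are not used in referenced policy definitions": only values of the
    form "[parameters('name')]" inside a reference's "parameters" block count.
    """
    used: Set[str] = set()
    for ref in definitions:
        for _, value in _walk_strings(ref.get("parameters", {})):
            match = PARAM_REF.match(value)
            if match:
                used.add(match.group(1))
    return set(initiative_params) - used


def unbracketed_parameter_refs(policy_rule: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (path, value) pairs where a rule compares against the literal text
    parameters('x') instead of evaluating [parameters('x')]."""
    return [(p, v) for p, v in _walk_strings(policy_rule) if UNBRACKETED_REF.match(v)]


# --- constructed sample input, shaped like the question's initiative ----------
INITIATIVE_PARAMS = {
    "resourceGroup": {"type": "String", "defaultValue": "my_resource_group"}
}
# Hypothetical policy definition id (placeholder subscription and name).
POLICY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/providers/Microsoft.Authorization/policyDefinitions/rg-exists")

# Reference that passes a literal: the initiative parameter is never consumed.
DEFINITIONS_LITERAL = [
    {"policyDefinitionId": POLICY_ID,
     "parameters": {"resourceGroup": {"value": "my_resource_group"}}}
]
# Reference that hands the initiative parameter down by expression.
DEFINITIONS_REFERENCED = [
    {"policyDefinitionId": POLICY_ID,
     "parameters": {"resourceGroup": {"value": "[parameters('resourceGroup')]"}}}
]

# Trimmed rule fragment carrying an existenceCondition comparison without brackets.
RULE_SNIPPET = {
    "then": {"details": {"existenceCondition": {"allOf": [
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"field": "name", "equals": "parameters('resourceGroup')"},
    ]}}}
}

if __name__ == "__main__":
    print("literal value   ->", unused_initiative_parameters(DEFINITIONS_LITERAL, INITIATIVE_PARAMS))
    print("expression form ->", unused_initiative_parameters(DEFINITIONS_REFERENCED, INITIATIVE_PARAMS))
    for path, value in unbracketed_parameter_refs(RULE_SNIPPET):
        print(f"{path}: {value!r} is a literal string; the expression form is \"[{value}]\"")
```

Run it against the two JSON documents you hand to `az policy set-definition create --definitions` and `--params` before calling the CLI: an initiative parameter that shows up in the first function's result is exactly what the service rejects, and any hit from the second function is a comparison the rule will make against a fixed string.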
【Discussion】: