【Question title】: Azure DeployIfNotExist Policy evaluates but does not deploy template / shows compliant
【Posted】: 2019-06-10 08:54:46
【Question】:

I am working on a DeployIfNotExist Azure Policy that checks all vnets, checks whether a specific peering exists and, if it does, checks whether the UDR settings are in place. If they differ from what is specified, it is meant to deploy the required UDR.

I can't get it to work. The current state is that the initial check works (non-compliant vnets are reported), but there is no automatic remediation of new/updated vnets. Also, if I remediate manually, the vnet is still flagged as non-compliant.

The Azure Policy rule is as follows.

{
  "if": {
      "anyOf": [
          {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/virtualNetworks"
                },
                {
                    "field": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings[*].peeringState",
                    "equals": "Connected"
                },
                {
                    "field": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings[*].name",
                    "equals": "peerSpokeToHub"
                }
            ]
          },
          {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings"
                },
                {
                    "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
                    "exists": "true"
                }
            ]
          }
      ]
    },
    "then": {
          "effect": "deployIfNotExists",
          "details": {
              "type": "Microsoft.Network/virtualNetworks/subnets",
              "existenceCondition": {
                  "allOf": [
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
                          "exists": "true"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].name",
                          "equals": "toNVA"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].addressPrefix",
                          "equals": "0.0.0.0/0"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].nextHopType",
                          "equals": "VirtualAppliance"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].nextHopIpAddress",
                          "in": ["10.0.0.1", "10.0.0.2"]
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].provisioningState",
                          "equals": "Succeeded"
                      }
                  ]
              },
              "roleDefinitionIds": [
                  "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              ],
              "deployment": {
                  "properties": {
                      "mode": "incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "vNetName": {
                            "type": "string",
                            "metadata": {
                              "description": "subnet to attach udr"
                            }
                          },
                          "RouteTableName": {
                            "type": "string",
                            "metadata": {
                              "description": "Name of a route table upon remediation"
                            }
                          },
                          "location": {
                            "type": "string",
                            "metadata": {
                              "description": "location of resource"
                            }
                          },
                          "NVAip": {
                            "type": "string",
                            "metadata": {
                              "description": "NVA IP"
                            }
                          }
                        },
                        "resources": [
                          {
                            "name": "[parameters('RouteTableName')]",
                            "type": "Microsoft.Network/routeTables",
                            "apiVersion": "2018-11-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "routes": [
                                {
                                  "properties": {
                                    "addressPrefix": "0.0.0.0/0",
                                    "nextHopType": "VirtualAppliance",
                                    "nextHopIpAddress": "[parameters('NVAip')]"
                                  },
                                  "name": "toNVA"
                                }
                              ]
                            }
                          },
                          {
                            "apiVersion": "2017-08-01",
                            "name": "apply-routetable-to-subnet",
                            "type": "Microsoft.Resources/deployments",
                            "resourceGroup": "[resourceGroup().name]",
                            "dependsOn": [
                              "[concat('Microsoft.Network/routeTables/', 'RouteTable')]"
                            ],
                            "properties": {
                              "mode": "Incremental",
                              "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "resources": [
                                  {
                                    "apiVersion": "2018-08-01",
                                    "type": "Microsoft.Network/virtualNetworks/subnets",
                                    "name": "[concat(parameters('vNetName'),'/default')]",
                                    "location": "[resourceGroup().location]",
                                    "properties": {
                                      "addressPrefix": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), 'default'), '2018-03-01').addressPrefix]",
                                      "routeTable": {
                                        "id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTableName'))]"
                                      },
                                      "networkSecurityGroup": {
                                        "id": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), 'default'), '2018-03-01').networkSecurityGroup.id]"
                                      }
                                    }
                                  }
                                ]
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                          "vNetName":    {
                            "value": "[field('fullName')]"
                          },
                          "RouteTableName": {
                            "value": "[parameters('RouteTableName')]"
                          },
                          "NVAip": {
                            "value": "[parameters('fortigateIp')]"
                          },
                          "location": {
                            "value": "[field('location')]"
                          }
                      }
                  }
              }
          }
      }
  }
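Added example, not part of the question or answer: a small Python evaluator that applies the policy's existenceCondition to constructed subnet objects. It simplifies Azure's alias resolution (the assumption is noted in the code) and encodes the documented rule that a `[*]` condition holds only when every array element satisfies it, so it also shows that a route table holding the toNVA route plus any other route fails the check.

```python
"""Constructed mini-evaluator for the existenceCondition above (not Azure's real engine).
Assumption: an alias is resolved by stripping the resource-type prefix and walking the dotted
path on a simplified subnet dict whose routeTable holds both 'id' and 'routes'."""
SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets/"
EXISTENCE_CONDITION = {"allOf": [  # copied from the question's policy rule
    {"field": SUBNET_TYPE + "routeTable.id", "exists": "true"},
    {"field": SUBNET_TYPE + "routeTable.routes[*].name", "equals": "toNVA"},
    {"field": SUBNET_TYPE + "routeTable.routes[*].addressPrefix", "equals": "0.0.0.0/0"},
    {"field": SUBNET_TYPE + "routeTable.routes[*].nextHopType", "equals": "VirtualAppliance"},
    {"field": SUBNET_TYPE + "routeTable.routes[*].nextHopIpAddress", "in": ["10.0.0.1", "10.0.0.2"]},
    {"field": SUBNET_TYPE + "routeTable.routes[*].provisioningState", "equals": "Succeeded"},
]}
MISSING = object()  # sentinel: the path does not exist on the resource

def norm(v):  # Azure Policy compares strings case-insensitively
    return v.lower() if isinstance(v, str) else v

def resolve(obj, path):
    """Values an alias path selects on obj; '[*]' fans out over every array element."""
    if not path:
        return [obj]
    head, _, rest = path.partition(".")
    if head.endswith("[*]"):
        items = obj.get(head[:-3], []) if isinstance(obj, dict) else []
        return [v for item in items for v in resolve(item, rest)]
    if not isinstance(obj, dict) or head not in obj:
        return [MISSING]
    return resolve(obj[head], rest)

def check(value, cond):
    """One condition on one selected value; only exists / equals / in are needed here."""
    if "exists" in cond:
        return (value is not MISSING) == (str(cond["exists"]).lower() == "true")
    if value is MISSING:
        return False
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    return norm(value) in [norm(x) for x in cond["in"]]  # the 'in' operator

def evaluate(subnet, condition=EXISTENCE_CONDITION):
    """True only when every condition holds for every element a '[*]' path selects."""
    return all(all(check(v, c) for v in resolve(subnet, c["field"][len(SUBNET_TYPE):])) for c in condition["allOf"])

# Constructed sample subnets in the simplified shape described above.
ROUTE_NVA = {"name": "toNVA", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
             "nextHopIpAddress": "10.0.0.1", "provisioningState": "Succeeded"}
ROUTE_EXTRA = {"name": "toOnPrem", "addressPrefix": "192.168.0.0/16",
               "nextHopType": "VirtualNetworkGateway", "provisioningState": "Succeeded"}
def subnet_with(routes):
    return {"name": "default", "routeTable": {"id": "/placeholder/routeTables/rt-spoke", "routes": routes}}
SUBNET_NO_UDR = {"name": "default"}                              # no route table: deployment should trigger
SUBNET_ONLY_NVA = subnet_with([ROUTE_NVA])                       # exactly the route the template creates
SUBNET_NVA_PLUS_EXTRA = subnet_with([ROUTE_NVA, ROUTE_EXTRA])    # toNVA present, but one more route
```

Because every `[*]` condition must hold for all routes, the third subnet is judged non-compliant even though the toNVA route exists, which is the kind of false negative worth ruling out when a manually remediated vnet keeps showing as non-compliant.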

【Question discussion】:

  • When you go to the Azure portal, what does the Remediation tab show? Usually there is a status indicating success/failure and information about the deployment.

Tags: azure policy


【Solution 1】:

This seems to be an issue with your ARM template. I would definitely test it and check it. The ARM VSCode extension now has what-if testing, which lets you see what will happen when you deploy that template.

【Discussion】:
