Azure策略:删除资源组上的锁 [英] Azure Policy: Delete lock on resource group

问题描述

我尝试使用Azure策略检查生产订阅中的所有资源组是否都具有"CanNotDelete"锁.

I try do use Azure Policy to check if all resource groups in my production subscription have a "CanNotDelete" lock.

我制定了一个受这本书启发的政策问题，结果可以在下面找到.

I built a policy inspired by this question, the result can be found below.

在测试时，我发现没有锁定的资源组被正确地检测为不兼容".但是，如果资源组包含具有专用锁的资源(Scope = resource，例如仅在KeyVault上)，则整个资源组将被标记为合规-即使只有一个资源确实具有锁.有没有一种方法可以设计 existenceCondition ，使锁必须位于整个资源组上?

While testing this, I found out that resource groups without a lock are correctly detected as "non-compliant". However, if a resource group contains a resource which has a dedicated lock (Scope=resource, e.g. only on a KeyVault), the whole resource group will be marked as compliant - even tough only one resource really has a lock. Is there a way to design the existenceCondition so that the lock has to be on the whole resource group?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions/resourceGroups"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Authorization/locks",
        "existenceCondition": {
          "field": "Microsoft.Authorization/locks/level",
          "equals": "CanNotDelete"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.Authorization/locks",
                  "apiVersion": "2017-04-01",
                  "name": "ResourceLock",
                  "properties": {
                    "level": "CanNotDelete",
                    "notes": "Prevent accidental deletion of resources"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

推荐答案

我不这么认为，因为locks属性中没有任何内容详细说明了被阻止的作用域级别.

I do not think so since there is nothing in the locks property that details what scope level is being blocked.

这篇关于Azure策略:删除资源组上的锁的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！