提问人:Paul Jolly 提问时间:11/10/2023 更新时间:11/10/2023 访问量:20
Azure NSG 流日志内置策略在创建新资源时不修正 [已关闭]
Azure NSG Flow Log built in policy not remediating on creating a new resource [closed]
问:
我在 Azure 中使用内置的 NSG 流日志策略 - 使用目标网络安全组部署流日志资源,但该策略的行为方式对我来说有所不同。
如果创建新的 NSG - 不会创建流日志(我期望内置策略会考虑到 DeployIfNotExists 效果而自动创建)
修正有效,并创建流日志,但资源仍显示为不合规。
不合规原因 没有相关资源与策略定义中的效果详细信息匹配。(错误代码:ResourceNotFound) 存在条件 类型 Microsoft.Network/networkWatchers/flowlogs
知道这里发生了什么吗?
注意:位置和网络观察者区域一切都是英国南部
{
"properties": {
"displayName": "Deploy a flow log resource with target network security group",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces.",
"metadata": {
"version": "1.1.0",
"category": "Network"
},
"parameters": {
"nsgRegion": {
"type": "String",
"metadata": {
"displayName": "NSG Region",
"description": "This Policy will review NSGs only in the selected region. You can create other assignments to include other regions.",
"strongType": "location"
}
},
"storageId": {
"type": "String",
"metadata": {
"displayName": "Storage id",
"description": "A string with the storage id for the flowlogs to be sent to. It will be used for deployment purposes only. Make sure this storage account is located in the same region as the NSG. The format must be: '/subscriptions/{subscription id}/resourceGroups/{resourceGroup name}/providers/Microsoft.Storage/storageAccounts/{storage account name}",
"assignPermissions": true
}
},
"networkWatcherRG": {
"type": "String",
"metadata": {
"displayName": "Network Watchers RG",
"description": "The name of the resource group where the flowLog resources will be created. This will be used only if a deployment is required. This is the resource group where the Network Watchers are located.",
"strongType": "existingResourceGroups"
}
},
"networkWatcherName": {
"type": "String",
"metadata": {
"displayName": "Network Watcher name",
"description": "The name of the network watcher under which the flowLog resources will be created. Make sure it belongs to the same region as the NSG."
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"field": "location",
"equals": "[parameters('nsgRegion')]"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Network/networkWatchers/flowlogs",
"resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]",
"name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
"equals": "true"
},
{
"field": "Microsoft.Network/networkWatchers/flowLogs/storageId",
"equals": "[parameters('storageId')]"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageId": {
"type": "String"
},
"networkWatcherRG": {
"type": "String"
},
"networkWatcherName": {
"type": "String"
},
"flowlogName": {
"type": "String"
},
"location": {
"type": "String"
},
"targetResource": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"name": "[concat('flowlogDeployment-', uniqueString(parameters('flowlogName')))]",
"apiVersion": "2019-10-01",
"resourceGroup": "[parameters('networkWatcherRG')]",
"properties": {
"mode": "incremental",
"parameters": {},
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.Network/networkWatchers/flowLogs",
"name": "[concat(parameters('networkWatcherName'), '/', parameters('flowlogName'))]",
"apiVersion": "2019-11-01",
"location": "[parameters('location')]",
"properties": {
"targetResourceId": "[parameters('targetResource')]",
"storageId": "[parameters('storageId')]",
"enabled": "true",
"retentionPolicy": {
"days": "0",
"enabled": "false"
}
}
}
]
}
}
}
]
},
"parameters": {
"storageId": {
"value": "[parameters('storageId')]"
},
"networkWatcherRG": {
"value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]"
},
"networkWatcherName": {
"value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherName'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8])]"
},
"flowlogName": {
"value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), concat(take(concat(field('name'), '-', resourceGroup().name), 72), '-', 'flowlog'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10])]"
},
"location": {
"value": "[field('location')]"
},
"targetResource": {
"value": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
}
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/0db34a60-64f4-4bf6-bd44-f95c16cf34b9",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "0db34a60-64f4-4bf6-bd44-f95c16cf34b9"
}
答: 暂无答案
评论