Asked by: r0r0n0a  Asked: 10/20/2023  Last edited by: r0r0n0a  Updated: 10/20/2023  Views: 71
How to verify if VM has a set of extensions through Azure policy?
Q:
I am trying to verify whether a set of extensions is installed on a VM. I wrote the policy below, but I think it is only evaluating the first extension, or the policy is not behaving as I expected. Can you help with this?
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
          "equals": "Windows"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "NetworkWatcherAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "ConfigurationforWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "DependencyAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "VMAccessAgent"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "AzureDiskEncryption"
            }
          ]
        }
      }
    }
  }
}
These extensions are listed as resources alongside the "Microsoft.Compute/virtualMachines" type. This is how an installed extension looks in the ARM template:
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2023-03-01",
  "name": "[concat(parameters('virtualMachines_ironmanjboxsit_name'), '/AzureNetworkWatcherExtension')]",
  "location": "eastasia",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachines_ironmanjboxsit_name'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.NetworkWatcher",
    "type": "NetworkWatcherAgentWindows",
    "typeHandlerVersion": "1.4"
  }
}
Error / problematic behaviour:
The extensions I am checking for are a small subset of what the VM has. For example, the VM shown below also has the AzureSecurityCenter extension in addition to the set of extensions I listed in the policy.
A:
0 votes
Venkat V
10/20/2023
#1
Here is an updated policy that audits Azure Windows virtual machines if the specified extensions do not exist on the VM.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
              "exists": "true"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
              "like": "Windows"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "AuditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "NetworkWatcherAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "ConfigurationforWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "DependencyAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "VMAccessAgent"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "AzureDiskEncryption"
            }
          ]
        }
      }
    }
  },
  "parameters": {}
}
Once the policy is assigned to a scope, it starts auditing Azure Windows virtual machines, as shown below.
Note: the policy takes some time to audit resources after assignment, so wait a while before expecting to see results.
Comments:
0 votes
r0r0n0a
10/20/2023
Hi Venkat, thanks for your reply. However, I am still facing the same difficulty. Even though the extensions exist on the VM, I find the resource non-compliant. This is what I see in the "Non-compliant" details:
Non-compliance reason: Current value must be equal to the target value.
Field: Microsoft.Compute/virtualMachines/extensions/type
Path: properties.type
Current value: "WindowsAgent.AzureSecurityCenter"
Target value: "NetworkWatcherAgentWindows"
I feel it takes the extensions in the order I specified them in the policy and checks them one by one against the VM, rather than checking the whole set.
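The behaviour reported in the question and in the comment above follows from how AuditIfNotExists works: the existenceCondition is evaluated against each related "Microsoft.Compute/virtualMachines/extensions" resource on its own, and the VM is compliant when at least one related resource satisfies it. A single extension resource has exactly one properties.type, so an allOf of five different "equals" values on the same extensions/type field can never be true for any one extension, and the first mismatch is what the compliance report shows. Requiring all five extensions therefore needs one policy definition per extension, grouped into an initiative (policy set). The Python below is an added example, not code from the question or from Venkat V's answer: it models that per-resource evaluation with a simplified stand-in for the policy engine (an assumption for illustration, not the real engine), builds one deployable per-extension definition in the same shape as the policies on this page, and uses constructed VM extension data.

```python
"""Added example (not from the original question or answer).

Models how an AuditIfNotExists existenceCondition is evaluated: once per
related extension resource, compliant if ANY related resource matches.
The evaluator is a simplified stand-in for the Azure Policy engine and the
VM extension data are constructed for this illustration.
"""
from typing import Any

EXT_TYPE_FIELD = "Microsoft.Compute/virtualMachines/extensions/type"

# Extension types the question wants every Windows VM to carry.
REQUIRED_EXTENSIONS = [
    "NetworkWatcherAgentWindows",
    "ConfigurationforWindows",
    "DependencyAgentWindows",
    "VMAccessAgent",
    "AzureDiskEncryption",
]

# Constructed sample: one dict per installed extension resource, holding the
# properties.type value the extensions/type alias resolves to. The security
# center agent is present as well, as in the question.
SAMPLE_VM_EXTENSIONS = [
    {"type": "WindowsAgent.AzureSecurityCenter"},
    {"type": "NetworkWatcherAgentWindows"},
    {"type": "ConfigurationforWindows"},
    {"type": "DependencyAgentWindows"},
    {"type": "VMAccessAgent"},
    {"type": "AzureDiskEncryption"},
]


def evaluate_condition(condition: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Evaluate an allOf / anyOf / field-equals condition against ONE related resource."""
    if "allOf" in condition:
        return all(evaluate_condition(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate_condition(c, resource) for c in condition["anyOf"])
    if condition.get("field") == EXT_TYPE_FIELD and "equals" in condition:
        return resource.get("type") == condition["equals"]
    raise ValueError(f"unsupported condition in this model: {condition}")


def audit_if_not_exists(existence_condition: dict[str, Any],
                        related_resources: list[dict[str, Any]]) -> bool:
    """Compliant (True) when at least one related resource satisfies the condition."""
    return any(evaluate_condition(existence_condition, r) for r in related_resources)


def single_policy_condition() -> dict[str, Any]:
    """The question's approach: one allOf listing every required type."""
    return {"allOf": [{"field": EXT_TYPE_FIELD, "equals": t} for t in REQUIRED_EXTENSIONS]}


def policy_definition_for(extension_type: str) -> dict[str, Any]:
    """A deployable AuditIfNotExists definition requiring ONE extension type.

    Same shape as the policies in the thread; deploy one per required type and
    group them in an initiative so the VM must satisfy every one of them.
    """
    return {
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                 "equals": "Windows"},
            ]},
            "then": {"effect": "AuditIfNotExists", "details": {
                "type": "Microsoft.Compute/virtualMachines/extensions",
                "existenceCondition": {"field": EXT_TYPE_FIELD, "equals": extension_type},
            }},
        },
    }


def evaluate_initiative(extensions: list[dict[str, Any]]) -> dict[str, bool]:
    """Evaluate each per-extension policy separately, as an initiative does."""
    results: dict[str, bool] = {}
    for ext_type in REQUIRED_EXTENSIONS:
        details = policy_definition_for(ext_type)["policyRule"]["then"]["details"]
        results[ext_type] = audit_if_not_exists(details["existenceCondition"], extensions)
    return results


def initiative_compliant(extensions: list[dict[str, Any]]) -> bool:
    """The VM passes the initiative only if every per-extension policy passes."""
    return all(evaluate_initiative(extensions).values())


if __name__ == "__main__":
    # The single allOf policy never passes even with all extensions installed;
    # the per-extension initiative reports each requirement individually.
    print("single allOf policy:", audit_if_not_exists(single_policy_condition(), SAMPLE_VM_EXTENSIONS))
    print("per-extension initiative:", evaluate_initiative(SAMPLE_VM_EXTENSIONS))
```

Running the block shows the single allOf policy as non-compliant although all five extensions are installed, while the per-extension initiative reports each requirement separately, so a missing extension is named rather than masked by the first mismatch.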