Comparing an Azure Policy rule JSON with the JSON output of the Azure REST API in C# using JMESPath.Net
I have tried using the JMESPath.Net NuGet package to query the JSON data.
{
  "properties": {
    "displayName": "Audit if Key Vault has no virtual network rules",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Audits Key Vault vaults if they do not have virtual network service endpoints set up. More information on virtual network service endpoints in Key Vault is available here: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview-vnet-service-endpoints",
    "metadata": {
      "category": "Key Vault",
      "createdBy": "xxxxxx",
      "createdOn": "xxxxxx",
      "updatedBy": "xxxxxx",
      "updatedOn": "xxxxxx"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id",
                "notLike": "*"
              },
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "equals": "Allow"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  },
  "id": "xxxxxxx",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "wkpolicydef"
}
{
  "id": "xxxxxx",
  "name": "xxxxx",
  "type": "Microsoft.KeyVault/vaults",
  "location": "eastus",
  "tags": {},
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "xxxxxx",
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [],
      "virtualNetworkRules": [
        {
          "id": "xxxxxxx"
        }
      ]
    },
    "accessPolicies": [
      {
        "tenantId": "xxxxx",
        "objectId": "xxxxxxx",
        "permissions": {
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ]
        }
      }
    ],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "vaultUri": "https://xxxxxxx.vault.azure.net/",
    "provisioningState": "Succeeded"
  }
}
We need to compare the rule's type with the resource output JSON and, if it matches, validate the policy rule conditions against the resource output JSON. In this case, the rule requires a virtual network rule ID to be present, and the resource JSON must have the same configured in the Key Vault.
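One way to do this check, as an added example that is not code from the question author: walk the policy's `if` tree (`allOf` / `anyOf` / `not` plus the `equals`, `exists`, `like` and `notLike` field operators used here), translate each policy alias such as `Microsoft.KeyVault/vaults/networkAcls.defaultAction` into the JMESPath expression `properties.networkAcls.defaultAction`, and run it against the resource JSON with JMESPath.Net's `JmesPath.Transform`. The code assumes the JMESPath.Net package (namespace `DevLab.JmesPath`), .NET 6 or later, and two trimmed, constructed copies of the question's documents with placeholder IDs. The alias mapping (`strip the resource type, prepend "properties."`) and the treatment of `[*]` aliases (operator must hold for every element, vacuously true when the array is missing or empty) are simplifications of the service's real semantics and are labelled as assumptions in the comments.

```csharp
using System;
using System.Linq;
using System.Text.Json;
using System.Text.RegularExpressions;
using DevLab.JmesPath;   // JMESPath.Net NuGet package

public static class PolicyEvaluator
{
    private static readonly JmesPath Jmes = new JmesPath();

    // Constructed, trimmed copies of the two documents in the question (IDs are placeholders).
    const string PolicyJson = @"{ ""properties"": { ""policyRule"": {
        ""if"": { ""allOf"": [
            { ""field"": ""type"", ""equals"": ""Microsoft.KeyVault/vaults"" },
            { ""anyOf"": [
                { ""field"": ""Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id"", ""exists"": ""false"" },
                { ""field"": ""Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id"", ""notLike"": ""*"" },
                { ""field"": ""Microsoft.KeyVault/vaults/networkAcls.defaultAction"", ""equals"": ""Allow"" } ] } ] },
        ""then"": { ""effect"": ""audit"" } } } }";

    const string VaultJson = @"{ ""id"": ""placeholder-id"", ""name"": ""placeholder-name"", ""type"": ""Microsoft.KeyVault/vaults"",
        ""properties"": { ""networkAcls"": { ""bypass"": ""AzureServices"", ""defaultAction"": ""Deny"",
            ""ipRules"": [], ""virtualNetworkRules"": [ { ""id"": ""placeholder-subnet-id"" } ] } } }";

    public static void Main()
    {
        using var policy = JsonDocument.Parse(PolicyJson);
        var rule = policy.RootElement.GetProperty("properties").GetProperty("policyRule");
        bool matched = Evaluate(rule.GetProperty("if"), VaultJson);
        var effect = rule.GetProperty("then").GetProperty("effect").GetString();
        Console.WriteLine(matched
            ? $"Rule condition matched: effect '{effect}' applies (resource is non-compliant)"
            : "Rule condition not matched: resource is compliant or not in scope");
    }

    // Evaluates an Azure Policy condition tree against the resource JSON.
    // The "type" equals check in allOf is what scopes the rule to matching resources.
    public static bool Evaluate(JsonElement condition, string resourceJson)
    {
        if (condition.TryGetProperty("allOf", out var all)) return all.EnumerateArray().All(c => Evaluate(c, resourceJson));
        if (condition.TryGetProperty("anyOf", out var any)) return any.EnumerateArray().Any(c => Evaluate(c, resourceJson));
        if (condition.TryGetProperty("not", out var not)) return !Evaluate(not, resourceJson);

        var field = condition.GetProperty("field").GetString() ?? "";
        var result = Query(resourceJson, AliasToJmesPath(field, resourceJson));

        // [*] aliases: the operator must hold for every element. Assumption (simplification of the
        // service's semantics): a missing or empty array is vacuously true, so "exists: false"
        // fires when no virtual network rules are configured at all.
        if (field.Contains("[*]"))
        {
            if (result.ValueKind != JsonValueKind.Array) return true;
            return result.EnumerateArray().All(v => Matches(v, condition));
        }
        return Matches(result, condition);
    }

    // Maps "Microsoft.KeyVault/vaults/networkAcls.defaultAction" to "properties.networkAcls.defaultAction".
    // Top-level fields (type, name, location, id) map 1:1. Assumption: this covers the aliases in the
    // question; the real alias tables are richer than a prefix strip.
    static string AliasToJmesPath(string field, string resourceJson)
    {
        if (!field.Contains('/')) return field;
        var type = Query(resourceJson, "type").GetString() ?? "";
        var prefix = type + "/";
        var rest = field.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) ? field.Substring(prefix.Length) : field;
        return "properties." + rest;
    }

    // JmesPath.Transform returns the query result serialized as JSON; parse it back into a JsonElement.
    static JsonElement Query(string json, string expression)
    {
        using var doc = JsonDocument.Parse(Jmes.Transform(json, expression));
        return doc.RootElement.Clone();
    }

    // Applies a single field operator to one queried value.
    static bool Matches(JsonElement value, JsonElement condition)
    {
        bool isString = value.ValueKind == JsonValueKind.String;
        if (condition.TryGetProperty("equals", out var eq))
            return isString && string.Equals(value.GetString(), eq.GetString(), StringComparison.OrdinalIgnoreCase);
        if (condition.TryGetProperty("exists", out var ex))
        {
            // Policy JSON writes the flag as the string "false" (as in the question) or as a boolean.
            bool expected = ex.ValueKind == JsonValueKind.String ? bool.Parse(ex.GetString()!) : ex.GetBoolean();
            bool exists = value.ValueKind != JsonValueKind.Null && value.ValueKind != JsonValueKind.Undefined;
            return exists == expected;
        }
        if (condition.TryGetProperty("like", out var like))
            return isString && Like(value.GetString()!, like.GetString()!);
        if (condition.TryGetProperty("notLike", out var notLike))
            return !(isString && Like(value.GetString()!, notLike.GetString()!));
        throw new NotSupportedException("Operator not implemented in this example: " + condition);
    }

    // Azure Policy "like" uses '*' as its only wildcard; translate it to an anchored regex.
    static bool Like(string value, string pattern) =>
        Regex.IsMatch(value, "^" + Regex.Escape(pattern).Replace(@"\*", ".*") + "$", RegexOptions.IgnoreCase);
}
```

With the vault above, `virtualNetworkRules[*].id` returns `["placeholder-subnet-id"]`, so the `exists: false` and `notLike: "*"` branches are false for that element, `defaultAction` is `Deny` rather than `Allow`, and the `anyOf` fails: the rule does not match and the vault is reported compliant. Empty the `virtualNetworkRules` array (or set `defaultAction` to `Allow`) and the `audit` effect applies. Because the policy JSON's `then.effect` is only reported, not enforced, the same evaluator can be run read-only against REST output before assigning the policy.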