Azure Policy reports additional resources as non-compliant

Time: 2019-08-29 08:10:59

Tags: azure

I copied the sample from https://github.com/Azure/azure-policy/blob/master/samples/Network/no-route-table-in-ER-Network/azurepolicy.rules.json while trying to create a policy that denies subnets without an NSG.

{
   "if": {
      "anyOf": [
         {
            "allOf": [
               {
                  "field": "type",
                  "equals": "Microsoft.Network/virtualNetworks"
               },
               {
                  "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
                  "exists": false
               }
            ]
         },
         {
            "allOf": [
               {
                  "field": "type",
                  "equals": "Microsoft.Network/virtualNetworks/subnets"
               },
               {
                  "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
                  "exists": false
               }
            ]
         }
      ]
   },
   "then": {
      "effect": "deny"
   }
}

The policy works as expected: it stops a subnet from being created without an NSG assigned, and it stops the NSG from being removed from a subnet. However, it also reports the virtual network as non-compliant, even when the virtual network itself is fine. How can I make this policy report only the subnets and not the virtual network?

1 answer:

Answer 0: (score: 0)

I managed to get it working by changing the logic a little:

{
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "not": {
              "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
              "exists": true
            }
          }
        ]
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "not": {
              "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
              "exists": true
            }
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
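The two policy branches above target the same property in two shapes: subnets nested inside a `Microsoft.Network/virtualNetworks` resource (the `subnets[*]` alias) and standalone `Microsoft.Network/virtualNetworks/subnets` resources. A practitioner validating a template before deployment, or triaging compliance results, often wants the same question answered locally at subnet granularity. The following is an added example, not code from the question or the answer, and it does not reproduce Azure Policy's evaluation engine; it simply walks resources in those two shapes and lists each subnet with no `networkSecurityGroup.id`. The resource names, NSG id and sample list are constructed for the example.

```python
"""Local pre-deployment check: which subnets have no NSG attached?

Added example (not from the question or answer above). It walks a list of
resources in the two shapes the policy aliases refer to and reports every
subnet lacking a networkSecurityGroup.id, per subnet rather than per VNet.
"""
from __future__ import annotations

VNET_TYPE = "Microsoft.Network/virtualNetworks"
SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"


def _has_nsg(subnet: dict) -> bool:
    """True when the subnet carries a non-empty networkSecurityGroup.id."""
    props = subnet.get("properties") or {}
    nsg = props.get("networkSecurityGroup") or {}
    return bool(nsg.get("id"))


def subnets_without_nsg(resources: list[dict]) -> list[str]:
    """Return 'vnet/subnet' names of every subnet that has no NSG.

    Handles both shapes the two policy branches target:
      * subnets inline under a virtualNetworks resource (the [*] alias),
      * standalone virtualNetworks/subnets resources (the subnet alias).
    A VNet is never reported on its own; only its offending subnets are.
    """
    missing: list[str] = []
    for res in resources:
        rtype = res.get("type", "")
        if rtype == VNET_TYPE:
            vnet = res.get("name", "<unnamed>")
            props = res.get("properties") or {}
            for subnet in props.get("subnets", []):
                if not _has_nsg(subnet):
                    missing.append(f"{vnet}/{subnet.get('name', '<unnamed>')}")
        elif rtype == SUBNET_TYPE:
            # Standalone subnet resources are named "vnetName/subnetName".
            if not _has_nsg(res):
                missing.append(res.get("name", "<unnamed>"))
    return missing


# Constructed sample (hypothetical names and NSG id): one VNet with a
# compliant and a non-compliant inline subnet, plus one standalone subnet
# resource whose NSG reference is empty.
NSG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
          "/rg-example/providers/Microsoft.Network/networkSecurityGroups/nsg-app")

SAMPLE_RESOURCES = [
    {
        "type": VNET_TYPE,
        "name": "vnet-prod",
        "properties": {
            "subnets": [
                {"name": "app", "properties": {"networkSecurityGroup": {"id": NSG_ID}}},
                {"name": "data", "properties": {}},
            ]
        },
    },
    {
        "type": SUBNET_TYPE,
        "name": "vnet-prod/mgmt",
        "properties": {"networkSecurityGroup": {"id": ""}},
    },
]

if __name__ == "__main__":
    for entry in subnets_without_nsg(SAMPLE_RESOURCES):
        print("missing NSG:", entry)
```

Running it against the constructed sample reports `vnet-prod/data` and `vnet-prod/mgmt` and says nothing about `vnet-prod` itself, which is the granularity the question asks for. An empty or missing `id` is treated the same as an absent `networkSecurityGroup` object, since either way no NSG is enforced on the subnet.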