尝试配置允许分配的 Azure 角色定义 ID(角色),通过角色分配,利用 Azure 策略。
以下策略的创建都没有错误,但尽管创建/分配了此策略,但所有角色仍然可以进行 Azure 角色分配。
我尝试过参数值 snytax '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' 以及角色 ID 'b24988ac-6180-42a0-ab82c'
>当涉及到实际阻止角色分配的政策时,似乎没什么关系
我有硬编码值,以及尝试过的参数
遵循此线程的政策,不会阻止任何角色分配:
Azure Policy to restrict role based access control(IAM) to users at Resource group level in Azure
resource "azurerm_policy_definition" "allowedRoleAssignments" {
name = "${var.project_ident}-${var.cs_env_ident}-allowedRoleAssignments"
policy_type = "Custom"
mode = "Indexed"
display_name = "${var.project_ident}-${var.cs_env_ident}-allowedRoleAssignments"
management_group_name = var.mgmtGroupName
metadata = <<METADATA
{
"category": "General"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Authorization/roleAssignments"
},
{
"not": {
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"in": "[parameters('roleDefinitionIds')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"roleDefinitionIds": {
"type": "Array",
"metadata": {
"displayName": "roleDefinitionIds",
"description": "This policy defines a blacklist of role definitions that cannot be used in IAM, for role assignments"
}
}
}
PARAMETERS
}
初始参数:
policy_definition_reference {
policy_definition_id = azurerm_policy_definition.allowedRoleAssignments.id
parameters = {
roleDefinitionIds = "[parameters('roleDefinitionIds')]"
}
}
政策分配:
resource "azurerm_policy_assignment" "set-assignment-1" {
name = "${var.cs_env_ident}-sec-controls"
scope = var.policy_assignment_scope
description = "policy set definition assignment to specified management groups"
display_name = "${var.project_ident}-${var.cs_env_ident}-sec-controls"
policy_definition_id = var.policy_set_definition_id
identity { type = "SystemAssigned" }
location = var.location
parameters = <<PARAMETERS
{
"roleDefinitionIds": {
"value": ${jsonencode(var.roleDefinitionIds)}
}
}
PARAMETERS
}
通过 Terraform 变量在策略分配中传递的参数:
variable "roleDefinitionIds" {
description = "List of allowed role definition Ids"
default = [
"/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4"
]
}
针对具有相似但不同逻辑的其他线程尝试的策略来实现相同的目标,但实际上也不会阻止角色分配:
非常有用的指南,由 Azure 员工制作,但同样,该政策不限制任何角色分配
其他类似主题 Azure custom role: authorize role assignment for a specific set of roles
resource "azurerm_policy_definition" "allowedRoleAssignments" {
name = "${var.project_ident}-${var.cs_env_ident}-allowedRoleAssignments"
policy_type = "Custom"
mode = "Indexed"
display_name = "${var.project_ident}-${var.cs_env_ident}-allowedRoleAssignments"
management_group_name = var.mgmtGroupName
metadata = <<METADATA
{
"category": "General"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Authorization/roleAssignments"
},
{
"value": "[last(split(field('Microsoft.Authorization/roleAssignments/roleDefinitionId'),'/'))]",
"notIn": "[parameters('roleDefinitionIds')]"
}
]
},
"then": {
"effect": "Deny"
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"roleDefinitionIds": {
"type": "Array",
"metadata": {
"displayName": "roleDefinitionIds",
"description": "This policy defines a blacklist of role definitions that cannot be used in IAM, for role assignments"
}
}
}
PARAMETERS
}
任何帮助将不胜感激。这些策略在创建时不会失败,而且在逻辑上似乎是有道理的。
我不明白为什么无论是创建为白名单还是黑名单,角色分配都不会失败
我正在管理组上创建和分配这些策略,因此请使用管理组内的订阅/资源进行验证。
我尝试了一系列角色定义 ID、单个定义 ID,但没有成功拒绝每个策略的匹配角色分配。
答案 0 :(得分:0)
经过大量测试和阅读后,此问题已得到解决。 问题在于 Azure RBAC 角色定义 ID 不是资源且未标记,因此问题出在策略模式中:
标记的资源和位置使用索引策略模式进行处理
mode = "Indexed"
要解决此问题,需要将策略模式设置为“全部”
mode = "All"
其他方面,我已经在这个问题中提供了一个完整的工作解决方案!
干杯