针对 Azure PostgreSQL 防火墙规则的自定义 Azure Policy 不起作用

时间:2021-06-22 12:02:30

标签: postgresql azure-policy

我创建了一个自定义策略,用于拒绝 Azure Database for PostgreSQL 服务器的防火墙规则中出现 IP 0.0.0.0。但是它在"资源合规性"下显示 0 个资源;而且当我创建 startIpAddress 为 0.0.0.0 的防火墙规则时,策略也没有拒绝它。

这是我的代码:

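# Custom policy that denies Azure Database for PostgreSQL firewall rules whose
# startIpAddress or endIpAddress is 0.0.0.0 (rule body lives in ../src/mypolicy.json).
#
# Why mode = "All": "Indexed" evaluates only resource types that support tags and
# location. Microsoft.DBforPostgreSQL/servers/firewallRules is a child resource
# with neither, so under "Indexed" it is never evaluated at all -- which is why the
# assignment reported "0 of 0 resources" and the Deny never fired.
#
# NOTE(review): a 0.0.0.0 - 0.0.0.0 rule is what the portal's "Allow access to
# Azure services" switch creates, and 0.0.0.0 - 255.255.255.255 opens the server
# to the whole Internet; both are denied by the rule as written. Deny only blocks
# new or updated rules; rules that already exist are only reported non-compliant.
resource "azurerm_policy_definition" "db_fw" {
  name         = "ap-psqldb-fw-test"
  policy_type  = "Custom"
  # Child resources such as firewall rules are only evaluated in "All" mode.
  mode         = "All"
  display_name = "Test policy for psql firewall rule"

  metadata = <<METADATA
    {
      "version": "1.0.2",
      "category": "SQL"
    }

METADATA

  # The JSON rule file is read at plan time; keep it strict JSON (no comments).
  policy_rule = file("../src/mypolicy.json")
}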
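# Initiative (policy set) wrapping the definition above. Reference the resource
# attribute instead of a hand-built ID: the hard-coded path embedded a placeholder
# subscription ("mysubid") and gave Terraform no dependency edge, so the set could
# be created before -- or point at a different copy of -- the definition.
# NOTE(review): nothing in this file assigns the set; the assignment below targets
# the definition directly, so the set is currently unused.
resource "azurerm_policy_set_definition" "ap_set" {
  name         = "apset-db-fw-test"
  policy_type  = "Custom"
  display_name = "Test policyset for psql firewall rule"

  policy_definition_reference {
    # Resolves to the real definition ID and orders creation after it.
    policy_definition_id = azurerm_policy_definition.db_fw.id
  }
}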
# Assigns the custom definition at resource-group scope. A Deny assignment is
# applied when a firewall rule is created or updated, so new or changed rules are
# rejected; rules that already exist are only marked non-compliant.
# NOTE(review): azurerm 3.x replaced this resource with scope-specific ones
# (e.g. azurerm_resource_group_policy_assignment) -- confirm the provider version
# in use before upgrading.
resource "azurerm_policy_assignment" "ap_assign" {
  name                 = "test-policy-assignment"
  display_name         = "Test DB Policy Assignment"
  description          = "Testing Policy Assignment"
  scope                = var.resource_group_id
  policy_definition_id = azurerm_policy_definition.db_fw.id

  metadata = <<METADATA
    {
      "version": "1.0.2",
      "category": "SQL"
    }
METADATA
}

mypolicy.json:

{
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"
            },
            {
                "field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
                "equals": "0.0.0.0"
            }
          ]
        },
        {
          "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"
            },
            {
                "field": "Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress",
                "equals": "0.0.0.0"
            }
          ]
        }
      ]
    },
    "then" : {
      "effect" : "Deny"
    }
}

合规状态为:合规;资源合规性:100%(0 个资源中有 0 个);范围:mysub/myresourcegroup

我想知道这个设置中缺少了什么?如果有人能帮忙解决这个问题,我将不胜感激。

1 个答案:

答案 0(得分:0)

以下是对我有效的策略。关键区别在于 `mode` 为 `All`:`Indexed` 模式只评估支持标签和位置的资源类型,而 `Microsoft.DBforPostgreSQL/servers/firewallRules` 是不支持这两者的子资源,所以在 `Indexed` 模式下根本不会被评估(这也是合规性显示 0 个资源的原因):

策略定义(注意:下面的规则没有 `type` 条件,在 `All` 模式下会对范围内的所有资源求值;建议用 `allOf` 加上 `"field": "type", "equals": "Microsoft.DBforPostgreSQL/servers/firewallRules"`,把评估限制在防火墙规则上。另外 `startIpAddress` 不等于 `endIpAddress` 的条件会拒绝所有 IP 范围,而不只是 0.0.0.0,请确认这是否符合预期):

 {
  "properties": {
    "displayName": "Not allow unspecified IP/Not allow SourceIP equal to EndIP",
    "policyType": "Custom",
    "mode": "All",
    "description": "",
    "metadata": {
      "category": "SQL",
      "version": "1.0.2"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "description": "Enable or disable the execution of the policy",
          "displayName": "Effect"
        },
        "allowedValues": [
          "audit",
          "disabled",
          "deny"
        ],
        "defaultValue": "deny"
      },
      "listOfStartIpAddresses": {
        "type": "Array",
        "metadata": {
          "description": "List of not-allowed Start IP Addresses for PSQL",
          "displayName": "List of not-allowed Start IP Addresses for PSQL"
        },
        "defaultValue": [
          "0.0.0.0"
        ]
      }
    },
    "policyRule": {
      "if": {
        "anyof": [
          {
            "field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
            "notEquals": "[field('Microsoft.DBforPostgreSQL/servers/firewallRules/endIpAddress')]"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/firewallRules/startIpAddress",
            "in": "[parameters('listOfStartIpAddresses')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "...",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "..."
}