Azure Policy does not create the role for the managed identity when deployed through DevOps

Time: 2021-07-15 05:54:25

Tags: azure azure-policy

I created an Azure Policy through DevOps. I enabled the role (Storage Contributor) as shown below. An identity was created for the policy, but no role was assigned to it, so I had to create it manually to run the remediation task. Shouldn't the policy itself create the role? Or the deployment?

"roleDefinitionIds": [
    "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],

We deploy it as an ARM template using New-AzDeployment

Here is the full template

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionName": {
      "type": "string"
    }
  },
  "resources": [{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "[parameters('policyDefinitionName')]",
    "apiVersion": "2019-09-01",
    "properties": {
        "displayName": "Deploy Soft-Delete for Blobs",
        "mode": "All",
        "description": "This policy enables soft-delete for blobs.",
        "parameters": {
            "retentionInDays": {
                "type": "Integer",
                "metadata": {
                    "displayName": "Retention in days",
                    "description": "This defines how long the deleted object should be retained for. Allowed values are 1 to 365."
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts"
                    },
                    {
                        "field": "kind",
                        "in": [
                            "Storage",
                            "StorageV2",
                            "BlobStorage",
                            "BlockBlobStorage"
                        ]
                    },
                    {
                        "field": "Microsoft.Storage/storageAccounts/isHnsEnabled",
                        "equals": false
                    }
                ]
            },
            "then": {
                "effect": "DeployIfNotExists",
                "details": {
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "existenceCondition": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
                        "equals": true
                    },
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
                    ],
                    "deployment": {
                        "properties": {
                            "mode": "incremental",
                            "template": {
                                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                    "storageAccountName": {
                                        "type": "string"
                                    },
                                    "retentionInDays": {
                                        "type": "int"
                                    }
                                },
                                "variables": {},
                                "resources": [
                                    {
                                        "name": "[[concat(parameters('storageAccountName'), '/default')]",
                                        "type": "Microsoft.Storage/storageAccounts/blobServices",
                                        "apiVersion": "2019-06-01",
                                        "properties": {
                                            "deleteRetentionPolicy": {
                                                "enabled": true,
                                                "days": "[[parameters('retentionInDays')]"
                                            }
                                        }
                                    }
                                ],
                                "outputs": {}
                            },
                            "parameters": {
                                "storageAccountName": {
                                    "value": "[[field('name')]"
                                },
                                "retentionInDays": {
                                    "value": "[[parameters('retentionInDays')]"
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    }]
}

1 answer:

Answer 0 (score: 1)

  1. Policy definition deployment
  2. (Optional) Initiative definition deployment
  3. Policy assignment deployment <- this is where you add the role assignment.

The role assignment must be made for the managed identity created by the policy assignment. If you create the policy assignment from the portal, I believe this is done automatically for you. ARM templates in DevOps require it to be defined manually.

So the policy assignment must also be deployed together with the role assignment.

Because of issues with using "dependsOn" between definitions, initiatives, and assignments, I recommend a separate ARM template for the assignment. The policy assignment template with the role assignment would then be standalone, similar to the example template below.

I know this is unrelated to your question, but it's annoying enough to mention. In my experience, I had to add a 2-minute delay between the definition deployment and the subsequent initiative deployment, and another 2-minute delay before the assignment deployment, to avoid 404 errors for the dependencies.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {
      "scope": "[concat('/subscriptions/', subscription().subscriptionId, '/')]"
  },
  "resources": [
      {
          "type": "Microsoft.Authorization/policyAssignments",
          "apiVersion": "2019-09-01",
          "name": "my-policy-assignment",
          "location": "westus2",
          "identity": {
              "type": "SystemAssigned"
          },
          "properties": {
              "displayName": "My Policy Assignment",
              "policyDefinitionId": "[concat(variables('scope'), 'providers/Microsoft.Authorization/policySetDefinitions/my-policy-initiative')]",
              "scope": "[variables('scope')]",
              "notScopes": [],
              "parameters": {},
              "description": "This is an example assignment for a Stack Overflow post.",
              "metadata": {
                  "category": "My Category"
              }
          }
      },
      {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2019-04-01-preview",
          "name": "b74efc56-19fa-44a3-9665-49b08f7c384d",
          "dependsOn": [
              "my-policy-assignment"
          ],
          "properties": {
              "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
              "principalType": "ServicePrincipal",
              "delegatedManagedIdentityResourceId": "[concat(subscription().id, '/providers/Microsoft.Authorization/policyAssignments/', 'my-policy-assignment')]",
              "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', 'my-policy-assignment'), '2018-05-01', 'Full' ).identity.principalId)]"
          }
      }
  ]
}
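The answer above boils down to a consistency rule between two templates: every GUID in the definition's roleDefinitionIds must be granted, by a roleAssignments resource that depends on the policy assignment and binds its identity.principalId, to an assignment that actually carries a managed identity. The following is an added example (not code from the question or the answer) of a pre-deployment lint that checks that rule offline, so a DevOps pipeline can fail before New-AzDeployment runs instead of producing an identity with no role, as in the question. The sample templates are constructed, trimmed versions of the ones on this page; the `<sub>` placeholder stands in for a subscription ID.

```python
"""Offline lint: does the assignment template grant the policy assignment's
managed identity every role the policy definition's DeployIfNotExists needs?"""
import re
from typing import Optional

# Matches a role-definition GUID inside a full resource ID or an ARM concat() expression.
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def required_role_ids(definition_template: dict) -> set:
    """GUIDs listed under then.details.roleDefinitionIds of every policyDefinitions resource."""
    needed = set()
    for res in definition_template.get("resources", []):
        if res.get("type") != "Microsoft.Authorization/policyDefinitions":
            continue
        rule = res.get("properties", {}).get("policyRule", {})
        details = rule.get("then", {}).get("details", {}) or {}
        for role_id in details.get("roleDefinitionIds", []):
            match = GUID_RE.search(role_id)
            if match:
                needed.add(match.group(0).lower())
    return needed


def assignment_identity_type(assignment_template: dict, assignment_name: str) -> Optional[str]:
    """identity.type of the named policyAssignments resource, or None if the resource has none."""
    for res in assignment_template.get("resources", []):
        if (res.get("type") == "Microsoft.Authorization/policyAssignments"
                and res.get("name") == assignment_name):
            return res.get("identity", {}).get("type")
    return None


def granted_role_ids(assignment_template: dict, assignment_name: str) -> set:
    """GUIDs of roleAssignments that depend on the assignment and bind its identity.principalId."""
    granted = set()
    for res in assignment_template.get("resources", []):
        if res.get("type") != "Microsoft.Authorization/roleAssignments":
            continue
        props = res.get("properties", {})
        ordered_after = any(assignment_name in dep for dep in res.get("dependsOn", []))
        bound_to_identity = assignment_name in props.get("principalId", "")
        if not (ordered_after and bound_to_identity):
            continue  # a role assignment for some other principal does not count
        match = GUID_RE.search(props.get("roleDefinitionId", ""))
        if match:
            granted.add(match.group(0).lower())
    return granted


def lint(definition_template: dict, assignment_template: dict, assignment_name: str) -> list:
    """Human-readable findings; an empty list means the two templates are consistent."""
    findings = []
    identity = assignment_identity_type(assignment_template, assignment_name)
    if identity not in ("SystemAssigned", "UserAssigned"):
        findings.append(f"assignment {assignment_name!r} has no managed identity (identity.type={identity!r})")
    missing = required_role_ids(definition_template) - granted_role_ids(assignment_template, assignment_name)
    for guid in sorted(missing):
        findings.append(f"role {guid} required by the policy is not granted to {assignment_name!r}")
    return findings


# Constructed sample: trimmed policy definition template in the shape used in the question.
ROLE_STORAGE = "17d1049b-9a84-46fb-8f53-869881c3d3ab"
DEFINITION_TEMPLATE = {"resources": [{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "deploy-blob-soft-delete",
    "properties": {"policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        "then": {"effect": "DeployIfNotExists", "details": {
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "roleDefinitionIds": [f"/providers/Microsoft.Authorization/roleDefinitions/{ROLE_STORAGE}"],
        }},
    }},
}]}

# Constructed sample: the questioner's situation (assignment with identity, no role assignment).
ASSIGNMENT_NAME = "my-policy-assignment"
ASSIGNMENT_ONLY = {"resources": [{
    "type": "Microsoft.Authorization/policyAssignments",
    "name": ASSIGNMENT_NAME,
    "identity": {"type": "SystemAssigned"},
    "properties": {"policyDefinitionId": "/subscriptions/<sub>/providers/Microsoft.Authorization/policyDefinitions/deploy-blob-soft-delete"},
}]}

# Constructed sample: the answer's pattern, role assignment wired to the assignment identity.
ASSIGNMENT_WITH_ROLE = {"resources": ASSIGNMENT_ONLY["resources"] + [{
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "b74efc56-19fa-44a3-9665-49b08f7c384d",
    "dependsOn": [ASSIGNMENT_NAME],
    "properties": {
        "roleDefinitionId": f"[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '{ROLE_STORAGE}')]",
        "principalType": "ServicePrincipal",
        "principalId": f"[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', '{ASSIGNMENT_NAME}'), '2018-05-01', 'Full').identity.principalId]",
    },
}]}

if __name__ == "__main__":
    for label, template in (("assignment only", ASSIGNMENT_ONLY), ("with role", ASSIGNMENT_WITH_ROLE)):
        print(label, "->", lint(DEFINITION_TEMPLATE, template, ASSIGNMENT_NAME) or ["ok"])
```

The lint deliberately reads the GUID out of the ARM expression rather than evaluating it, so it works on the template file as committed; it does not confirm that the GUID is a real role or that the identity has propagated, which is why the answer's delay between deployments is still needed at run time.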