Azure Policy: creating a deployIfNotExists policy


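I am trying to create a deployIfNotExists policy from an existing auditIfNotExists policy. It deploys without error, but when the policy is evaluated I get the error "No related resources match the effect details in the policy definition". When I deploy the auditIfNotExists policy to the same management group, it works fine. I don't know whether I am missing something.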

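This policy is to create an alert for Delete NSG group if it doesn't exist. Here is the deployIfNotExists policy. Do you see anything wrong with it? Any input is appreciated. Thanks, everyone.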

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
       "effect": {
          "type": "string",
          "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": [
              "AuditIfNotExists",
              "deployIfNotExists",
              "Disabled"
            ],
            "defaultValue": "deployIfNotExists"
          }
  },
  "variables": {
    "actionGroupName": "dsactiongroup"  
  },
  "resources": [
    {
        "name": "CIS5.2.3-EnsureAuditDeleteNSG",
        "type": "Microsoft.Authorization/policyDefinitions",
        "apiVersion": "2019-09-01",
        "properties": {
          "policyType": "Custom",
          "displayName": "CIS 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)",
          "description": "Monitor Activity Alerts exist for specific activities.",
          "mode": "all",
          "metadata": {
            "category": "Audit"
            
          },
          "parameters": {
               
          },
         
          "policyRule": {
            "if": {
                "allOf": [
                  {
                    "field": "type",
                    "equals": "Microsoft.Resources/subscriptions"
                  }
                ]
              },
              "then": {
                "effect": "[parameters('effect')]",
                "details": {
                  "type": "Microsoft.Insights/ActivityLogAlerts",
                  "existenceCondition": {
                    "allOf": [
                      {
                        "allOf": [
                          {
                            "not": {
                              "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                              "notEquals": "category"
                            }
                          },
                          {
                            "not": {
                              "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                              "notEquals": "Administrative"
                            }
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "not": {
                              "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                              "notEquals": "resourceType"
                            }
                          },
                          {
                            "not": {
                              "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                              "notEquals": "microsoft.network/networksecuritygroups"
                            }
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "not": {
                              "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                              "notEquals": "operationName"
                            }
                          },
                          {
                            "not": {
                              "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                              "notEquals": "Microsoft.Network/networkSecurityGroups/delete"
                            }
                          }
                        ]
                      }
                    ]
                  },
                  "roleDefinitionIds": [
                    "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
                  ],
                "deployment": {
                  "properties": {
                    "mode": "incremental",
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {},
                      "variables": {
                        "actionGroupName": "dactiongroup"
                      },
                      "resources": [
                        {
                          "name": "NSGRuleDeleted",
                          "type": "Microsoft.Insights/activityLogAlerts",
                          "location": "global",
                          "apiVersion": "2017-04-01",
                          "properties": {
                            "description": "NSG Rule Deleted",
                            "enabled": true,
                            "condition": {
                              "allOf": [
                                {
                                  "field": "category",
                                  "equals": "Administrative"
                                },
                                {
                                  "field": "operationName",
                                  "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"
                                }
                              ]
                            },
                            "actions": {
                              "actionGroups": [
                                {
                                  "actionGroupId": "[resourceId('Microsoft.Insights/actionGroups', variables('actionGroupName'))]"
                                }
                              ]
                            }
                          }
                        }
                      ],
                      "outputs": {}
                    },
                    "parameters": {
                      
                    }
                  }
                }
              }
            }
          }
        }
      }
         
  ]
}

Still stuck on this, guys - trying to crack it, hoping someone can offer some advice :)

Did you find a solution?

Where do you see this error?

Someone who got this error has the following explanation: no resource of the type defined in then.details.type, related to the resource defined in the if part of the policy rule, exists.
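Added example, not part of the original post or comments: a simplified Python model of the existenceCondition in the question, run against the alert condition that the policy's own deployment template creates, to check whether a remediated subscription would then pass the condition. It assumes the `[*]` alias behaviour described in the Azure Policy documentation (each array element is evaluated and the results are combined with AND) and case-insensitive string comparison; the function and constant names are illustrative.

```python
# Simplified model of how Azure Policy evaluates the question's existenceCondition.
# Assumption: a condition on a [*] alias is evaluated per array element and the
# results are ANDed, so not(field[*] notEquals X) means "some element equals X".
# Assumption: string comparison is case-insensitive.

def any_element_equals(alert, key, wanted):
    """Model of: not { field: condition.allOf[*].<key>, notEquals: wanted }"""
    elements = alert["properties"]["condition"]["allOf"]
    all_not_equal = all(str(e.get(key, "")).lower() != wanted.lower() for e in elements)
    return not all_not_equal

# The six (key, value) checks, copied from the policy's existenceCondition.
REQUIRED = [
    ("field", "category"), ("equals", "Administrative"),
    ("field", "resourceType"), ("equals", "microsoft.network/networksecuritygroups"),
    ("field", "operationName"), ("equals", "Microsoft.Network/networkSecurityGroups/delete"),
]

def failed_checks(alert):
    """Return the checks the alert does not satisfy (empty list = condition met)."""
    return [(k, v) for k, v in REQUIRED if not any_element_equals(alert, k, v)]

# The alert condition created by the policy's own deployment template.
DEPLOYED_ALERT = {"properties": {"condition": {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName",
     "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
]}}}

# Constructed alert that satisfies the existenceCondition as written.
MATCHING_ALERT = {"properties": {"condition": {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"},
    {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"},
]}}}

if __name__ == "__main__":
    print("deployed template fails:", failed_checks(DEPLOYED_ALERT))
    print("matching alert fails:   ", failed_checks(MATCHING_ALERT))
```

Under this model the deployed alert misses the `resourceType` pair and the `networkSecurityGroups/delete` operation name, so a subscription remediated by this template would still not satisfy the existenceCondition. Each check is independent, so the condition does not require a `field` and its `equals` value to sit in the same array element.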