JSON: how to fix a deployIfNotExists policy for Key Vault

Tags: json, azure-keyvault, azure-policy

Trying to create a DeployIfNotExists policy that will automatically set the "networkAcls" property on all Key Vaults, but after struggling with it for a few weeks I decided to try to manipulate a simpler boolean property instead of the complex object property. The property I chose is "enabledForDeployment". The policy does correctly find the non-compliant key vaults, but the deployment does not work.

Once this "easy" policy works, I will go back and try to set the "networkAcls" property to the following:

"networkAcls": {
    "defaultAction": "Deny",
    "bypass": "None",
    "ipRules": [
        {"value": "1.1.1.0/24"},
        {"value": "2.2.2.0/24"}
    ],
    "virtualNetworkRules": []
}
The policy code is as follows:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults"
        },
        {
          "not": {
            "field": "Microsoft.KeyVault/vaults/enabledForDeployment",
            "equals": true
          }
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.KeyVault/vaults",
        "name": "[field('name')]",
        "existenceCondition": {
          "field": "Microsoft.KeyVault/vaults/enabledForDeployment",
          "equals": "true"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "location": "[field('location')]",
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "Name": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.KeyVault/vaults",
                  "apiVersion": "2018-02-14",
                  "name": "[parameters('Name')]",
                  "location": "[parameters('location')]",
                  "properties": {
                    "enabledForDeployment": true
                  }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "done"
                }
              }
            },
            "parameters": {
              "location": {
                "value": "[field('location')]"
              },
              "Name": {
                "value": "[field('name')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

I am currently getting an "internalServerError" message. Any ideas?

I would suggest checking your ARM template and making sure it is correct. Sometimes, when you use the Export template feature, the ARM template may not work without testing. If you have a question about ARM templates, I would ask them directly.

@Kemley You are right. My ARM template was incorrect. It was missing several required fields (sku, access policies, etc.). Below is the final policy that updates the networkAcls when the default network action is set to allow all.

{
  "properties": {
    "displayName": "Vzn Deploy Key Vault NetworkAcls defaultAction",
    "policyType": "Custom",
    "mode": "All",
    "description": "Removes the default allow all networks.  Manually sets 2 firewall rules",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KeyVault/vaults",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
          ],
          "existenceCondition": {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "equals": "Deny"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "keyvaultname": {
                    "type": "string"
                  },
                  "locationname": {
                    "type": "string"
                  },
                  "skuname": {
                    "type": "string"
                  },
                  "accessPoliciesname": {
                    "type": "array"
                  }
                },
                "resources": [
                  {
                    "name": "[parameters('keyvaultname')]",
                    "location": "[parameters('locationname')]",
                    "type": "Microsoft.KeyVault/vaults",
                    "apiVersion": "2018-02-14",
                    "properties": {
                      "tenantId": "be42d65b-eb64-4a64-8aa3-ae47eef3af3e",
                      "accessPolicies": "[parameters('accessPoliciesname')]",
                      "sku": {
                        "name": "[parameters('skuname')]",
                        "family": "A"
                      },
                      "networkAcls": {
                        "defaultAction": "Deny",
                        "bypass": "None",
                        "ipRules": [
                          {
                            "value": "1.2.3.0/27"
                          },
                          {
                            "value": "1.5.6.0/24"
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "keyvaultname": {
                  "value": "[field('name')]"
                },
                "locationname": {
                  "value": "[field('location')]"
                },
                "skuname": {
                  "value": "[field('Microsoft.KeyVault/vaults/sku.name')]"
                },
                "accessPoliciesname": {
                  "value": "[field('Microsoft.KeyVault/vaults/accessPolicies')]"
                }
              }
            }
          },
          "name": "[field('name')]"
        }
      }
    }
  }
}
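As an added example (not code from the thread or from Azure Policy itself), a small Python lint that checks a deployIfNotExists definition for the mistakes discussed above: template parameters that get no value, a vault resource missing the properties the working policy had to supply, and a template whose result would not satisfy its own existenceCondition. SAMPLE_POLICY is a constructed input and REQUIRED_VAULT_PROPS is an assumption drawn from the fields the final policy adds.

```python
import json

# Constructed sample (not the thread's policy): a deployIfNotExists definition whose
# embedded ARM template reproduces the pitfalls discussed in the thread.
SAMPLE_POLICY = json.loads("""
{"mode": "All", "policyRule": {
  "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
  "then": {"effect": "deployIfNotExists", "details": {
    "type": "Microsoft.KeyVault/vaults", "name": "[field('name')]",
    "existenceCondition": {"field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", "equals": "Deny"},
    "deployment": {"properties": {"mode": "incremental",
      "template": {"parameters": {"Name": {"type": "string"}, "location": {"type": "string"}},
        "resources": [{"type": "Microsoft.KeyVault/vaults", "apiVersion": "2018-02-14",
          "name": "[parameters('Name')]", "location": "[parameters('location')]",
          "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "None"}}}]},
      "parameters": {"Name": {"value": "[field('name')]"}}}}}}}}
""")

# Assumption: the properties the thread's working policy had to add to the vault
# resource (tenantId and sku are required by the Key Vault resource provider).
REQUIRED_VAULT_PROPS = ("tenantId", "sku", "accessPolicies")

def lookup(props, alias_path):
    # Walk a dotted alias path such as 'networkAcls.defaultAction' through a properties dict.
    for part in alias_path.split("."):
        if not isinstance(props, dict) or part not in props:
            return None
        props = props[part]
    return props

def lint_policy(policy):
    """Return the list of problems found in a deployIfNotExists policy definition."""
    rule = policy.get("policyRule") or policy["properties"]["policyRule"]
    details = rule["then"]["details"]
    dep = details["deployment"]["properties"]
    template, problems = dep["template"], []
    declared, supplied = set(template.get("parameters", {})), set(dep.get("parameters", {}))
    problems += [f"template parameter '{p}' gets no value" for p in sorted(declared - supplied)]
    problems += [f"value passed for undeclared parameter '{p}'" for p in sorted(supplied - declared)]
    vaults = [r for r in template.get("resources", []) if r.get("type") == details["type"]]
    if not vaults:
        problems.append(f"template deploys no {details['type']} resource")
    cond = details.get("existenceCondition", {})
    alias = cond.get("field", "").split(details["type"] + "/", 1)[-1]  # strip the alias prefix
    for r in vaults:
        props = r.get("properties", {})
        problems += [f"{r.get('name')} lacks required property '{k}'"
                     for k in REQUIRED_VAULT_PROPS if k not in props]
        # Azure Policy's "equals" is a case-insensitive string comparison, so compare as strings.
        deployed = lookup(props, alias)
        if "equals" in cond and str(deployed).lower() != str(cond["equals"]).lower():
            problems.append(f"template sets {alias}={deployed!r} but existenceCondition expects "
                            f"{cond['equals']!r}: vault would stay non-compliant after remediation")
    return problems
```

Running `lint_policy` on the thread's final policy reports nothing, while the sample above yields five findings.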