Azure策略,排除资源类型

ukqbszuj  于 2023-11-21  发布在  其他
关注(0)|答案(1)|浏览(141)

我当前正在使用此策略成功禁用Azure存储帐户的公共访问。但是,在设置功能应用程序或应用程序服务时,相同的策略阻止了它们的创建。我正在尝试对策略进行调整以排除功能应用程序和应用程序服务,从而允许在不被此策略阻止的情况下创建它们。
下面是我尝试过的JSON,但它并没有像预期的那样工作。它仍然阻止创建Function Apps和App Services,这表明应该限制Azure Storage帐户的公共访问。
尝试使用此策略来豁免功能和应用程序服务,但仍被策略阻止

type here  `{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "notequals": "Microsoft.Web/sites"
        },
        {
          "anyOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "notEquals": "Deny"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}

字符串

a64a0gku

a64a0gku1#

您需要创建两个单独的策略定义,一个用于存储帐户,另一个用于功能应用/应用服务
例如,函数应用策略:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        }
      ]
    },
    "then": {
      "effect": "Audit"  // You can choose "Audit," "Deny," or "Disabled" as needed
    }
  }
}

字符串

相关问题