
由于策略限制,SQL Server 在 Azure 上创建失败

如何解决由于策略限制导致 SQL Server 在 Azure 上创建失败的问题

我们正在使用 ARM 模板创建 SQL Server,但由于订阅上已有策略限制,我们无法创建 SQL Server,以下是 2 条策略违规错误:

##[error]资源“xxxxx”被政策禁止错误类型:PolicyViolation,策略定义名称sql Server 应使用虚拟网络服务终结点 (NPD),策略分配名称:NPD1a8a9dc8-aef3-421a-93。错误类型:PolicyViolation,策略定义名称:应启用 sql 服务器上的审计 (NPD),策略分配名称:NPD7885d0ef-a3de-44a3-9a。

以下是我们正在使用的 ARM 模板,我不确定为什么它会失败,因为现在我们在创建 sql Server 时还启用了 VNet 规则和审计:

{
  "$schema": http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#,"contentVersion": "1.0.0.0","parameters": {
    "serverName": {
      "type": "string","Metadata": {
        "description": "The name of the new database server to create."
      }
    },"location": {
      "type": "string","Metadata": {
        "description": "The location of the database server."
      }
    },"serverVersion": {
      "type": "string","defaultValue" : "12.0"
    },"administratorLogin": {
      "type": "string","Metadata": {
        "description": "The account name to use for the database server administrator."
      }
    },"administratorLoginPassword": {
      "type": "securestring","Metadata": {
        "description": "The password to use for the database server administrator."
      }
    },"storageAccountName": {
      "type": "string","Metadata": {
        "description": "The name of the new storage account to create."
      }
    },"emailAddresses": {
      "type": "string","defaultValue": "","Metadata": {
        "description": "Email address for alerts."
      }
    },"privateEndpointName": {
      "type": "string"
    },"vnetName": {
      "type": "string"
    },"vnetRg": {
          "type": "string","Metadata": {
              "description": "Resource Group Name of VNet"
          }
    },"subnet1Name": {
      "type": "string"
    },"storageType": {
      "type": "string","defaultValue": "Standard_GRS","allowedValues": [
        "Standard_lrs","Standard_ZRS","Standard_GRS","Standard_RAGRS","Premium_lrs"
      ]
    },"BUSInesS-OWNER": {
        "type": "string"
    },"COST-CENTER": {
        "type": "int"
    },"LIFECYCLE": {
        "type": "string"
    },"APPLICATION": {
      "type": "string"
    },"PROJECT-CODE": {
      "type": "string"
    },"TECHNICAL-OWNER": {
      "type": "string"
    },"GL-CODE": {
      "type": "string"
    } 
  },"resources": [
    {
      "name": "[parameters('serverName')]","type": "Microsoft.sql/servers","location": "[parameters('location')]","apiVersion": "2014-04-01-preview","properties": {
        "administratorLogin": "[parameters('administratorLogin')]","administratorLoginPassword": "[parameters('administratorLoginPassword')]","version": "[parameters('serverVersion')]","minimalTlsversion": "1.2","publicNetworkAccess": "disabled"
      },"tags": {
        "BUSInesS-OWNER": "[parameters('BUSInesS-OWNER')]","COST-CENTER": "[parameters('COST-CENTER')]","LIFECYCLE": "[parameters('LIFECYCLE')]","APPLICATION": "[parameters('APPLICATION')]","PROJECT-CODE": "[parameters('PROJECT-CODE')]","TECHNICAL-OWNER": "[parameters('TECHNICAL-OWNER')]","GL-CODE": "[parameters('GL-CODE')]"
      },"resources": [
        {
          "name": "sergiodb1","type": "databases","tags": {
          "BUSInesS-OWNER": "[parameters('BUSInesS-OWNER')]","GL-CODE": "[parameters('GL-CODE')]"
        },"apiVersion": "2015-05-01-preview","dependsOn": [
            "[parameters('serverName')]"
          ],"properties": {
            "edition": "Basic","collation": "sql_latin1_General_CP1_CI_AS"
          }
        },{
          "type": "Microsoft.sql/servers/virtualNetworkRules","apiVersion": "2020-08-01-preview","name": "[concat(parameters('serverName'),'/allow-',parameters('subnet1Name'))]","dependsOn": [ "[resourceId('Microsoft.sql/servers',parameters('serverName'))]" ],"properties": {
              "virtualNetworksubnetId": "[resourceId(parameters('vnetRg'),'Microsoft.Network/virtualNetworks/subnets',parameters('vnetName'),"ignoreMissingVnetServiceEndpoint": false
          }
        },{
          "apiVersion": "2014-04-01-preview","type": "firewallrules","name": "AllowAllWindowsAzureIps","dependsOn": [
            "[concat('Microsoft.sql/servers/',parameters('serverName'))]"
          ],"properties": {
            "endIpAddress": "0.0.0.0","startIpAddress": "0.0.0.0"
          }
        },{
          "name": "Default","type": "auditingSettings","apiVersion": "2017-03-01-preview","properties": {
            "State": "Enabled","storageEndpoint": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net')]","storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccountName')),providers('Microsoft.Storage','storageAccounts').apiVersions[0]).keys[0].value]","retentionDays": 365,"auditactionsAndGroups": null,"storageAccountSubscriptionId": "[subscription().subscriptionId]","isstorageSecondaryKeyInUse": false,"isAzureMonitorTargetEnabled": false
          }
        },{
          "name": "DefaultSAP","type": "securityAlertPolicies",parameters('serverName'))]","[concat('Microsoft.sql/servers/',parameters('serverName'),'/auditingSettings/Default')]"
          ],"properties": {
            "state": "Enabled","disableDalerts": null,"emailAddresses": "[array(parameters('emailAddresses'))]","emailAccountAdmins": true,"retentionDays": 365
          }
        },{
          "name": "VulnerabilityAssessment","type": "vulnerabilityAssessments","apiVersion": "2018-06-01-preview",'/auditingSettings/Default')]",'/securityAlertPolicies/DefaultSAP')]"
          ],"properties": {
            "storageContainerPath": "[concat('https://','.blob.core.windows.net','/vulnerability-assessment')]","recurringScans": {
                "isEnabled": true,"emailSubscriptionAdmins": true,"emails": []
            }
          }
        }
      ]
    },{
      "type": "Microsoft.Network/privateEndpoints","apiVersion": "2020-06-01","name": "[parameters('privateEndpointName')]","dependsOn": [
         "[parameters('serverName')]"
      ],"properties": {
        "subnet": {
          "id": "[resourceId(parameters('vnetRg'),parameters('subnet1Name'))]"
        },"privateLinkServiceConnections": [
          {
            "name": "[parameters('privateEndpointName')]","properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.sql/servers',"groupIds": [
                "sqlServer"
              ]
            }
          }
        ]
      },"GL-CODE": "[parameters('GL-CODE')]"
      }
    }
  ],"outputs": {
  }
}

解决方法

已解决:我的 ARM 模板格式存在问题,但最关键的是在 EASTUS 中配置 SQL Server 时,用于创建专用终结点(Private Endpoint)的 VNet 区域却是 EASTUS2。修正区域和 ARM 模板后,我就能够成功部署了。以下是更正后的 ARM 模板:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion": "1.0.0.0","parameters":{

     "serverName": {
      "type": "string","metadata": {
        "description": "The name of the new database server to create."
      }
    },"location": {
      "type": "string","metadata": {
        "description": "The location of the database server."
      }
    },"serverVersion": {
      "type": "string","defaultValue" : "12.0"
    },"administratorLogin": {
      "type": "string","metadata": {
        "description": "The account name to use for the database server administrator."
      }
    },"administratorLoginPassword": {
      "type": "securestring","metadata": {
        "description": "The password to use for the database server administrator."
      }
    },"storageAccountName": {
      "type": "string","metadata": {
        "description": "The name of the new storage account to create."
      }
    },"emailAddresses": {
      "type": "string","defaultValue": "","metadata": {
        "description": "Email address for alerts."
      }
    },"privateEndpointName": {
      "type": "string"
    },"vnetName": {
      "type": "string"
    },"vnetRg": {
          "type": "string","metadata": {
              "description": "Resource Group Name of VNet"
          }
    },"subnet1Name": {
      "type": "string"
    },"storageType": {
      "type": "string","defaultValue": "Standard_GRS","allowedValues": [
        "Standard_LRS","Standard_ZRS","Standard_GRS","Standard_RAGRS","Premium_LRS"
      ]
    },"BUSINESS-OWNER": {
        "type": "string"
    },"COST-CENTER": {
        "type": "int"
    },"LIFECYCLE": {
        "type": "string"
    },"APPLICATION": {
      "type": "string"
    },"PROJECT-CODE": {
      "type": "string"
    },"TECHNICAL-OWNER": {
      "type": "string"
    },"GL-CODE": {
      "type": "string"
    }   
  },"variables": {
        "databaseName": "[concat(parameters('serverName'),'/sample-db')]"
        
    },"resources": [
        {
            "type": "Microsoft.Sql/servers","apiVersion": "2020-02-02-preview","name": "[parameters('serverName')]","location": "[parameters('location')]","tags": {
                "displayName": "[parameters('serverName')]","BUSINESS-OWNER": "xxx","COST-CENTER": "11","LIFECYCLE": "xx","APPLICATION": "xx","PROJECT-CODE": "xx","TECHNICAL-OWNER": "xxx","GL-CODE": "111"
            },"kind": "v12.0","properties": {
                "administratorLogin": "[parameters('administratorLogin')]","administratorLoginPassword": "[parameters('administratorLoginPassword')]","version": "12.0","minimalTlsVersion": "1.2","publicNetworkAccess": "Disabled"
            },"resources": [
                {
            "type": "Microsoft.Sql/servers/databases","name": "[variables('databaseName')]","dependsOn": [
                "[resourceId('Microsoft.Sql/servers',parameters('serverName'))]"
            ],"tags": {
                "displayName": "[variables('databaseName')]","sku": {
                "name": "Basic","tier": "Basic","capacity": 5
            },"properties": {
                "collation": "SQL_Latin1_General_CP1_CI_AS","edition": "Basic","maxSizeBytes": 104857600,"requestedServiceObjectiveName": "Basic","sampleName": "AdventureWorksLT"
            }
           
        },{
            "type": "Microsoft.Network/privateEndpoints","apiVersion": "2020-06-01","name": "[parameters('privateEndpointName')]","tags": {
                "BUSINESS-OWNER": "xxx","properties": {
                "subnet": {
                    "id": "[resourceId(parameters('vnetRg'),'Microsoft.Network/virtualNetworks/subnets',parameters('vnetName'),parameters('subnet1Name'))]"
                },"privateLinkServiceConnections": [
                    {
                        "name": "[parameters('privateEndpointName')]","properties": {
                            "privateLinkServiceId": "[resourceId('Microsoft.Sql/servers',parameters('serverName'))]","groupIds": [
                                "sqlServer"
                            ]
                        }
                    }
                ]
            }
        },{
          "name": "Default","type": "auditingSettings","apiVersion": "2017-03-01-preview","dependsOn": ["[resourceId('Microsoft.Sql/servers',parameters('serverName'))]"],"properties": {
            "State": "Enabled","storageEndpoint": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net')]","storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccountName')),providers('Microsoft.Storage','storageAccounts').apiVersions[0]).keys[0].value]","retentionDays": 365,"auditActionsAndGroups": null,"storageAccountSubscriptionId": "[subscription().subscriptionId]","isStorageSecondaryKeyInUse": false,"isAzureMonitorTargetEnabled": false
          }
        },{
          "name": "DefaultSAP","type": "securityAlertPolicies","[concat('Microsoft.Sql/servers/',parameters('serverName'),'/auditingSettings/Default')]"
          ],"properties": {
            "state": "Enabled","disabledAlerts": null,"emailAddresses": "[array(parameters('emailAddresses'))]","emailAccountAdmins": true,"retentionDays": 365
          }
        }

            ]
        }
        
        
        
    ]
}
,

请确保模板中使用的子网已启用 Microsoft.Sql 服务终结点,也就是说该子网已经配置为虚拟网络服务终结点。

以下脚本可以为您的子网添加 Microsoft.Sql 服务终结点。脚本只会在子网尚缺少该服务终结点时才尝试添加。

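### 1. LOG into to your Azure account, needed only once per PS session.  Assign variables.
# Purpose: make sure the subnet referenced by the SQL Server ARM template carries the
# 'Microsoft.Sql' virtual network service endpoint, adding it only when it is missing.
# Requires the Az PowerShell modules (Connect-AzAccount, Select-AzSubscription,
# Get-AzVirtualNetwork, Set-AzVirtualNetworkSubnetConfig, Set-AzVirtualNetwork).
$yesno = Read-Host 'Do you need to log into Azure (only one time per powershell.exe session)?  [yes/no]'
if ('yes' -eq $yesno) { Connect-AzAccount }

# Assignments to variables used by the later scripts.
# You can EDIT these values, if necessary.

$SubscriptionName = 'yourSubscriptionName'
Select-AzSubscription -SubscriptionName "$SubscriptionName"

$ResourceGroupName = 'yourRGName'
$VNetName = 'yourVNetName'
$SubnetName = 'yourSubnetName'
# Leave empty to keep the address prefix the subnet already has (recommended).
# Only set this if you deliberately want to re-address the subnet, e.g. '10.0.0.0/24'.
$SubnetAddressPrefix = ''

$ServiceEndpointTypeName_SqlDb = 'Microsoft.Sql'  # Do NOT edit. Is official value.

### 2. Search for your virtual network, and then for your subnet.
# Search for the virtual network. $null goes on the left-hand side so that a
# collection result cannot turn the comparison into a filter.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
if ($null -eq $vnet) {
    Write-Host "Caution: No virtual network found by the name '$VNetName'."
    return
}

# Search for the subnet by name.
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName } | Select-Object -First 1
if ($null -eq $subnet) {
    Write-Host "Caution: No subnet found by the name '$SubnetName'"
    return
}

### 3. Is your subnet tagged as 'Microsoft.Sql' endpoint server type?
$endpointMsSql = $subnet.ServiceEndpoints |
    Where-Object { $_.Service -eq $ServiceEndpointTypeName_SqlDb } |
    Select-Object -First 1

# An existing endpoint means there is nothing to do; a missing one is the case to fix.
if ($null -ne $endpointMsSql) {
    $endpointMsSql # Display.
    Write-Host "Good: Subnet found,and is already tagged as an endpoint of type '$ServiceEndpointTypeName_SqlDb'."
    return
}

Write-Host "Caution: Subnet found,but not yet tagged as an endpoint of type '$ServiceEndpointTypeName_SqlDb'."

# Ask the user for confirmation; the subnet is only changed on an explicit 'yes'.
$yesno = Read-Host 'Do you want the PS script to apply the endpoint type name to your subnet?  [yes/no]'
if ('yes' -ne $yesno) { return }

### 4. Add a Virtual Service endpoint of type name 'Microsoft.Sql', on your subnet.
# -ServiceEndpoint sets the subnet's whole endpoint list, so carry the existing
# endpoints over instead of silently dropping them.
$serviceEndpoints = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
$serviceEndpoints += $ServiceEndpointTypeName_SqlDb

# Reuse the current prefix unless the operator supplied one on purpose.
$addressPrefix = $SubnetAddressPrefix
if ([string]::IsNullOrWhiteSpace($addressPrefix)) { $addressPrefix = $subnet.AddressPrefix }

$setParams = @{
    Name            = $SubnetName
    AddressPrefix   = $addressPrefix
    VirtualNetwork  = $vnet
    ServiceEndpoint = $serviceEndpoints
}
$vnet = Set-AzVirtualNetworkSubnetConfig @setParams

# Persist the subnet update.
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Display the endpoints of the subnet that was just updated (not subnet 0).
$updatedSubnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName } | Select-Object -First 1
$updatedSubnet.ServiceEndpoints # Display.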
