
How do we define Azure Policy rules for dependent resources?

How to resolve: How do we define Azure Policy rules for dependent resources?

Given this ARM template: https://github.com/Azure/azure-quickstart-templates/blob/master/101-redis-cache/azuredeploy.json

How can we enforce that a Redis Cache has diagnostic settings enabled?

Is this only possible once the Azure team provides the appropriate aliases?

Current set of aliases for Redis Cache:

{
    "Microsoft.Cache/Redis/redisConfiguration": {
        "maxfragmentationmemory-reserved": "300",
        "maxmemory-reserved": "200",
        "maxmemory-delta": "200",
        "maxclients": "7500",
        "rdb-backup-enabled": "true",
        "rdb-backup-frequency": "60",
        "rdb-backup-max-snapshot-count": "1",
        "rdb-storage-connection-string": "DefaultEndpointsProtocol=https;AccountName=blobnubldepenclsstgwu2;AccountKey=[key hidden]"
    },
    "Microsoft.Cache/Redis/provisioningState": "Succeeded",
    "Microsoft.Cache/Redis/enableNonSslPort": false,
    "Microsoft.Cache/Redis/sku.capacity": 1,
    "Microsoft.Cache/Redis/redisVersion": "4.0.14",
    "Microsoft.Cache/Redis/sku.family": "P",
    "Microsoft.Cache/Redis/hostName": "rc-nuRed-epe-ncls-stg-wu2.redis.cache.windows.net",
    "Microsoft.Cache/Redis/sku.name": "Premium",
    "Microsoft.Cache/Redis/sslPort": 6380,
    "Microsoft.Cache/Redis/port": 6379,
    "Microsoft.Cache/Redis/sku": {
        "name": "Premium",
        "capacity": 1,
        "family": "P"
    },
    "Microsoft.Cache/Redis/subnetId": "/subscriptions/d0ee6b93-7d29-45db-aabf-784018016241/resourceGroups/rg-grp-epe-ncls-stg-wu2/providers/Microsoft.Network/virtualNetworks/AZ-BIZ-10.32.223.0-26/subnets/AZ-BIZ-10.32.223.16-28",
    "Microsoft.Cache/Redis/staticIP": "10.32.223.24",
    "Microsoft.Cache/Redis/minimumTlsversion": "1.2",
    "Microsoft.Cache/Redis/shardCount": 2,
    "Microsoft.Cache/Redis/zones": [
        "3"
    ]
}

Solution

You'll need to use the auditIfNotExists / deployIfNotExists policies. auditIfNotExists will get you started on how to detect resources that have no diagnostic settings, but the deployIfNotExists route is much more complex and would need more application-specific information to solve.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Cache/redis"
      }
    ]
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled",
            "equals": "false"
          }
        ]
      }
    }
  }
}

Keep in mind that Redis, as of today (October 20, 2020), doesn't have any "logs" options. If you plan to apply this to other resources you will also need to check the logs options, and your existenceCondition would look something like the following:

"existenceCondition": {
  "allOf": [
    {
      "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
      "equals": "true"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
      "equals": "false"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
      "equals": "false"
    }
  ]
}

That should allow you to audit the diagnostic logs. If you want to create remediation, you'd need to add roleDefinitionIds and a deployment to the policy and change the effect to deployIfNotExists. Just as a warning, diagnostic settings can be hard to remediate because they also require a storage account, event hub, or other resource to exist. If those already exist and can be statically defined, the problem becomes easier to solve. But if the remediation needs to dynamically provision that supporting infrastructure, you'll also have to create rules around the global uniqueness of infrastructure names, among other issues.

If you plan to go down the deployIfNotExists route, here is the "tip of the iceberg" documentation to get started: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists
