《Windows Azure Platform 系列文章目录》
我们可以自定义 policy，使其符合公司的 IT 策略。
我们这里演示的场景是：增加一个自定义 policy，要求用户在创建 vnet 或增加 subnet 时必须开启 service endpoint for Microsoft.Storage，否则创建失败（该行为由 effect 参数决定，默认值为 Deny；若改为 Audit 则只记录不阻止）。
{
"properties": {
"displayName": "Subnets should have storage account service endpoint",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies the creation of a subnet without a storage account service endpoint.",
"metadata": {
"createdBy": "48b0b875-4ccd-4df1-aeb1-166db79d2864",
"createdOn": "2022-12-14T14:33:16.373002Z",
"updatedBy": "48b0b875-4ccd-4df1-aeb1-166db79d2864",
"updatedOn": "2022-12-14T15:14:34.2548617Z"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"excludedSubnets": {
"type": "Array",
"metadata": {
"displayName": "Excluded Subnets",
"description": "Array of subnet names that are excluded from this policy"
},
"defaultValue": [
"GatewaySubnet",
"AzureFirewallSubnet",
"AzureFirewallManagementSubnet"
]
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks",
"field": "type"
},
{
"count": {
"field": "Microsoft.Network/virtualNetworks/subnets[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].serviceEndpoints[*].service",
"notequals": "Microsoft.Storage"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].name",
"notIn": "[parameters('excludedSubnets')]"
}
]
}
},
"notEquals": 0
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "name",
"notIn": "[parameters('excludedSubnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service",
"notequals": "Microsoft.Storage"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"id": "/subscriptions/c69f7dec-22a1-4f72-a0b1-07811a7ed54b/providers/Microsoft.Authorization/policyDefinitions/75845297-272d-4bc2-9095-57a575eee51b",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "75845297-272d-4bc2-9095-57a575eee51b",
"systemData": {
"createdBy": "",
"createdByType": "User",
"createdAt": "2022-12-14T14:33:16.3529038Z",
"lastModifiedBy": "",
"lastModifiedByType": "User",
"lastModifiedAt": "2022-12-14T15:14:34.2209666Z"
}
}