Azure 策略将额外资源报告为不合规

Question

我从https://github.com/Azure/azure-policy/blob/master/samples/Network/no-route-table-in-ER-Network/azurepolicy.rules.json 复制了示例，而是尝试创建拒绝没有 NSG 的子网的策略。

{
   "if": {
      "anyOf": [
         {
            "allOf": [
               {
                  "field": "type",
                  "equals": "Microsoft.Network/virtualNetworks"
               },
               {

                     "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
                     "exists": false

               }
            ]
         },
         {
            "allOf": [
               {
                  "field": "type",
                  "equals": "Microsoft.Network/virtualNetworks/subnets"
               },
               {
                  "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
                  "exists": false
               }
            ]
         }
      ]
   },
   "then": {
      "effect": "deny"
   }
}

策略运行良好，在不分配 NSG 和从子网中删除 NSG 的情况下停止创建子网。但是，即使虚拟网络没问题，它也会将虚拟网络报告为不合规。如何使此策略仅报告子网而不报告虚拟网络？

Answer 1

我设法通过稍微改变逻辑来实现这一点：

{
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "not": {
              "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
              "exists": true
            }
          }
        ]
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "not": {
              "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
              "exists": true
            }
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}