通过策略启用 Azure NSG FlowLogs答案

【问题标题】：Enable Azure NSG FlowLogs through policy通过策略启用 Azure NSG FlowLogs
【发布时间】：2020-02-25 14:12:35
【问题描述】：

尝试创建策略以启用现有 NSG 的 NSG 流日志（如果处于禁用状态）。完成任务的任何建议或参考。提前致谢。

【问题讨论】：

【解决方案1】：

它现在通过 Azure Policy 运行

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Network/networkSecurityGroups"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Network/networkWatchers/flowLogs",
        "resourceGroupName": "NetworkWatcherRG",
        "name": "[concat('networkwatcher_', field('location'), '/Microsoft.Network', resourceGroup().name, field('name'))]",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Network/networkWatchers/flowLogs/targetResourceId",
              "equals": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
            },
            {
              "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
              "equals": "true"
            },
            {
              "field": "Microsoft.Network/networkWatchers/flowLogs/storageId",
              "equals": "[parameters('storageId')]"
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "storageId": {
                  "type": "String"
                },
                "nsgName": {
                  "type": "String"
                },
                "nsgRG": {
                  "type": "String"
                },
                "location": {
                  "type": "String"
                },
                "targetResource": {
                  "type": "string"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Network/networkWatchers/flowLogs",
                  "name": "[concat('networkwatcher_', parameters('location'), '/Microsoft.Network', parameters('nsgRG'), parameters('nsgName'))]",
                  "apiVersion": "2019-11-01",
                  "location": "[parameters('location')]",
                  "properties": {
                    "targetResourceId": "[parameters('targetResource')]",
                    "storageId": "[parameters('storageId')]",
                    "enabled": "true",
                    "retentionPolicy": {
                      "days": "0",
                      "enabled": "false"
                    }
                  }
                }
              ]
            },
            "parameters": {
              "storageId": {
                "value": "[parameters('storageId')]"
              },
              "nsgName": {
                "value": "[field('name')]"
              },
              "nsgRG": {
                "value": "[resourceGroup().name]"
              },
              "location": {
                "value": "[field('location')]"
              },
              "targetResource": {
                "value": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "storageId": {
      "type": "String",
      "metadata": {
        "displayName": "Storage id",
        "description": "A string with the storage id for the flowlogs to be sent to. The format must be: '/subscriptions/{subscription id}/resourceGroups/{resourceGroup name}/providers/Microsoft.Storage/storageAccounts/{storage account name}"
      }
    }
  }
}

【讨论】：