【Question title】: Check PowerState of Azure VM inside of Azure Policy
【Published】: 2021-03-17 08:43:10
【Question】:

I am building an Azure Policy to audit running VMs that carry a custom tag marking the VM as supposedly decommissioned. The PowerState of a VM is not a plain ARM property, but the state information can be found in the VM's instanceView:

{
  "vmAgent": {
    "vmAgentVersion": "2.7.41491.1008",
    "statuses": [
      {
        "code": "ProvisioningState/succeeded",
        "level": "Info",
        "displayStatus": "Ready",
        "message": "GuestAgent is running and processing the extensions.",
        "time": "2021-03-17T08:29:33+00:00"
      }
    ]
  },
  "disks": [
    {
      "name": "DecomissionedVM_OsDisk_1_cfeff76df794480383af685c6062e9b9",
      "statuses": [
        {
          "code": "ProvisioningState/succeeded",
          "level": "Info",
          "displayStatus": "Provisioning succeeded",
          "time": "2021-03-17T08:09:56.3998144+00:00"
        }
      ]
    }
  ],
  "bootDiagnostics": {},
  "statuses": [
    {
      "code": "ProvisioningState/succeeded",
      "level": "Info",
      "displayStatus": "Provisioning succeeded",
      "time": "2021-03-17T08:10:06.4623615+00:00"
    },
    {
      "code": "PowerState/running",
      "level": "Info",
      "displayStatus": "VM running"
    }
  ]
}

There is also a valid alias for the status code that can be used in a policy definition:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {
        "policyName": "restrict-startup-of-decomissioned-vms",
        "policyDisplayName": "Restrict startup of decomissioned VMs",
        "policyDescription": "Restrict startup of VMs with 'decomissioned' tag"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "[variables('policyName')]",
            "apiVersion": "2019-09-01",
            "properties": {
                "displayName": "[variables('policyDisplayName')]",
                "policyType": "Custom",
                "description": "[variables('policyDescription')]",
                "metadata": {
                    "category": "General"
                },
                "mode": "All",
                "policyRule": {
                    "if": {
                        "allOf": [{
                                "field": "type",
                                "equals": "Microsoft.Compute/virtualMachines"
                            },
                            {
                                "field": "Microsoft.Compute/virtualMachines/instanceView.statuses[*].code",
                                "contains": "PowerState/running"
                            },
                            {
                                "field": "tags[decomissioned]",
                                "exists": "true"
                            }
                        ]
                    },
                    "then": {
                        "effect": "audit"
                    }
                }
            }
        }
    ]
}

Creating and assigning the policy works, but running machines with the decomissioned tag are not flagged as non-compliant.

Does anyone know how to use the field Microsoft.Compute/virtualMachines/instanceView.statuses[*].code correctly?

【Question comments】:

    Tags: azure azure-policy


    【Solution 1】:

    We cannot use the alias Microsoft.Compute/virtualMachines/instanceView.statuses[*].code, because that property is not returned by the GET call that Policy makes against the VM.

    More details here: https://github.com/Azure/azure-policy#resource-type-query-results-incomplete-missing-or-non-standard-format

    "Microsoft.Compute/virtualMachines/instanceView: the collection query for this type is missing many properties, which means compliance checks may not work."

    【Discussion】:
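The rule in the question fails to fire for two independent reasons, and an offline evaluator makes both visible. The following is an added example, not code from the question, the answer, or Microsoft: it is a deliberately small model of how Azure Policy evaluates `field` conditions, covering only the operators the rule uses, and the `VM` document is constructed from the statuses array in the question plus the tag the rule looks for. Two points of Policy semantics it encodes: a `[*]` alias in a `field` condition is satisfied only when every array member satisfies the condition, so `statuses[*].code contains PowerState/running` can never hold while a `ProvisioningState/*` entry sits in the same array, and the `count` expression is how "at least one member" is expressed. `as_policy_sees_it` models the answer's point, that the GET Policy evaluates carries no `instanceView`, which is why neither form of the rule can work against real resources.

```python
import copy

ALIAS = "Microsoft.Compute/virtualMachines/"
_MISSING = object()  # marker: property absent from the resource document

# Constructed sample, not a real VM: the statuses array from the question plus the tag.
VM = {
    "type": "Microsoft.Compute/virtualMachines",
    "tags": {"decomissioned": "true"},
    "instanceView": {"statuses": [
        {"code": "ProvisioningState/succeeded", "displayStatus": "Provisioning succeeded"},
        {"code": "PowerState/running", "displayStatus": "VM running"},
    ]},
}

TYPE_IS_VM = {"field": "type", "equals": "Microsoft.Compute/virtualMachines"}
TAGGED = {"field": "tags[decomissioned]", "exists": "true"}

# The 'if' block exactly as posted in the question.
RULE_AS_POSTED = {"allOf": [TYPE_IS_VM,
    {"field": ALIAS + "instanceView.statuses[*].code", "contains": "PowerState/running"},
    TAGGED]}

# Same intent as a count expression: at least one status whose code is PowerState/running.
RULE_WITH_COUNT = {"allOf": [TYPE_IS_VM,
    {"count": {"field": ALIAS + "instanceView.statuses[*]",
               "where": {"field": ALIAS + "instanceView.statuses[*].code",
                         "equals": "PowerState/running"}},
     "greater": 0},
    TAGGED]}


def as_policy_sees_it(resource):
    """Model the GET Policy evaluates: per the answer, it carries no instanceView."""
    return {k: v for k, v in resource.items() if k != "instanceView"}


def _walk(node, parts):
    """Follow a dotted alias path; a [*] segment fans out over the array members."""
    if not parts:
        return node
    wildcard = parts[0].endswith("[*]")
    key = parts[0][:-3] if wildcard else parts[0]
    if not isinstance(node, dict) or key not in node:
        return _MISSING
    if not wildcard:
        return _walk(node[key], parts[1:])
    members = node[key] if isinstance(node[key], list) else []
    return [v for v in (_walk(m, parts[1:]) for m in members) if v is not _MISSING]


def resolve_field(resource, field):
    """Return (value, is_array) for the three field forms the rule uses."""
    if field == "type":
        return resource.get("type", _MISSING), False
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1], _MISSING), False
    if not field.startswith(ALIAS):
        raise ValueError(f"unsupported field: {field}")
    return _walk(resource, field[len(ALIAS):].split(".")), "[*]" in field


def _test(value, op, expected):
    """One operator against one scalar; an absent property never satisfies a positive operator."""
    if op == "exists":
        return (value is not _MISSING) == (str(expected).lower() == "true")
    if value is _MISSING:
        return False
    if op == "equals":
        return value == expected
    if op == "contains":
        return isinstance(value, str) and expected in value
    raise ValueError(f"unsupported operator: {op}")


def evaluate(resource, cond):
    """True when the 'if' block matches, i.e. the resource is reported non-compliant under audit."""
    if "allOf" in cond:
        return all(evaluate(resource, c) for c in cond["allOf"])
    if "count" in cond:
        spec = cond["count"]
        members, _ = resolve_field(resource, spec["field"])
        parts = spec["field"][len(ALIAS):].split(".")  # assumes the only [*] is the last segment
        matched = 0
        for member in ([] if members is _MISSING else members):
            # 'where' uses the full alias, so evaluate it on a view holding only this member.
            view = copy.deepcopy(resource)
            node = view
            for part in parts[:-1]:
                node = node[part]
            node[parts[-1][:-3]] = [member]
            matched += evaluate(view, spec["where"])
        op, expected = next((k, v) for k, v in cond.items() if k != "count")
        return {"greater": matched > expected, "equals": matched == expected}[op]
    op, expected = next((k, v) for k, v in cond.items() if k != "field")
    value, is_array = resolve_field(resource, cond["field"])
    if value is _MISSING or not is_array:
        return _test(value, op, expected)
    # A [*] alias in a field condition matches only when EVERY member satisfies it.
    return all(_test(v, op, expected) for v in value)


def with_power_state(resource, code):
    """Copy of resource with its PowerState/* status replaced by code, e.g. PowerState/deallocated."""
    view = copy.deepcopy(resource)
    for status in view["instanceView"]["statuses"]:
        if status["code"].startswith("PowerState/"):
            status["code"] = code
    return view


def compliance_report(resource):
    """Which rule fires against the full resource and against what Policy actually fetches."""
    seen = as_policy_sees_it(resource)
    return {"as_posted/full": evaluate(resource, RULE_AS_POSTED),
            "as_posted/policy_get": evaluate(seen, RULE_AS_POSTED),
            "count/full": evaluate(resource, RULE_WITH_COUNT),
            "count/policy_get": evaluate(seen, RULE_WITH_COUNT)}


if __name__ == "__main__":
    for name, fired in compliance_report(VM).items():
        print(f"{name}: {'NON-COMPLIANT' if fired else 'compliant'}")
```

Running it prints four outcomes: the rule as posted never fires, even against the full document, because the `ProvisioningState/succeeded` entry fails the `[*]` all-members test; the `count` form fires only against the full document, which is exactly the document Policy never receives. A production policy therefore has to key on a property that is present in the resource GET, or the running-with-tag check has to be done outside Policy.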
