I am trying to verify whether a set of extensions is installed on a VM. I have written the following policy, but I think it only evaluates the first extension, or the policy is not running as expected. Can you help solve this?
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
          "equals": "Windows"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "NetworkWatcherAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "ConfigurationforWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "DependencyAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "VMAccessAgent"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "AzureDiskEncryption"
            }
          ]
        }
      }
    }
  }
}
Extensions are listed as a resource type similar to "Microsoft.Compute/VirtualMachines"; below is what an installed extension looks like in the ARM template:
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2023-03-01",
  "name": "[concat(parameters('virtualMachines_ironmanjboxsit_name'), '/AzureNetworkWatcherExtension')]",
  "location": "eastasia",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachines_ironmanjboxsit_name'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.NetworkWatcher",
    "type": "NetworkWatcherAgentWindows",
    "typeHandlerVersion": "1.4"
  }
}
Error / problem behavior:
The extensions I am checking are a small subset of what the VM has. For example, as shown below, the VM also has the AzureSecurityCenter extension alongside the set of extensions I mentioned in the policy.
1 answer
How to verify through Azure Policy whether a VM has a set of extensions?
Below is the updated policy to audit Windows virtual machines if the specified extensions do not exist on the VM. After assigning the policy to a scope, it will start auditing Azure Windows virtual machines, as shown below. Note: the policy will take some time to audit resources after it is assigned, so wait a while to see the results.