azure - 奇怪的结果,根据现有的内置策略创建 Azure KeyVault 策略时出错-“字段”属性引用的提供程序不存在
问题描述
所以...我在将其中一个内置插件转换为自定义插件时遇到了一些困难。(我为什么要这样做?内部事务,我是否同意都无关紧要,所以请不要拒绝我的决定。:-))
现有的内置策略:
问题出现在 json 文件的第 40/43 行。
main.tf 文件包括:
# policy
locals {
json_keyvault_certmaxvalidityperiod = jsondecode(file("${path.module}/resourceprovider/KeyVault/Certificates should have the specified maximum validity period.json"))
}
resource "azurerm_policy_definition" "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" {
name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" # must match output.tf and ad ID to main
policy_type = "Custom" #Must always be Custom
mode = "All"
display_name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" #add Custom to display name
description = "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault."
metadata = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.metadata)
policy_rule = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.policyRule)
parameters = <<PARAMETERS
{
"effect" : {
"type": "string",
"metadata": {
"description": "Enable or disable the execution of the policy",
"displayName": "Effect"
}
},
"maximumValidityInMonths": {
"type": "integer",
"metadata": {
"description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren\u0027t best practice.",
"displayName": "The maximum validity in months"
}
}
}
PARAMETERS
}
按原样使用 json 内容,执行terraform apply返回:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths' of the policy rule doesn't exist."
因此,我查看了 Microsoft.KeyVault.Data 提供程序的定义,从以下内容来看,似乎不应该有“证书”,而应该是“秘密”:
但是...如果我更新第 40/43 行以反映 Microsoft.KeyVault.Data/vaults/secrets,则terraform apply返回:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets/properties.validityInMonths' of the policy rule doesn't exist."
以前有没有人处理过这样的事情?关于如何定义策略规则以适应数据提供者的建议?
解决方案
无法使用自定义策略类型创建 keyvault 策略,因为"Microsoft.Keyvault.Data"仅支持内置策略类型,如参考中给出的Microsoft 文档中所述。
如果您在其中看到,Azure Policy Extension in Visual Studio Code您可以找到 azure 中存在的资源提供程序的所有属性,但对于 keyvault 它不存在,它们是空的。
参考:
推荐阅读
- php - 打开和关闭单个博客文章页面时执行功能(Wordpress)
- javascript - 用零初始化对象或递增对象有什么更好的方法?
- ionic-framework - 哪个版本适合用于 ionic CLI 和 Ionic 框架的生产应用程序?
- python - 有没有办法将 Google colab 环境保存到某个地方并重用它?
- java - 如何从 Mule ESB 3.8 中的 JAVA Transformer 内部引发自定义异常?
- powershell - 使用-File参数调用powershell.exe时如何重定向错误流
- solr - 从 mongodb 在 solr 中导入数据的问题
- android - 相当于Xcode中android的styles.xml
- javascript - Express js 使用 cookie 重定向,cookie 不存在
- node.js - 在尝试测试我的 hapijs 应用程序“注册”[1] 时:- 缺少-