Azure Policy: Storage Account Min TLS DeployIfNotExists

Posted 2025-01-25 18:34:32, 1006 characters, 7 views, 0 comments


I am trying to update all my existing storage accounts to TLS 1.2 when the TLS setting is not equal to TLS 1.2.

 "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "location",
        "in": "[parameters('deploymentLocations')]"
      }    
    ]
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Storage/storageAccounts",
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "existenceCondition": {       
        "allOf": [
          {
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "Equals": "TLS1_2"
          },
          {
            "exists": "true",
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion"
          }
        ]
      },

The problem is that the policy is showing compliance for storage accounts that are on TLS 1.1 as well, which it should not!

I tried to modify the existenceCondition with anyOf, no luck, still the same issue. I think I am missing something in the existenceCondition.


Comments (1)

紙鸢 2025-02-01 18:34:32


You can try the following policy:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "exists": "false"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "notEquals": "TLS1_2"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "conflictEffect": "audit",
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "value": "TLS1_2"
          }
        ]
      }
    }
  },
  "parameters": {}
}

It modifies the TLS to 1.2 for all new resources. Old resources are audited and can be changed through a remediation task from the Azure Policy page in the Azure Portal.
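The following is an added example, not code from the question, the answer or Azure itself. It is a small local evaluator for the Modify rule in the answer above, written so the rule's "if" logic (the one the asker wants: catch every account whose minimum TLS is not TLS1_2) can be checked against constructed storage-account resources before the definition is assigned. It models only the condition keywords that rule uses (allOf, anyOf, equals, notEquals, exists) plus the addOrReplace operation. Assumptions made here and not stated on the page: the alias Microsoft.Storage/storageAccounts/minimumTlsVersion is mapped to properties.minimumTlsVersion on the resource body, string comparisons are case-insensitive, a value comparison against an absent property does not match (which is what makes the explicit exists:false leg necessary), and the sample resources are constructed for the example.

```python
import copy

# The answer's Modify policy, as a Python dict (copied from the answer above).
POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
            ]},
        ]},
        "then": {"effect": "modify", "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],
            "conflictEffect": "audit",
            "operations": [{"operation": "addOrReplace",
                            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                            "value": "TLS1_2"}],
        }},
    },
}

# Alias table (assumption for this example): where each alias lives on the
# ARM resource body. type/location are top-level fields.
ALIASES = {
    "type": ("type",),
    "location": ("location",),
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": ("properties", "minimumTlsVersion"),
}

_MISSING = object()  # sentinel: the aliased property is absent on the resource


def read_field(resource, alias):
    """Walk the alias path; return _MISSING if any segment is absent."""
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def write_field(resource, alias, value):
    """addOrReplace: set the aliased property, creating parents as needed."""
    *path, last = ALIASES[alias]
    node = resource
    for key in path:
        node = node.setdefault(key, {})
    node[last] = value


def _norm(v):
    # Case-insensitive string comparison (model assumption); others compare as-is.
    return v.lower() if isinstance(v, str) else v


def evaluate(cond, resource):
    """Evaluate one condition object from a policy 'if' block."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = read_field(resource, cond["field"])
    if "exists" in cond:
        want_present = str(cond["exists"]).lower() == "true"
        return (value is not _MISSING) == want_present
    if value is _MISSING:
        # Model assumption: comparing against an absent property never matches,
        # so an account with no minimumTlsVersion is only caught by exists:false.
        return False
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition keys: {sorted(cond)}")


def apply_modify(policy, resource):
    """Return (matched, resource_after); the input resource is left untouched."""
    rule = policy["policyRule"]
    if not evaluate(rule["if"], resource):
        return False, resource
    out = copy.deepcopy(resource)
    for op in rule["then"]["details"]["operations"]:
        if op["operation"] != "addOrReplace":
            raise ValueError(f"unsupported operation: {op['operation']}")
        write_field(out, op["field"], op["value"])
    return True, out


# Constructed sample resources for the example (not real accounts).
SAMPLE_RESOURCES = [
    {"name": "sa-legacy", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"name": "sa-unset", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {}},
    {"name": "sa-ok", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "vnet-1", "type": "Microsoft.Network/virtualNetworks",
     "location": "westeurope", "properties": {}},
]


def remediate(policy, resources):
    """Names of resources the rule matched, plus every resource's post-Modify state."""
    changed, after = [], []
    for r in resources:
        matched, new = apply_modify(policy, r)
        after.append(new)
        if matched:
            changed.append(r["name"])
    return changed, after


if __name__ == "__main__":
    names, after = remediate(POLICY, SAMPLE_RESOURCES)
    print("matched:", names)
    for r in after:
        print(r["name"], r["properties"].get("minimumTlsVersion"))
```

Running it shows the two accounts that need fixing (the TLS1_0 one and the one with the property unset) being matched and rewritten to TLS1_2, while the TLS1_2 account and the non-storage resource are left alone. In Azure the same match is what a remediation task acts on for existing accounts; for new or updated accounts the Modify effect rewrites the request before it reaches the resource provider.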
