Azure policy to check the IP addresses allowed by App Services

Published 2025-01-31 08:23:15

I am trying to create a policy in Azure which audits whether App Services allow access from a certain IP address.

Deploying is no problem, but currently it says that all my resources are not compliant and I do not understand why; I know for sure that some are compliant.

I am trying to check if access from IP 12.23.456.789/32 is allowed.
This is what I tried (I am using Bicep for my IaC):

resource ApimPRDPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
  name: 'allow-apim'
  properties: {
    displayName: 'Check if api allow apim'
    policyType: 'Custom'

    policyRule: {
      // Scope: App Service sites whose name contains both 'api' and 'prd'
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Web/sites'
          }
          {
            field: 'name'
            contains: 'api'
          }
          {
            field: 'name'
            contains: 'prd'
          }
        ]
      }
      // Audit when no related site config satisfies the existence condition
      then: {
        effect: 'auditIfNotExists'
        details: {
          type: 'Microsoft.Web/sites/config'
          existenceCondition: {
            field: 'Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].ipAddress'
            equals: '12.23.456.789/32'
          }
        }
      }
    }
  }
}

This is the code when I check out the definition in the Azure portal:

{
  "properties": {
    "displayName": "Check if api allow apim",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {

    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "name",
            "contains": "api"
          },
          {
            "field": "name",
            "contains": "prd"
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].ipAddress",
            "equals": "12.23.456.789/32"
          }
        }
      }
    }
  },
  "id": "",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "allow-apim",
  "systemData": {
  }
}

Kind regards

Comments (1)

山有枢 2025-02-07 08:23:15

I created and tested this policy, and it works as intended:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "field": "name",
          "contains": "api"
        },
        {
          "field": "name",
          "contains": "prd"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Web/sites/config",
        "existenceCondition": {
            "count": {
                "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*]",
                "where": {
                    "field": "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*].ipAddress",
                    "equals": "12.23.123.123/32"
                }
            },
            "greater": 0
        }
      }
    }
  }
}

Useful documentation:
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays
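Added example (not part of either post, and not the Azure Policy engine): a small Python model of why the question's existenceCondition fails while the answer's works. It follows the rule from the linked documentation that a condition on a `[*]` alias field holds only when every array member satisfies it, whereas `count`/`where`/`greater` counts matching members. The restriction arrays are constructed, and the IP is the question's placeholder value; empty arrays are not modelled.

```python
# Minimal model of two Azure Policy existenceCondition shapes evaluated
# against a site's web.ipSecurityRestrictions array. This is an added
# illustration, not Azure's evaluator; it implements the documented rule
# that a "[*]" field condition is true only if ALL members satisfy it.

ALIAS = "Microsoft.Web/sites/config/web.ipSecurityRestrictions[*]"
WANTED_IP = "12.23.456.789/32"  # placeholder value taken from the question

# The original existenceCondition from the question (plain field compare on [*]).
FIELD_CONDITION = {"field": ALIAS + ".ipAddress", "equals": WANTED_IP}

# The fixed existenceCondition from the answer (count of matching members).
COUNT_CONDITION = {
    "count": {"field": ALIAS,
              "where": {"field": ALIAS + ".ipAddress", "equals": WANTED_IP}},
    "greater": 0,
}

def member_matches(rule: dict, where: dict) -> bool:
    """Evaluate an 'equals' condition on one property of one array member."""
    prop = where["field"].split("[*].", 1)[1]  # e.g. 'ipAddress'
    return rule.get(prop) == where["equals"]

def evaluate(condition: dict, restrictions: list) -> bool:
    """Return whether the existenceCondition holds for one site's restrictions."""
    if "count" in condition:
        n = sum(member_matches(r, condition["count"]["where"]) for r in restrictions)
        return n > condition["greater"]
    # Plain field condition on a [*] alias: every member must satisfy it.
    return all(member_matches(r, condition) for r in restrictions)

# Constructed sample configs. An App Service that restricts access usually
# carries a default "Deny all" rule (ipAddress "Any") next to its allow rules.
ONLY_APIM = [{"ipAddress": WANTED_IP, "action": "Allow"}]
APIM_PLUS_DENY = ONLY_APIM + [{"ipAddress": "Any", "action": "Deny"}]
NO_APIM = [{"ipAddress": "10.0.0.0/8", "action": "Allow"},
           {"ipAddress": "Any", "action": "Deny"}]

def compare(restrictions: list) -> tuple:
    """(result of the question's condition, result of the answer's condition)."""
    return evaluate(FIELD_CONDITION, restrictions), evaluate(COUNT_CONDITION, restrictions)

if __name__ == "__main__":
    for name, cfg in [("only apim", ONLY_APIM), ("apim + deny all", APIM_PLUS_DENY),
                      ("no apim", NO_APIM)]:
        field_ok, count_ok = compare(cfg)
        print(f"{name:16} field-equals={field_ok!s:5} count-greater-0={count_ok}")
```

A site that has the APIM rule plus the default deny rule passes only the `count` form, which is why the question's version reported every site as non-compliant.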
