Remediate non-compliant resources with Azure Policy

Resources that are non-compliant with a deployIfNotExists or modify policy can be put into a compliant state through remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the tag operations of the assigned policy on your existing resources. This article shows the steps needed to understand and accomplish remediation with Azure Policy.

How remediation security works

When Azure Policy runs the template in a deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a managed identity for each assignment, but it must be told which roles to grant that identity. If the managed identity is missing roles, the following error is displayed during the assignment of the policy or initiative. When using the portal, Azure Policy automatically grants the managed identity the listed roles once the assignment is started.

[Screenshot: Managed identity - missing role]

Important

If a resource modified by deployIfNotExists or modify is outside the scope of the policy assignment, or the template accesses properties on resources outside the scope of the policy assignment, the assignment's managed identity must be granted access manually or the remediation deployment will fail.

Configure the policy definition

The first step is to define, in the policy definition, the roles that deployIfNotExists and modify need in order to deploy the content of the included template. Under the details property, add a roleDefinitionIds property. This property is an array of strings that match roles in your environment. For a full example, see the deployIfNotExists example or the modify examples.

"details": {
    ...
    "roleDefinitionIds": [
        "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
        "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
    ]
}

The roleDefinitionIds property uses the full resource identifier of the role and doesn't take the short roleName. To get the ID for the 'Contributor' role in your environment, use the following command and read the id field of the result:

az role definition list --name 'Contributor'

Manually configure the managed identity

When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles defined in roleDefinitionIds. In the following conditions, the steps to create the managed identity and assign it permissions must be done manually:

  • While using the SDK (such as Azure PowerShell)
  • When a resource outside the assignment scope is modified by the template
  • When a resource outside the assignment scope is read by the template

Note

Azure PowerShell and .NET are the only SDKs that currently support this capability.

Create the managed identity with PowerShell

To create a managed identity during the assignment of the policy, Location must be defined and AssignIdentity used. The following example gets the definition of the built-in policy Deploy SQL DB transparent data encryption, sets the target resource group, and then creates the assignment.

# Login first with Connect-AzAccount -Environmentname AzureChinaCloud command

# Get the built-in "Deploy SQL DB transparent data encryption" policy definition
$policyDef = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'

# Get the reference to the resource group
$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'

# Create the assignment using the -Location and -AssignIdentity properties
$assignment = New-AzPolicyAssignment -Name 'sqlDbTDE' -DisplayName 'Deploy SQL DB transparent data encryption' -Scope $resourceGroup.ResourceId -PolicyDefinition $policyDef -Location 'chinaeast2' -AssignIdentity

The $assignment variable now contains the principal ID of the managed identity along with the standard values returned when creating a policy assignment. It can be accessed through $assignment.Identity.PrincipalId.

Grant the defined roles with PowerShell

The new managed identity must complete replication through Azure Active Directory before it can be granted the needed roles. Once replication is complete, the following example iterates the roleDefinitionIds of the policy definition held in $policyDef and uses New-AzRoleAssignment to grant the new managed identity each role at the assignment scope.

# Use the $policyDef to get to the roleDefinitionIds array
$roleDefinitionIds = $policyDef.Properties.policyRule.then.details.roleDefinitionIds

if ($roleDefinitionIds.Count -gt 0)
{
    $roleDefinitionIds | ForEach-Object {
        $roleDefId = $_.Split("/") | Select-Object -Last 1
        New-AzRoleAssignment -Scope $resourceGroup.ResourceId -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionId $roleDefId
    }
}
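The three preceding steps (declaring roleDefinitionIds, creating the assignment with a managed identity, and granting the roles) as one script that also handles the Azure AD replication delay and lets you review the permissions before granting them. This is an added example, not code from the original page or from Azure Policy itself; it assumes the Az.Accounts, Az.Resources and Az.PolicyInsights modules, and reuses the page's built-in TDE policy definition ID, the resource group name MyResourceGroup and the chinaeast2 region. Each roleDefinitionId is resolved with Get-AzRoleDefinition so the Actions the identity will receive are visible before anything is granted; New-AzRoleAssignment is retried while the new principal is still replicating (the error text matched in the catch block is an assumption based on the PrincipalNotFound error Azure returns in that window); and the script ends by checking that the identity holds exactly the roles the definition declares.

```powershell
# Added example: assign a deployIfNotExists policy with a managed identity,
# review the roles it will receive, grant them once the principal has replicated,
# and verify the result. Assumes Az.Accounts, Az.Resources and Az.PolicyInsights.
# Connect-AzAccount -Environment AzureChinaCloud   # run this first

$definitionId  = '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'   # assumed resource group
$location      = 'chinaeast2'

$policyDef = Get-AzPolicyDefinition -Id $definitionId

# 1. Review what the assignment's identity will be allowed to do before granting anything.
#    roleDefinitionIds holds full resource IDs; the role GUID is the last path segment.
$roleDefinitionIds = @($policyDef.Properties.policyRule.then.details.roleDefinitionIds)
if ($roleDefinitionIds.Count -eq 0) {
    throw "Policy definition $definitionId declares no roleDefinitionIds; remediation would have no permissions."
}
foreach ($id in $roleDefinitionIds) {
    $roleGuid = $id.Split('/')[-1]
    $role = Get-AzRoleDefinition -Id $roleGuid
    Write-Host ("Role {0} ({1}) grants Actions: {2}" -f $role.Name, $roleGuid, ($role.Actions -join ', '))
}

# 2. Create the assignment with a system-assigned identity (-Location is required for the identity).
$assignment = New-AzPolicyAssignment -Name 'sqlDbTDE' `
    -DisplayName 'Deploy SQL DB transparent data encryption' `
    -Scope $resourceGroup.ResourceId `
    -PolicyDefinition $policyDef `
    -Location $location `
    -AssignIdentity
$principalId = $assignment.Identity.PrincipalId

# 3. Grant each role at the assignment scope. New-AzRoleAssignment fails with PrincipalNotFound
#    until the identity has replicated through Azure AD, so retry with a bounded wait.
#    Widen $grantScope only if the template reads or modifies resources outside the assignment scope.
$grantScope = $resourceGroup.ResourceId
foreach ($id in $roleDefinitionIds) {
    $roleGuid = $id.Split('/')[-1]
    $granted = $false
    for ($attempt = 1; $attempt -le 10 -and -not $granted; $attempt++) {
        try {
            New-AzRoleAssignment -Scope $grantScope -ObjectId $principalId -RoleDefinitionId $roleGuid -ErrorAction Stop | Out-Null
            $granted = $true
        }
        catch {
            # Assumed error text for the replication window; any other failure is re-thrown.
            if ($_.Exception.Message -notmatch 'PrincipalNotFound|does not exist in the directory') { throw }
            Write-Host "Principal $principalId not yet replicated (attempt $attempt); waiting 10 s"
            Start-Sleep -Seconds 10
        }
    }
    if (-not $granted) { throw "Could not grant $roleGuid to $principalId after 10 attempts" }
}

# 4. Verify the identity holds every role the definition declares at the grant scope.
$actual = Get-AzRoleAssignment -ObjectId $principalId -Scope $grantScope |
    ForEach-Object { $_.RoleDefinitionId.Split('/')[-1] }
$expected = $roleDefinitionIds | ForEach-Object { $_.Split('/')[-1] }
$missing  = $expected | Where-Object { $_ -notin $actual }
if ($missing) { throw "Roles still missing on $principalId : $($missing -join ', ')" }
Write-Host "Managed identity $principalId holds all $($expected.Count) role(s) at $grantScope"
```

Step 1 is the least-privilege check a reviewer wants before an automated identity is created: a definition that lists Contributor or Owner in roleDefinitionIds gives every remediation deployment that much reach, and it is easier to question that before the assignment exists than after.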

Grant the defined roles through the portal

There are two ways to grant an assignment's managed identity the defined roles using the portal: by using Access control (IAM), or by editing the policy or initiative assignment and clicking Save.

To add a role to the assignment's managed identity, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. Select Assignments on the left side of the Azure Policy page.

  3. Locate the assignment that has a managed identity and click on its name.

  4. Find the Assignment ID property on the edit page. The assignment ID will be something like:

    /subscriptions/{subscriptionId}/resourceGroups/PolicyTarget/providers/Microsoft.Authorization/policyAssignments/2802056bfc094dfb95d4d7a5
    

    The name of the managed identity is the last portion of the assignment resource ID, which is 2802056bfc094dfb95d4d7a5 in this example. Copy this portion of the assignment resource ID.

  5. Navigate to the resource or the resource's parent container (resource group, subscription, management group) that needs the role definition added manually.

  6. Click the Access control (IAM) link on the resource's page and click + Add role assignment at the top of the access control page.

  7. Select the appropriate role that matches one of the roleDefinitionIds from the policy definition. Leave Assign access to set to the default of 'Azure AD user, group, or application'. In the Select box, paste or type the portion of the assignment resource ID located earlier. Once the search completes, click the object with the same name to select it and click Save.

Create a remediation task

Create a remediation task through the portal

During evaluation, a policy assignment with the deployIfNotExists or modify effect determines whether there are non-compliant resources. When non-compliant resources are found, the details are provided on the Remediation page. Along with the list of policies that have non-compliant resources is the option to trigger a remediation task. This option is what creates a deployment from the deployIfNotExists template or the modify operations.

To create a remediation task, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

    [Screenshot: Search for Policy in All services]

  2. Select Remediation on the left side of the Azure Policy page.

    [Screenshot: Select Remediation on the Policy page]

  3. All deployIfNotExists and modify policy assignments with non-compliant resources are included on the Policies to remediate tab and data table. Click on a policy with resources that are non-compliant. The New remediation task page opens.

    Note

    An alternate way to open the remediation task page is to find and click on the policy from the Compliance page, then click the Create Remediation Task button.

  4. On the New remediation task page, filter the resources to remediate by using the Scope ellipses to pick child resources from where the policy is assigned (down to individual resource objects). Additionally, use the Locations drop-down to further filter the resources. Only resources listed in the table will be remediated.

    [Screenshot: Remediation - select resources to remediate]

  5. Begin the remediation task once the resources have been filtered by clicking Remediate. The policy compliance page opens on the Remediation tasks tab to show the state of the task's progress.

    [Screenshot: Remediation - progress of remediation tasks]

  6. Click on the remediation task from the policy compliance page to get details about its progress. The filtering used for the task is shown along with a list of the resources being remediated.

  7. From the remediation task page, right-click on a resource to view either the remediation task's deployment or the resource. At the end of the row, click on Related events to see details such as an error message.

    [Screenshot: Remediation - resource task context menu]

Resources deployed through a remediation task are added to the Deployed Resources tab on the policy compliance page.

Create a remediation task through Azure CLI

To create a remediation task with Azure CLI, use the az policy remediation commands. Replace {subscriptionId} with your subscription ID and {myAssignmentId} with the ID of your deployIfNotExists or modify policy assignment.

# Login first with below commands
az cloud set -n AzureChinaCloud
az login

# Create a remediation for a specific assignment
az policy remediation create --name myRemediation --policy-assignment '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{myAssignmentId}'

For other remediation commands and examples, see the az policy remediation commands.

Create a remediation task through Azure PowerShell

To create a remediation task with Azure PowerShell, use the Start-AzPolicyRemediation cmdlet. Replace {subscriptionId} with your subscription ID and {myAssignmentId} with the ID of your deployIfNotExists or modify policy assignment.

# Login first with Connect-AzAccount -Environmentname AzureChinaCloud command

# Create a remediation for a specific assignment
Start-AzPolicyRemediation -Name 'myRemediation' -PolicyAssignmentId '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{myAssignmentId}'

For other remediation cmdlets and examples, see the Az.PolicyInsights module.
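Starting a remediation task is only the first half of the job; a practitioner also wants to know when it finished and which resources it failed on, since a per-resource authorization failure is the symptom of the scope problem described in the Important note above. The following script, an added example rather than code from the original page or from Azure Policy, starts a remediation for the sqlDbTDE assignment created earlier in this article (scoped to MyResourceGroup and filtered to chinaeast2, mirroring the portal's Scope and Locations filters), polls it to a terminal state, and reports each deployment that did not succeed. It assumes the Az.PolicyInsights and Az.Resources modules; the ProvisioningState, DeploymentSummary and Deployments properties read below are those of the PSRemediation object returned by Get-AzPolicyRemediation -IncludeDetail.

```powershell
# Added example: start a remediation task, wait for it, and surface per-resource failures.
# Assumes Az.PolicyInsights and Az.Resources; the assignment name and resource group
# follow the earlier PowerShell example on this page.
# Connect-AzAccount -Environment AzureChinaCloud   # run this first

$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'                       # assumed resource group
$assignment    = Get-AzPolicyAssignment -Name 'sqlDbTDE' -Scope $resourceGroup.ResourceId

# Start the task. -ResourceGroupName restricts it to this resource group, and
# -LocationFilter to resources in the listed regions (the portal's Locations filter).
$remediationName = 'myRemediation'
$null = Start-AzPolicyRemediation -Name $remediationName `
    -PolicyAssignmentId $assignment.ResourceId `
    -ResourceGroupName $resourceGroup.ResourceGroupName `
    -LocationFilter 'chinaeast2'

# Poll until the task reaches a terminal provisioning state.
$terminal = 'Succeeded', 'Failed', 'Canceled'
do {
    Start-Sleep -Seconds 15
    $remediation = Get-AzPolicyRemediation -Name $remediationName `
        -ResourceGroupName $resourceGroup.ResourceGroupName -IncludeDetail
    $summary = $remediation.DeploymentSummary
    Write-Host ("{0}: {1}/{2} deployments succeeded, {3} failed" -f $remediation.ProvisioningState,
        $summary.SuccessfulDeployments, $summary.TotalDeployments, $summary.FailedDeployments)
} while ($remediation.ProvisioningState -notin $terminal)

# Report every deployment that did not succeed. An authorization error here means the
# assignment's identity lacks a role at the scope the template touched (see the
# Important note earlier): fix the role assignment and run the remediation again.
$failed = @($remediation.Deployments | Where-Object { $_.Status -ne 'Succeeded' })
foreach ($d in $failed) {
    Write-Warning ("{0}: {1} - {2}" -f $d.RemediatedResourceId, $d.Status, $d.Error.Message)
}
if ($failed.Count -gt 0) {
    throw "$($failed.Count) of $($summary.TotalDeployments) remediation deployments did not succeed"
}
Write-Host "Remediation $remediationName completed for all $($summary.TotalDeployments) resource(s)"
```

The same task can be inspected from the portal under the assignment's Remediation tasks tab; the script's Deployments loop corresponds to the Related events link described in the portal steps above.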

Next steps