Azure Policy pattern: the count operator

The count operator evaluates members of a [*] alias.

Sample policy definition

This policy definition audits Network Security Groups configured to allow inbound Remote Desktop Protocol (RDP) traffic.

{
   "properties": {
       "mode": "all",
       "displayName": "Audit Network Security Groups for RDP",
       "description": "This policy audits NSGs with RDP ports enabled",
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "type",
                       "equals": "Microsoft.Network/networkSecurityGroups"
                   },
                   {
                       "count": {
                           "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                           "where": {
                               "allOf": [{
                                       "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                                       "equals": "Inbound"
                                   },
                                   {
                                       "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                                       "equals": "Allow"
                                   },
                                   {
                                       "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                       "equals": "3389"
                                   }
                               ]
                           }
                       },
                       "greater": 0
                   }
               ]
           },
           "then": {
               "effect": "audit"
           }
       }
   }
}

Explanation

The core components of the count operator are field, where, and the condition. Each is highlighted in the snippet below.

  • field tells count which alias to evaluate the members of. Here, we're looking at the securityRules[*] alias array of the network security group.
  • where uses the policy language to define which array members meet the criteria. In this example, an allOf logical operator groups three different condition evaluations of alias array properties: direction, access, and destinationPortRange.
  • The count condition in this example is greater. Count evaluates as true when one or more members of the alias array match the where clause.

{
   "count": {
       "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
       "where": {
           "allOf": [{
                   "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                   "equals": "Inbound"
               },
               {
                   "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                   "equals": "Allow"
               },
               {
                   "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                   "equals": "3389"
               }
           ]
       }
   },
   "greater": 0
}
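To trace how field, where and greater combine, here is an added Python evaluator (not Azure Policy's engine or Microsoft's code) that applies this page's count condition to constructed sample NSGs. It also includes a third NSG whose rule allows the same port as a range, which the exact-match equals in this policy does not flag.

```python
# Added illustration, not Azure Policy's engine: supports only what this page
# uses (count over a [*] alias, where with allOf/equals, a greater threshold).
ALIAS = "Microsoft.Network/networkSecurityGroups/securityRules[*]"
COUNT_CONDITION = {
    "count": {
        "field": ALIAS,
        "where": {"allOf": [
            {"field": ALIAS + ".direction", "equals": "Inbound"},
            {"field": ALIAS + ".access", "equals": "Allow"},
            {"field": ALIAS + ".destinationPortRange", "equals": "3389"},
        ]},
    },
    "greater": 0,
}

# Constructed sample resources, shaped like the properties the alias maps to.
SAMPLE_NSGS = {
    "nsg-rdp-open": {"securityRules": [
        {"direction": "Inbound", "access": "Allow", "destinationPortRange": "3389"},
        {"direction": "Inbound", "access": "Allow", "destinationPortRange": "443"},
    ]},
    "nsg-https-only": {"securityRules": [
        {"direction": "Inbound", "access": "Allow", "destinationPortRange": "443"},
        {"direction": "Inbound", "access": "Deny", "destinationPortRange": "3389"},
    ]},
    # Same exposure written as a range: the exact-match `equals` does not see it.
    "nsg-rdp-range": {"securityRules": [
        {"direction": "Inbound", "access": "Allow", "destinationPortRange": "3380-3390"},
    ]},
}

def member_matches(member: dict, where: dict) -> bool:
    """Evaluate the `where` clause (allOf of equals conditions) on one member."""
    for cond in where["allOf"]:
        prop = cond["field"].split("[*].", 1)[1]  # property name after the alias
        if member.get(prop) != cond["equals"]:
            return False
    return True

def count_matches(resource: dict, condition: dict = COUNT_CONDITION) -> int:
    """Number of securityRules[*] members that satisfy the `where` clause."""
    return sum(member_matches(m, condition["count"]["where"]) for m in resource.get("securityRules", []))

def is_non_compliant(resource: dict, condition: dict = COUNT_CONDITION) -> bool:
    """True when count > greater, i.e. the audit effect would fire for this NSG."""
    return count_matches(resource, condition) > condition["greater"]

if __name__ == "__main__":
    for name, nsg in SAMPLE_NSGS.items():
        print(name, "non-compliant" if is_non_compliant(nsg) else "compliant")
```

If RDP may also be exposed through port ranges or "*", the where clause needs conditions that cover those forms rather than a single equals on "3389".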

Next steps