Azure Policy pattern: the count operator

The count operator evaluates the members of an alias.

Sample policy definition

This policy definition audits network security groups that are configured to allow inbound Remote Desktop Protocol (RDP) traffic.

{
    "properties": {
        "mode": "all",
        "displayName": "Audit Network Security Groups for RDP",
        "description": "This policy audits NSGs with RDP ports enabled",
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Network/networkSecurityGroups"
                    },
                    {
                        "count": {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                            "where": {
                                "allOf": [{
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                                        "equals": "Inbound"
                                    },
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                                        "equals": "Allow"
                                    },
                                    {
                                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                        "equals": "3389"
                                    }
                                ]
                            }
                        },
                        "greater": 0
                    }
                ]
            },
            "then": {
                "effect": "audit"
            }
        }
    }
}

Explanation

The core components of the count operator are field, where, and the condition. Each core component is highlighted in the code snippet below.

  • field tells count which alias's members to evaluate. Here we look at the securityRules[*] alias array of the network security group.
  • where uses the policy language to define which array members satisfy the condition. In this example, the allOf logical operator groups three separate condition evaluations of the alias array's properties: direction, access, and destinationPortRange.
  • The count condition in this example is greater. Count evaluates to true when one or more members of the alias array match the where clause.
{
    "count": {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
        "where": {
            "allOf": [{
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                    "equals": "Inbound"
                },
                {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                    "equals": "Allow"
                },
                {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                    "equals": "3389"
                }
            ]
        }
    },
    "greater": 0
}
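To make the evaluation order concrete, the following added example (not Azure's own evaluator or code from this page) is a minimal interpreter for the count / where / greater pattern above. It runs the page's count expression against a constructed NSG with four security rules, modelling equals as a case-insensitive string comparison (an assumption of this illustration), and shows that only the rule matching all three where conditions is counted:

```python
# Added illustration, not Azure's evaluator: a minimal interpreter for the
# count / where / greater pattern on this page, run against a constructed NSG.
PREFIX = "Microsoft.Network/networkSecurityGroups/securityRules[*]"

# The count expression from the page, unchanged apart from reusing PREFIX.
COUNT_RULE = {
    "count": {
        "field": PREFIX,
        "where": {"allOf": [
            {"field": PREFIX + ".direction", "equals": "Inbound"},
            {"field": PREFIX + ".access", "equals": "Allow"},
            {"field": PREFIX + ".destinationPortRange", "equals": "3389"},
        ]},
    },
    "greater": 0,
}

# Constructed sample resource (not a real NSG); only the properties the rule reads.
SAMPLE_NSG = {
    "type": "Microsoft.Network/networkSecurityGroups",
    "properties": {"securityRules": [
        {"direction": "Inbound",  "access": "Allow", "destinationPortRange": "3389"},
        {"direction": "Inbound",  "access": "Deny",  "destinationPortRange": "3389"},
        {"direction": "Outbound", "access": "Allow", "destinationPortRange": "3389"},
        {"direction": "Inbound",  "access": "Allow", "destinationPortRange": "*"},
    ]},
}

def eval_condition(cond, member):
    """Evaluate a field/equals or allOf condition against one array member."""
    if "allOf" in cond:
        return all(eval_condition(c, member) for c in cond["allOf"])
    prop = cond["field"][len(PREFIX) + 1:]  # ".direction" -> "direction"
    # Modelled as a case-insensitive string compare (assumption); "*" != "3389".
    return str(member.get(prop, "")).lower() == str(cond["equals"]).lower()

def count_matching(rule, resource):
    """Number of securityRules[*] members that satisfy the where clause."""
    members = resource["properties"]["securityRules"]
    where = rule["count"].get("where")
    return sum(1 for m in members if where is None or eval_condition(where, m))

def policy_if_matches(rule, resource):
    """The 'greater' condition: true when more than rule['greater'] members match."""
    return count_matching(rule, resource) > rule["greater"]
```

For SAMPLE_NSG the count is 1 (only the first rule satisfies all three conditions), so the if block is true and the audit effect fires; a rule whose destinationPortRange is "*" is not counted by an exact equals on "3389".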

Next steps