New-AzPolicyAttestation

Módulo:

Az.PolicyInsights

Cria um novo atestado de política para uma atribuição de política.

Syntax

New-AzPolicyAttestation
   -Name <String>
   [-Scope <String>]
   [-ResourceGroupName <String>]
   -PolicyAssignmentId <String>
   [-ComplianceState <String>]
   [-PolicyDefinitionReferenceId <String>]
   [-ExpiresOn <DateTime>]
   [-Owner <String>]
   [-Comment <String>]
   [-Evidence <PSAttestationEvidence[]>]
   [-AssessmentDate <DateTime>]
   [-Metadata <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

New-AzPolicyAttestation
   -ResourceId <String>
   -PolicyAssignmentId <String>
   [-ComplianceState <String>]
   [-PolicyDefinitionReferenceId <String>]
   [-ExpiresOn <DateTime>]
   [-Owner <String>]
   [-Comment <String>]
   [-Evidence <PSAttestationEvidence[]>]
   [-AssessmentDate <DateTime>]
   [-Metadata <String>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

O cmdlet New-AzPolicyAttestation cria um atestado de política para uma atribuição de política específica. Os atestados são usados pelo Azure Policy para definir estados de conformidade de recursos ou escopos direcionados pelas políticas manuais. Eles também permitem que os usuários forneçam metadados adicionais ou link para evidência que acompanha o estado de conformidade atestado.

Exemplos

Exemplo 1: Criar um atestado no escopo da assinatura

Set-AzContext -Subscription "d1acb22b-c876-44f7-b08e-3fcf9f6767f4"
$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationsubassignment"
$attestationName = "attestation-subscription"
New-AzPolicyAttestation -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "Compliant"

Id                          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.policyinsights
                              /attestations/attestation-subscription
Name                        : attestation-subscription
Type                        : Microsoft.PolicyInsights/attestations
PolicyAssignmentId          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
                              policyassignments/psattestationsubassignment
PolicyDefinitionReferenceId :
ComplianceState             : Compliant
ExpiresOn                   :
Owner                       :
Comment                     :
Evidence                    :
ProvisioningState           : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:26:24 AM
AssessmentDate              :
Metadata                    :
SystemData                  :

Esse comando cria um novo atestado de política na assinatura 'd1acb22b-c876-44f7-b08e-3fcf9f6767f4' para a atribuição de política fornecida.

Nota: Este comando cria um atestado para a assinatura e não os recursos abaixo dela. Para facilitar o gerenciamento, as políticas manuais devem ser projetadas para direcionar o escopo que define o limite de recursos cujo estado de conformidade precisa ser atestado. Nesse caso, a política manual deve ser direcionada Microsoft.Resources/subscriptionsao . Para obter mais informações, acesse https://learn.microsoft.com/en-us/azure/governance/policy/concepts/attestation-structure para entender as melhores práticas para criar atestados.

Exemplo 2: Criar um atestado no grupo de recursos

$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationrgassignment"
$attestationName = "attestation-RG"
$rgName = "ps-attestation-test-rg"
New-AzPolicyAttestation -ResourceGroupName $RGName -PolicyAssignmentId $policyAssignmentId -Name $attestationName -ComplianceState "Compliant"

Id                          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
                              -rg/providers/microsoft.policyinsights/attestations/attestation-rg
Name                        : attestation-RG
Type                        : Microsoft.PolicyInsights/attestations
PolicyAssignmentId          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
                              policyassignments/psattestationrgassignment
PolicyDefinitionReferenceId :
ComplianceState             : Compliant
ExpiresOn                   :
Owner                       :
Comment                     :
Evidence                    :
ProvisioningState           : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:35:28 AM
AssessmentDate              :
Metadata                    :
SystemData                  :

Esse comando cria um novo atestado de política no grupo de recursos 'ps-attestation-test-rg' para a atribuição de política especificada.

Nota: Este comando cria um atestado para o grupo de recursos e não para os recursos abaixo dele. Para facilitar o gerenciamento, as políticas manuais devem ser projetadas para direcionar o escopo que define o limite de recursos cujo estado de conformidade precisa ser atestado. Nesse caso, a política manual deve ser direcionada Microsoft.Resources/subscriptions/resourceGroupsao . Para obter mais informações, acesse https://learn.microsoft.com/en-us/azure/governance/policy/concepts/attestation-structure para entender as melhores práticas para criar atestados.

Exemplo 3: Criar um atestado no recurso

$policyAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationresourceassignment"
$attestationName = "attestation-resource"
$scope = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourceGroups/ps-attestation-test-rg/providers/Microsoft.Network/networkSecurityGroups/pstests0"
New-AzPolicyAttestation `
    -PolicyAssignmentId $policyAssignmentId `
    -Name $attestationName `
    -Scope $scope `
    -ComplianceState "NonCompliant"

Id                          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
                              -rg/providers/microsoft.network/networksecuritygroups/pstests0/providers/microsoft.pol
                              icyinsights/attestations/attestation-resource
Name                        : attestation-resource
Type                        : Microsoft.PolicyInsights/attestations
PolicyAssignmentId          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
                              policyassignments/psattestationresourceassignment
PolicyDefinitionReferenceId :
ComplianceState             : NonCompliant
ExpiresOn                   :
Owner                       :
Comment                     :
Evidence                    :
ProvisioningState           : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:38:17 AM
AssessmentDate              :
Metadata                    :
SystemData                  :

Esse comando cria um atestado para o recurso 'pstests0' para a atribuição de política especificada.

Exemplo 4: Criar um atestado com todas as propriedades no grupo de recursos

$attestationName = "attestationRGAllProps"
$policyInitiativeAssignmentId = "/subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/policyassignments/psattestationinitiativergassignment"

$policyDefinitionReferenceId = "PSTestAttestationRG_1"
$RGName = "ps-attestation-test-rg"
$description = "This is a test description"
$sourceURI = "https://contoso.org/test.pdf"
$evidence = @{
    "Description"=$description
    "SourceUri"=$sourceURI
}
$policyEvidence = @($evidence)
$owner = "Test Owner"
$expiresOn = [datetime]::UtcNow.AddYears(1)
$metadata = '{"TestKey":"TestValue"}'

New-AzPolicyAttestation `
    -Name $attestationName `
    -ResourceGroupName $RGName `
    -PolicyAssignmentId $policyInitiativeAssignmentId `
    -PolicyDefinitionReferenceId $policyDefinitionReferenceId `
    -ComplianceState $Compliant `
    -Comment $comment `
    -Evidence $policyEvidence `
    -ExpiresOn $expiresOn `
    -AssessmentDate $expiresOn.AddDays(-2) `
    -Owner $owner `
    -Metadata $metadata

Id                          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/resourcegroups/ps-attestation-test
                              -rg/providers/microsoft.policyinsights/attestations/attestationrgallprops
Name                        : attestationRGAllProps
Type                        : Microsoft.PolicyInsights/attestations
PolicyAssignmentId          : /subscriptions/d1acb22b-c876-44f7-b08e-3fcf9f6767f4/providers/microsoft.authorization/
                              policyassignments/psattestationinitiativergassignment
PolicyDefinitionReferenceId : pstestattestationrg_1
ComplianceState             :
ExpiresOn                   : 1/27/2024 2:51:54 AM
Owner                       : Test Owner
Comment                     :
Evidence                    : {Microsoft.Azure.Commands.PolicyInsights.Models.Attestations.PSAttestationEvidence}
ProvisioningState           : Succeeded
LastComplianceStateChangeAt : 1/27/2023 2:51:57 AM
AssessmentDate              : 1/25/2024 2:51:54 AM
Metadata                    : {
                                "TestKey": "TestValue"
                              }
SystemData                  :

Parâmetros

-AssessmentDate

O momento em que a prova de um atestado foi avaliada.

Type:	Nullable<T>[DateTime]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-Comment

Comentários descrevendo por que esse atestado foi criado.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-ComplianceState

O Estado de Conformidade do recurso. Por exemplo, 'Conforme', 'Não Conforme', 'Desconhecido'

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-Confirm

Solicita sua confirmação antes de executar o cmdlet.

Type:	SwitchParameter
Aliases:	cf
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-DefaultProfile

As credenciais, a conta, o locatário e a assinatura usados para a comunicação com o Azure.

Type:	IAzureContextContainer
Aliases:	AzContext, AzureRmContext, AzureCredential
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-Evidence

As evidências que sustentam o estado de conformidade estabelecidas neste atestado.

Type:	PSAttestationEvidence[]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-ExpiresOn

O tempo que o estado de conformidade definido no atestado deve expirar.

Type:	Nullable<T>[DateTime]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-Metadata

Metadados adicionais para o atestado.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-Name

Nome do recurso.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-Owner

A pessoa responsável por definir o estado do recurso. Esse valor normalmente é uma ID de objeto do Microsoft Entra.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-PolicyAssignmentId

ID de atribuição de política. Por exemplo, '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}'.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-PolicyDefinitionReferenceId

O ID de referência da definição de política da definição individual. Necessário quando a atribuição de política atribui uma definição de conjunto de políticas.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-ResourceGroupName

Nome do grupo de recursos.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-ResourceId

ID do recurso.

Type:	String
Aliases:	Id
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-Scope

Escopo do recurso. Por exemplo, '/subscriptions/{subscriptionId}/resourceGroups/{rgName}'.

Type:	String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

-WhatIf

Mostra o que aconteceria se o cmdlet fosse executado. O cmdlet não é executado.

Type:	SwitchParameter
Aliases:	wi
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

Entradas

String

Nullable<T>[[System.DateTime, System.Private.CoreLib, Version=7.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

PSAttestationEvidence[]

Object

Saídas

PSAttestation

Links Relacionados

• Get-AzPolicyAttestation
• Set-AzPolicyAttestation
• Remove-AzPolicyAttestation