Remediate non-compliant resources with Azure Policy

Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the tag operations of the assigned policy on your existing resources, whether that assignment is to a management group, a subscription, a resource group, or an individual resource. This article shows the steps needed to understand and accomplish remediation with Azure Policy.

How remediation security works

When Azure Policy runs the template in the deployIfNotExists policy definition, it does so using a managed identity. Azure Policy creates a managed identity for each assignment, but must have details about what roles to grant the managed identity. If the managed identity is missing roles, this error is displayed during the assignment of the policy or an initiative. When using the portal, Azure Policy automatically grants the managed identity the listed roles once assignment starts. The location of the managed identity doesn't impact its operation with Azure Policy.

[Screenshot: Managed identity - missing roles]

Important

If a resource modified by deployIfNotExists or modify is outside the scope of the policy assignment, or the template accesses properties on resources outside the scope of the policy assignment, the assignment's managed identity must be manually granted access or the remediation deployment will fail.

Configure policy definition

The first step is to define, in the policy definition, the roles that deployIfNotExists and modify need to successfully deploy the content of your included template. Under the details property, add a roleDefinitionIds property. This property is an array of strings that match roles in your environment. For a full example, see the deployIfNotExists example or the modify examples.

"details": {
    ...
    "roleDefinitionIds": [
        "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
        "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
    ]
}

The roleDefinitionIds property uses the full resource identifier and doesn't take the short roleName of the role. To get the ID for the 'Contributor' role in your environment, use the following code:

az role definition list --name 'Contributor'

Manually configure the managed identity

When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles defined in roleDefinitionIds. In the following conditions, the steps to create the managed identity and assign it permissions must be done manually:

  • While using the SDK (such as Azure PowerShell)
  • When a resource outside the assignment scope is modified by the template
  • When a resource outside the assignment scope is read by the template

Create managed identity with PowerShell

To create a managed identity during the assignment of the policy, Location must be defined and AssignIdentity used. The following example gets the definition of the built-in policy Deploy SQL DB transparent data encryption, sets the target resource group, and then creates the assignment.

# Login first with Connect-AzAccount if not using Cloud Shell

# Get the built-in "Deploy SQL DB transparent data encryption" policy definition
$policyDef = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'

# Get the reference to the resource group
$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'

# Create the assignment using the -Location and -AssignIdentity properties
$assignment = New-AzPolicyAssignment -Name 'sqlDbTDE' -DisplayName 'Deploy SQL DB transparent data encryption' -Scope $resourceGroup.ResourceId -PolicyDefinition $policyDef -Location 'westus' -AssignIdentity

The $assignment variable now contains the principal ID of the managed identity along with the standard values returned when creating a policy assignment. It can be accessed through $assignment.Identity.PrincipalId.

Grant defined roles with PowerShell

The new managed identity must complete replication through Azure Active Directory before it can be granted the needed roles. Once replication is complete, the following example iterates the policy definition in $policyDef for the roleDefinitionIds and uses New-AzRoleAssignment to grant the new managed identity the roles.

# Use the $policyDef to get to the roleDefinitionIds array
$roleDefinitionIds = $policyDef.Properties.policyRule.then.details.roleDefinitionIds

if ($roleDefinitionIds.Count -gt 0)
{
    $roleDefinitionIds | ForEach-Object {
        # New-AzRoleAssignment takes the role GUID, not the full roleDefinitions resource ID
        $roleDefId = $_.Split("/") | Select-Object -Last 1
        # Grant the role to the assignment's managed identity at the assignment scope
        New-AzRoleAssignment -Scope $resourceGroup.ResourceId -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionId $roleDefId
    }
}

Grant defined roles through portal

There are two ways to grant an assignment's managed identity the defined roles using the portal: by using Access control (IAM), or by editing the policy or initiative assignment and clicking Save.

To add a role to the assignment's managed identity, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. Select Assignments on the left side of the Azure Policy page.

  3. Locate the assignment that has a managed identity and click on the name.

  4. Find the Assignment ID property on the edit page. The assignment ID will be something like:

    /subscriptions/{subscriptionId}/resourceGroups/PolicyTarget/providers/Microsoft.Authorization/policyAssignments/2802056bfc094dfb95d4d7a5
    

    The name of the managed identity is the last portion of the assignment resource ID, which is 2802056bfc094dfb95d4d7a5 in this example. Copy this portion of the assignment resource ID.

  5. Navigate to the resource or the resource's parent container (resource group, subscription, management group) that needs the role definition manually added.

  6. Click the Access control (IAM) link on the resource's page and click + Add role assignment at the top of the access control page.

  7. Select the appropriate role that matches a roleDefinitionIds entry from the policy definition. Leave Assign access to set to the default of 'Azure AD user, group, or application'. In the Select box, paste or type the portion of the assignment resource ID located earlier. Once the search completes, click the object with the same name to select the ID and click Save.

Create a remediation task

Create a remediation task through portal

During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-compliant resources. When non-compliant resources are found, the details are provided on the Remediation page. Along with the list of policies that have non-compliant resources is the option to trigger a remediation task. This option is what creates a deployment from the deployIfNotExists template or the modify operations.

To create a remediation task, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

    [Screenshot: Search for Policy in All services]

  2. Select Remediation on the left side of the Azure Policy page.

    [Screenshot: Select Remediation on the Policy page]

  3. All deployIfNotExists and modify policy assignments with non-compliant resources are included on the Policies to remediate tab and data table. Click on a policy with resources that are non-compliant. The New remediation task page opens.

    Note

    An alternate way to open the remediation task page is to find and click on the policy from the Compliance page, then click the Create Remediation Task button.

  4. On the New remediation task page, filter the resources to remediate by using the Scope ellipses to pick child resources from where the policy is assigned (including down to the individual resource objects). Additionally, use the Locations drop-down to further filter the resources. Only resources listed in the table will be remediated.

    [Screenshot: Remediation - select resources to remediate]

  5. Begin the remediation task once the resources have been filtered by clicking Remediate. The policy compliance page opens to the Remediation tasks tab to show the state of the task's progress. Deployments created by the remediation task begin right away.

    [Screenshot: Remediation - remediation task progress]

  6. Click on the remediation task from the policy compliance page to get details about the progress. The filtering used for the task is shown along with a list of the resources being remediated.

  7. From the remediation task page, right-click on a resource to view either the remediation task's deployment or the resource. At the end of the row, click on Related events to see details such as an error message.

    [Screenshot: Remediation - resource task context menu]

Resources deployed through a remediation task are added to the Deployed Resources tab on the policy compliance page.

Create a remediation task through Azure CLI

To create a remediation task with Azure CLI, use the az policy remediation commands. Replace {subscriptionId} with your subscription ID and {myAssignmentId} with your deployIfNotExists or modify policy assignment ID.

# Login first with az login if not using Cloud Shell

# Create a remediation for a specific assignment
az policy remediation create --name myRemediation --policy-assignment '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{myAssignmentId}'

For other remediation commands and examples, see the az policy remediation commands.

Create a remediation task through Azure PowerShell

To create a remediation task with Azure PowerShell, use the Start-AzPolicyRemediation cmdlet. Replace {subscriptionId} with your subscription ID and {myAssignmentId} with your deployIfNotExists or modify policy assignment ID.

# Login first with Connect-AzAccount if not using Cloud Shell

# Create a remediation for a specific assignment
Start-AzPolicyRemediation -Name 'myRemediation' -PolicyAssignmentId '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{myAssignmentId}'

For other remediation cmdlets and examples, see the Az.PolicyInsights module.
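As an added end-to-end example (not code from the original article), the following script chains the earlier steps together: it creates the assignment with a managed identity, waits for the identity to replicate through Azure AD, grants only the roles declared in roleDefinitionIds at an explicit scope, then starts a remediation task and polls it until it finishes. The helper function names, the 'MyResourceGroup' and 'sqlDbTDE-remediation' names, and the ProvisioningState values used for polling are assumptions made for this example.

```powershell
# Added example, not from the original article. Assumes Az.Resources and Az.PolicyInsights
# are installed and Connect-AzAccount has already been run. Names below are placeholders.

function Wait-ForManagedIdentity {
    # Polls Azure AD until the assignment's managed identity has replicated (assumed: a missing
    # principal returns nothing when -ErrorAction SilentlyContinue is set).
    param([string]$PrincipalId, [int]$MaxAttempts = 12, [int]$DelaySeconds = 10)
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $sp = Get-AzADServicePrincipal -ObjectId $PrincipalId -ErrorAction SilentlyContinue
        if ($sp) { return $true }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

function Grant-PolicyIdentityRoles {
    # Grants exactly the roles the definition declares in roleDefinitionIds, at one explicit scope.
    # Pass a different scope when the template modifies or reads resources outside the assignment scope.
    param($PolicyDefinition, [string]$PrincipalId, [string]$Scope)
    $roleDefinitionIds = $PolicyDefinition.Properties.policyRule.then.details.roleDefinitionIds
    if (-not $roleDefinitionIds -or $roleDefinitionIds.Count -eq 0) {
        throw "Policy definition declares no roleDefinitionIds; remediation deployments would fail."
    }
    foreach ($roleDefinitionId in $roleDefinitionIds) {
        $roleDefId = $roleDefinitionId.Split('/') | Select-Object -Last 1   # GUID only
        New-AzRoleAssignment -Scope $Scope -ObjectId $PrincipalId -RoleDefinitionId $roleDefId | Out-Null
    }
}

# 1. Assign the built-in "Deploy SQL DB transparent data encryption" policy with a managed identity
$policyDef     = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'
$assignment    = New-AzPolicyAssignment -Name 'sqlDbTDE' -Scope $resourceGroup.ResourceId `
                     -PolicyDefinition $policyDef -Location 'westus' -AssignIdentity
$principalId   = $assignment.Identity.PrincipalId

# 2. Wait for replication, then grant only the declared roles at the assignment scope
if (-not (Wait-ForManagedIdentity -PrincipalId $principalId)) {
    throw "Managed identity $principalId did not replicate in time."
}
Grant-PolicyIdentityRoles -PolicyDefinition $policyDef -PrincipalId $principalId -Scope $resourceGroup.ResourceId

# 3. Start the remediation task and poll until it leaves an in-progress state (state names assumed)
$remediation = Start-AzPolicyRemediation -Name 'sqlDbTDE-remediation' -PolicyAssignmentId $assignment.ResourceId -Scope $resourceGroup.ResourceId
do {
    Start-Sleep -Seconds 15
    $remediation = Get-AzPolicyRemediation -Name 'sqlDbTDE-remediation' -Scope $resourceGroup.ResourceId
} while ($remediation.ProvisioningState -in 'Accepted', 'Evaluating', 'Running')
$remediation.DeploymentSummary   # per-resource deployment counts, including any failed deployments
```

A failed deployment in the summary usually means a role missing from roleDefinitionIds or a resource outside the granted scope; the Related events view in the portal shows the error message.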

Create a remediation task during policy assignment in the Azure portal

A streamlined way of creating a remediation task is to do so from the Azure portal during policy assignment. If the policy definition to assign has a deployIfNotExists or modify effect, the wizard on the Remediation tab offers a Create a remediation task option. If this option is selected, a remediation task is created at the same time as the policy assignment.

Next steps