json: Is it possible to set VM encryption from an Azure policy?

vsnjm48y  posted 5 months ago in Other

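I am trying to enable VM encryption from a policy in Azure.
I currently get the error below, and I have a problem with my policy rule. I don't know how to change "details" to set VM encryption. Any ideas?
400: Error code: InvalidPolicyRule. Error: "Could not find member 'Microsoft.Compute/virtualMachines/securityProfile. securityAtHost' on object of type 'ModifyCompute DetailsHost'. Path '[Microsoft.Compute/virtualMachines/securityProfile. securityAtHost']'."
This is my policy: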

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "apiVersion": "2021-06-01",
    "name": "Enable VM Encryption at host",
    "properties": {
      "displayName": "Enable VM encryption at host",
      "mode": "Indexed",
      "description": "This policy enables VM encryption at host.",
      "metadata": {
          "category": "Compute"
      },
      "parameters": {},
      "policyRule": {
          "if": {
              "allOf": [
                  {
                      "field": "type",
                      "equals": "Microsoft.Compute/virtualMachines"
                  },
                  {
                      "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
                      "notEquals": "true"
                  }
              ]
          },
          "then": {
              "effect": "[parameters('effect')]",
              "details": {
                  "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost": "true"
              }
          }
      },
      "policyType": "Custom"
    }
  }


1l5u6lss #1

I am trying to enable VM encryption from a policy in Azure.

"Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost": "true"

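The above parameter is not accepted for enabling securityProfile on a VM using Policy.
Below is an Azure policy that enables VM encryption at host for all VMs in a stopped state, using the effect: append.
Note: To update the EncryptionAtHost property, the VM should be in a stopped state.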

Azure policy:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
              "notEquals": "true"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": [
        {
          "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
          "value": {
            "value": "true",
            "action": "Allow"
          }
        }
      ]
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled",
        "Append"
      ],
      "defaultValue": "Append"
    }
  }
}


Alternatively, you can use a PowerShell script to update the encryptionAtHost setting on all VMs that have not been updated yet.

# Fetch all VMs in the subscription
$vms = Get-AzVM

foreach ($vm in $vms) {
    $vmName = $vm.Name
    $vmRg   = $vm.ResourceGroupName

    # Only touch VMs that do not already have EncryptionAtHost enabled
    if ($vm.SecurityProfile.EncryptionAtHost -ne $true) {
        # The VM must be stopped before the property can be updated
        Write-Host "Stopping VM: $vmName for enabling EncryptionAtHost"
        Stop-AzVM -ResourceGroupName $vmRg -Name $vmName -Force

        # Pass the single VM object from the loop, not the whole collection
        Update-AzVM -VM $vm -ResourceGroupName $vmRg -EncryptionAtHost $true
        Write-Host "Enabled EncryptionAtHost on VM: $vmName"

        Write-Host "Starting VM name: $vmName after enabling EncryptionAtHost"
        Start-AzVM -ResourceGroupName $vmRg -Name $vmName
    }
}


Reference: Modify operations
Update a VM to enable encryption at host.
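An added example, not part of the original question or answer: a small pre-deployment check that catches the two shape problems visible in the question's policy, namely an alias used as a key directly under "details" and a reference to `parameters('effect')` while "parameters" is empty. The function name `lint_policy` is hypothetical; the expected shapes (append takes an array of field/value pairs, modify takes an object with `roleDefinitionIds` and `operations` arrays) follow the Azure Policy effect definitions.

```python
import json
import re

ALIAS = "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost"

# Constructed sample: parameters and "then" block as posted in the question.
QUESTION_POLICY = {
    "parameters": {},
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        "then": {
            "effect": "[parameters('effect')]",
            "details": {ALIAS: "true"},
        },
    },
}

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

def lint_policy(policy, effect=None):
    """Return shape problems; `effect` overrides an unresolved effect parameter."""
    body = policy.get("properties", policy)  # full definition or bare rule body
    params = body.get("parameters", {})
    then = body["policyRule"]["then"]
    problems = []
    # Every [parameters('x')] used in the rule must be declared.
    for name in sorted(set(PARAM_REF.findall(json.dumps(body["policyRule"])))):
        if name not in params:
            problems.append(f"parameter '{name}' is referenced but not declared")
    # Resolve the effect: explicit argument, parameter default, or literal.
    ref = PARAM_REF.search(then.get("effect", ""))
    default = params.get(ref.group(1), {}).get("defaultValue") if ref else then.get("effect")
    effect = (effect or default or "").lower()
    details = then.get("details")
    if effect == "append":
        # append: details is an array of {"field": ..., "value": ...} pairs.
        if not isinstance(details, list):
            problems.append("append: 'details' must be an array of field/value pairs")
        elif not all(isinstance(d, dict) and {"field", "value"} <= d.keys() for d in details):
            problems.append("append: every details entry needs 'field' and 'value'")
    elif effect == "modify":
        # modify: details is an object holding roleDefinitionIds and operations arrays.
        for key in ("roleDefinitionIds", "operations"):
            if not (isinstance(details, dict) and isinstance(details.get(key), list)):
                problems.append(f"modify: details.{key} must be an array")
    return problems

if __name__ == "__main__":
    for problem in lint_policy(QUESTION_POLICY, effect="Append"):
        print(problem)
```

Running it against the question's policy reports the undeclared parameter and the wrong "details" shape; a policy shaped like the one in the answer passes both checks.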
