I am trying to build a custom seccomp template for Azure Policy with Terraform, and I keep running into errors when I add multiple parameters in the same way the built-in template is constructed. If I build the same thing in Azure by hand, I have no problems.
Below is my Terraform, and the error I keep getting for this example is
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRuleEffectDetails" Message="The policy definition 'k8s_seccomp_governance' rule is invalid. The policy effect 'details' property could not be parsed."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
Code:
resource "azurerm_policy_definition" "k8s_seccomp_governance" {
  name         = "k8s_seccomp_governance"
  description  = "Kubernetes cluster containers should only use allowed seccomp profiles"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "AMPS K8s Seccomp Governance"
  metadata     = <<METADATA
{
  "category": "Kubernetes",
  "version": "1.0.0"
}
METADATA
  policy_rule  = <<POLICY_RULE
{
  "if": {
    "field": "type",
    "in": [
      "AKS Engine",
      "Microsoft.Kubernetes/connectedClusters",
      "Microsoft.ContainerService/managedClusters"
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
      "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
      "excludedNamespaces": "[parameters('excludedNamespaces')]"
    }
  }
}
POLICY_RULE
  parameters   = <<PARAMETERS
{
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
    },
    "allowedValues": ["audit", "deny", "disabled"],
    "defaultValue": "audit"
  },
  "excludedNamespaces": {
    "type": "Array",
    "metadata": {
      "displayName": "Namespace exclusions",
      "description": "List of Kubernetes namespaces to exclude from policy evaluation."
    },
    "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]
  }
}
PARAMETERS
}

One more thing:
If I do not include the description, then I get this error instead:
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UnusedPolicyParameters" Message="The policy 'k8s_seccomp_governance' has defined parameters 'excludedNamespaces' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
Posted on 2021-09-24 15:35:33
I was able to solve this. The problem was that I was using mode = "All"; it needs to be changed to mode = "Microsoft.Kubernetes.Data" for it to work.
https://stackoverflow.com/questions/69315917