Azure Policy: storage account diagnostic logging

Posted: 2021-04-07 21:10:05

Tags: azure azure-storage azure-monitoring azure-policy

I have been trying to get this policy to fully check that the blob, file, queue and table services have diagnostic settings configured correctly. The end result should be that every storage service sends diagnostic logs for the StorageRead, StorageWrite and StorageDelete categories to the Log Analytics workspace.

Note that this uses the newer approach described at https://docs.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal

The main issue I have been trying to solve is the logic for detecting this across all of the blob services. The deployment logic works fine; it is just the compliance-check part, which should ensure that the blob, file, queue and table services are enabled. Currently the following returns

No related resources match the effect details in the policy definition. (Error code: Not Found)

```json
{
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "allOf": [
            {
              "count": {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                "where": {
                  "allOf": [
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                      "in": [
                        "StorageRead",
                        "StorageWrite",
                        "StorageDelete"
                      ]
                    },
                    {
                      "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                      "equals": "[parameters('logsEnabled')]"
                    }
                  ]
                }
              },
              "greater": 0
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
              "equals": "[parameters('logAnalytics')]"
            }
          ]
        }
      }
    }
  }
}
```
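
As an added example (not code from the question and not one of Microsoft's built-in definitions), the following complete policy definition shows the two changes a reviewer would make to the fragment above. First, in the newer monitoring model the StorageRead/StorageWrite/StorageDelete log categories are attached to the child service resources (`Microsoft.Storage/storageAccounts/blobServices`, `fileServices`, `queueServices`, `tableServices`), not to the storage account itself; a policy whose `if` block matches `Microsoft.Storage/storageAccounts` therefore looks for diagnostic settings on a resource that has none, which is consistent with the "No related resources match the effect details" result. Targeting the four child types makes each service evaluated on its own, so an account with blob logging but no queue logging is reported as non-compliant on its queue service. Second, `"greater": 0` is satisfied by a single enabled category; requiring `"equals": 3` means all three categories must be enabled and routed to the expected workspace. The parameter names `effect`, `logAnalytics` and `logsEnabled` come from the question; the `mode`, the `parameters` block and `displayName`/`description` metadata are assumptions about the rest of the questioner's definition. `"mode": "All"` is used so that the child service resources, which carry no tags or location, are evaluated.

```json
{
  "properties": {
    "displayName": "Audit diagnostic logs on storage account services",
    "mode": "All",
    "description": "Assumed metadata. Flags blob, file, queue and table services whose diagnostic settings do not send StorageRead, StorageWrite and StorageDelete logs to the expected Log Analytics workspace.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "AuditIfNotExists",
        "allowedValues": ["AuditIfNotExists", "Disabled"]
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Resource ID of the workspace that must receive the logs.",
          "strongType": "omsWorkspace"
        }
      },
      "logsEnabled": {
        "type": "String",
        "defaultValue": "True",
        "allowedValues": ["True", "False"]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Storage/storageAccounts/blobServices",
          "Microsoft.Storage/storageAccounts/fileServices",
          "Microsoft.Storage/storageAccounts/queueServices",
          "Microsoft.Storage/storageAccounts/tableServices"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "count": {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                  "where": {
                    "allOf": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                        "in": ["StorageRead", "StorageWrite", "StorageDelete"]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                        "equals": "[parameters('logsEnabled')]"
                      }
                    ]
                  }
                },
                "equals": 3
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          }
        }
      }
    }
  }
}
```

The `existenceCondition` is evaluated against every diagnostic setting on the service; it passes when at least one setting has all three categories enabled and points at the given workspace, so a setting that sends only `StorageDelete`, or sends the full set to a different workspace, does not count. When checking results, inspect the compliance state per child service rather than per storage account, since that is the scope at which the policy now reports.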

0 answers:

No answers yet