แก้ไข

แชร์ผ่าน


Azure Policy pattern: the value operator

The value operator evaluates parameters, supported template functions, or literals to a provided value for a given condition.

Warning

If the result of a template function is an error, policy evaluation fails. A failed evaluation is an implicit deny. For more information, see avoiding template failures.

Sample policy definition

This policy definition adds or replaces the tag specified in the parameter tagName (string) on resources and inherits the value for tagName from the resource group the resource is in. This evaluation happens when the resource is created or updated. As a modify effect, the remediation may be run on existing resources through a remediation task.

{
    "properties": {
        "displayName": "Inherit a tag from the resource group",
        "policyType": "BuiltIn",
        "mode": "Indexed",
        "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
                    },
                    {
                        "value": "[resourceGroup().tags[parameters('tagName')]]",
                        "notEquals": ""
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[resourceGroup().tags[parameters('tagName')]]"
                    }]
                }
            }
        }
    }
}

Explanation

"if": {
    "allOf": [{
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
        },
        {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
        }
    ]
},

The value operator is used within the policyRule.if block within properties. In this example, the logical operator allOf is used to state that both conditional statements must be true for the effect, modify, to take place.

value evaluates the result of the template function resourceGroup() to the condition notEquals of a blank value. If the tag name provided in tagName on the parent resource group exists, the conditional evaluates to true.

Next steps