Subscription deployments with ARM templates
To simplify the management of resources, you can use an Azure Resource Manager template (ARM template) to deploy resources at the level of your Azure subscription. For example, you can deploy policies and Azure role-based access control (Azure RBAC) to your subscription, which applies them across your subscription. You can also create resource groups within the subscription and deploy resources to resource groups in the subscription.
Note
You can deploy up to 800 different resource groups in a subscription-level deployment.
To deploy templates at the subscription level, use Azure CLI, PowerShell, the REST API, or the portal.
Supported resources
Not all resource types can be deployed to the subscription level. This section lists which resource types are supported.
For Azure Blueprints, use:
For Azure Policy, use:
For access control, use:
- accessReviewScheduleDefinitions
- accessReviewScheduleSettings
- roleAssignments
- roleAssignmentScheduleRequests
- roleDefinitions
- roleEligibilityScheduleRequests
- roleManagementPolicyAssignments
For nested templates that deploy to resource groups, use:
For creating new resource groups, use:
For managing your subscription, use:
For monitoring, use:
For security, use:
- advancedThreatProtectionSettings
- alertsSuppressionRules
- assessmentMetadata
- assessments
- autoProvisioningSettings
- connectors
- deviceSecurityGroups
- ingestionSettings
- pricings
- securityContacts
- settings
- workspaceSettings
Other supported types include:
Schema
The schema you use for subscription-level deployments is different from the schema for resource group deployments.
For templates, use:
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  ...
}
The schema for a parameter file is the same for all deployment scopes. For parameter files, use:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  ...
}
Deployment commands
To deploy to a subscription, use the subscription-level deployment commands.
For Azure CLI, use az deployment sub create. The following example deploys a template to create a resource group:
az deployment sub create \
  --name demoSubDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/emptyrg.json" \
  --parameters rgName=demoResourceGroup rgLocation=centralus
For more detailed information about deployment commands and options for deploying ARM templates, see:
- Deploy resources with ARM templates and the Azure portal
- Deploy resources with ARM templates and Azure CLI
- Deploy resources with ARM templates and Azure PowerShell
- Deploy resources with ARM templates and the Azure Resource Manager REST API
- Use a deployment button to deploy templates from a GitHub repository
- Deploy ARM templates from Cloud Shell
Deployment location and name
For subscription-level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data. Management group and tenant deployments also require a location. For resource group deployments, the location of the resource group is used to store the deployment data.
You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.
For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. For example, if you create a subscription deployment with the name deployment1 in centralus, you can't later create another deployment with the name deployment1 but a location of westus. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.
Deployment scopes
When deploying to a subscription, you can deploy resources to:
- the target subscription from the operation
- any subscription in the tenant
- a resource group within the subscription or another subscription
- the tenant for the subscription
The only prohibited scope transitions are from resource group to management group, or from subscription to management group.
An extension resource can be scoped to a target that is different from the deployment target.
The user deploying the template must have access to the specified scope.
This section shows how to specify different scopes. You can combine these different scopes in a single template.
Scope to target subscription
To deploy resources to the target subscription, add those resources to the resources section of the template.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    subscription-level-resources
  ],
  "outputs": {}
}
Scope to other subscription
To deploy resources to a subscription that is different from the subscription from the operation, add a nested deployment. Set the subscriptionId property to the ID of the subscription you want to deploy to. Set the location property for the nested deployment.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "nestedDeployment",
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "location": "westus",
      "properties": {
        "mode": "Incremental",
        "template": {
          subscription-resources
        }
      }
    }
  ],
  "outputs": {}
}
Scope to resource group
To deploy resources to a resource group within the subscription, add a nested deployment and include the resourceGroup property. In the following example, the nested deployment targets a resource group named demoResourceGroup.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "nestedDeployment",
      "resourceGroup": "demoResourceGroup",
      "properties": {
        "mode": "Incremental",
        "template": {
          resource-group-resources
        }
      }
    }
  ],
  "outputs": {}
}
For an example of deploying to a resource group, see Create resource group and resources.
Scope to tenant
To create resources at the tenant, set the scope to /. The user deploying the template must have the required access to deploy at the tenant.
To use a nested deployment, set scope and location.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "nestedDeployment",
      "location": "centralus",
      "scope": "/",
      "properties": {
        "mode": "Incremental",
        "template": {
          tenant-resources
        }
      }
    }
  ],
  "outputs": {}
}
Or, you can set the scope to / for some resource types, like management groups.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mgName": {
      "type": "string",
      "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2021-04-01",
      "name": "[parameters('mgName')]",
      "scope": "/",
      "location": "eastus",
      "properties": {}
    }
  ],
  "outputs": {
    "output": {
      "type": "string",
      "value": "[parameters('mgName')]"
    }
  }
}
For more information, see Management group.
Resource groups
Create resource groups
To create a resource group in an ARM template, define a Microsoft.Resources/resourceGroups resource with a name and location for the resource group.
The following template creates an empty resource group.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2022-09-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "properties": {}
    }
  ],
  "outputs": {}
}
Use the copy element with resource groups to create more than one resource group.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgNamePrefix": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    },
    "instanceCount": {
      "type": "int"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2022-09-01",
      "location": "[parameters('rgLocation')]",
      "name": "[concat(parameters('rgNamePrefix'), copyIndex())]",
      "copy": {
        "name": "rgCopy",
        "count": "[parameters('instanceCount')]"
      },
      "properties": {}
    }
  ],
  "outputs": {}
}
For information about resource iteration, see Resource iteration in ARM templates and Tutorial: Create multiple resource instances with ARM templates.
Create resource group and resources
To create the resource group and deploy resources to it, use a nested template. The nested template defines the resources to deploy to the resource group. Set the nested template as dependent on the resource group to make sure the resource group exists before deploying the resources. You can deploy to up to 800 resource groups.
The following example creates a resource group and deploys a storage account to that resource group.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    },
    "storagePrefix": {
      "type": "string",
      "maxLength": 11
    }
  },
  "variables": {
    "storageName": "[format('{0}{1}', parameters('storagePrefix'), uniqueString(subscription().id, parameters('rgName')))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2022-09-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2022-09-01",
      "name": "storageDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2022-09-01",
              "name": "[variables('storageName')]",
              "location": "[parameters('rgLocation')]",
              "sku": {
                "name": "Standard_LRS"
              },
              "kind": "StorageV2"
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
      ]
    }
  ]
}
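The scope rules from the Deployment scopes section and the dependsOn requirement just described can be checked mechanically before a template is submitted, which is cheaper than discovering a forbidden scope transition or a race against resource-group creation at deployment time. The following Python script is an added example, not Microsoft's tooling and not one of the page's GitHub samples: it encodes only the rules stated on this page (nested deployments to another subscription or to the tenant need a location; subscription to management group is a forbidden transition; a nested deployment into a resource group created by the same template must depend on that resource group; at most 800 resource groups per deployment). The function names, finding codes, the management-group detection heuristic and the two sample templates are this example's own assumptions.

```python
"""Static checks for a subscription-level ARM template (added example)."""
import json

SUB_SCHEMA = ("https://schema.management.azure.com/schemas/2018-05-01/"
              "subscriptionDeploymentTemplate.json#")
DEPLOYMENT = "Microsoft.Resources/deployments"
RESOURCE_GROUP = "Microsoft.Resources/resourceGroups"
MAX_RESOURCE_GROUPS = 800
# Assumption of this example: a scope string naming a management group marks
# a management-group target, which a subscription deployment must not use.
MG_MARKER = "Microsoft.Management/managementGroups/"


def target_scope(res):
    """Classify where a resource declared in a subscription-level template lands."""
    scope = res.get("scope") or ""
    if MG_MARKER in scope:
        return "managementGroup"
    if res.get("type") == DEPLOYMENT:
        if "resourceGroup" in res:
            return "resourceGroup"
        if "subscriptionId" in res:
            return "otherSubscription"
    return "tenant" if scope == "/" else "subscription"


def resource_group_count(resources):
    """Count resourceGroups resources; a literal copy.count multiplies the total."""
    total = 0
    for res in resources:
        if res.get("type") == RESOURCE_GROUP:
            count = res.get("copy", {}).get("count", 1)
            total += count if isinstance(count, int) else 1
    return total


def check_template(template):
    """Return a list of finding strings; an empty list means no rule was broken."""
    findings = []
    if template.get("$schema") != SUB_SCHEMA:
        findings.append("E001: $schema is not the subscription deployment schema")
    resources = template.get("resources", [])
    if resource_group_count(resources) > MAX_RESOURCE_GROUPS:
        findings.append(f"E005: more than {MAX_RESOURCE_GROUPS} resource groups in one deployment")
    created_rgs = {r.get("name") for r in resources if r.get("type") == RESOURCE_GROUP}
    for res in resources:
        name = res.get("name", "<unnamed>")
        scope = target_scope(res)
        if scope == "managementGroup":
            findings.append(f"E002: {name}: subscription -> management group is a forbidden scope transition")
        if res.get("type") != DEPLOYMENT:
            continue
        if scope in ("otherSubscription", "tenant") and "location" not in res:
            findings.append(f"E003: {name}: nested deployment to {scope} needs a location")
        if scope == "resourceGroup" and res["resourceGroup"] in created_rgs:
            deps = res.get("dependsOn", [])
            if not any(RESOURCE_GROUP in d or d == res["resourceGroup"] for d in deps):
                findings.append(f"E004: {name}: targets a resource group created in this template without dependsOn")
    return findings


def check_file(path):
    """Load a template file from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_template(json.load(fh))


# Constructed sample templates for this example (not the page's GitHub samples).
GOOD_TEMPLATE = {
    "$schema": SUB_SCHEMA,
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": RESOURCE_GROUP, "apiVersion": "2022-09-01", "name": "[parameters('rgName')]",
         "location": "[parameters('rgLocation')]", "properties": {}},
        {"type": DEPLOYMENT, "apiVersion": "2022-09-01", "name": "storageDeployment",
         "resourceGroup": "[parameters('rgName')]",
         "properties": {"mode": "Incremental", "template": {}},
         "dependsOn": ["[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"]},
    ],
}

BAD_TEMPLATE = {
    "$schema": SUB_SCHEMA,
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": RESOURCE_GROUP, "apiVersion": "2022-09-01", "name": "demoResourceGroup",
         "location": "centralus", "properties": {}},
        # deploys into the resource group above but never waits for it
        {"type": DEPLOYMENT, "apiVersion": "2021-04-01", "name": "noDependsOn",
         "resourceGroup": "demoResourceGroup", "properties": {"mode": "Incremental", "template": {}}},
        # cross-subscription nested deployment without the required location
        {"type": DEPLOYMENT, "apiVersion": "2021-04-01", "name": "crossSub",
         "subscriptionId": "00000000-0000-0000-0000-000000000000",
         "properties": {"mode": "Incremental", "template": {}}},
        # forbidden subscription -> management group transition (placeholder group name)
        {"type": DEPLOYMENT, "apiVersion": "2021-04-01", "name": "toMg", "location": "centralus",
         "scope": "Microsoft.Management/managementGroups/mg-placeholder",
         "properties": {"mode": "Incremental", "template": {}}},
    ],
}

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_template(tpl) or ["OK"])
```

Run it against a real file with check_file("azuredeploy.json"); the checks are purely syntactic, so a clean result means the template obeys the rules above, not that the deploying identity has access to every scope it names.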
Azure Policy
Assign policy definition
The following example assigns an existing policy definition to the subscription. If the policy definition takes parameters, provide them as an object. If the policy definition doesn't take parameters, use the default empty object.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionID": {
      "type": "string"
    },
    "policyName": {
      "type": "string"
    },
    "policyParameters": {
      "type": "object",
      "defaultValue": {}
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2020-03-01",
      "name": "[parameters('policyName')]",
      "properties": {
        "scope": "[subscription().id]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]",
        "parameters": "[parameters('policyParameters')]"
      }
    }
  ]
}
To deploy this template with Azure CLI, use:
# Built-in policy definition that accepts parameters
definition=$(az policy definition list --query "[?displayName=='Allowed locations'].id" --output tsv)
az deployment sub create \
  --name demoDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policyassign.json" \
  --parameters policyDefinitionID=$definition policyName=setLocation policyParameters="{'listOfAllowedLocations': {'value': ['westus']} }"
To deploy this template with PowerShell, use:
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }
$locations = @("westus", "westus2")
$policyParams = @{listOfAllowedLocations = @{ value = $locations }}
New-AzSubscriptionDeployment `
  -Name policyassign `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policyassign.json" `
  -policyDefinitionID $definition.PolicyDefinitionId `
  -policyName setLocation `
  -policyParameters $policyParams
Create and assign policy definitions
You can define and assign a policy definition in the same template.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2020-03-01",
      "name": "locationpolicy",
      "properties": {
        "policyType": "Custom",
        "parameters": {},
        "policyRule": {
          "if": {
            "field": "location",
            "equals": "northeurope"
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2020-03-01",
      "name": "location-lock",
      "dependsOn": [
        "locationpolicy"
      ],
      "properties": {
        "scope": "[subscription().id]",
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'locationpolicy')]"
      }
    }
  ]
}
To create the policy definition in your subscription and assign it to the subscription, use the following CLI command:
az deployment sub create \
  --name demoDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policydefineandassign.json"
To deploy this template with PowerShell, use:
New-AzSubscriptionDeployment `
  -Name definePolicy `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policydefineandassign.json"
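Before deploying a custom policyRule like the one above, or assigning a parameterised built-in with a policyParameters object like the "Allowed locations" assignment earlier in this section, it helps to see how the rule resolves against a concrete resource. The following Python evaluator is an added example, not Azure Policy's engine: it handles the condition shapes used on this page (field with equals/notEquals/in/notIn, combined by allOf/anyOf/not), resolves [parameters('x')] from an assignment's parameters object in the same {"name": {"value": ...}} form as policyParameters above, and compares strings case-insensitively as Azure Policy does. LOCATION_POLICY is the page's own rule; ALLOWED_LOCATIONS_RULE is constructed here to mirror the built-in the page assigns and is not copied from it; the function names are this example's.

```python
"""Minimal evaluator for Azure Policy rules of the shape shown on this page (added example)."""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, assignment_params):
    """Replace a [parameters('x')] expression with the value from the assignment."""
    if isinstance(value, str):
        match = PARAM_RE.match(value)
        if match:
            return assignment_params[match.group(1)]["value"]
    return value


def norm(value):
    """Azure Policy string comparisons are case-insensitive; lower-case for comparison."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [norm(v) for v in value]
    return value


def field_value(resource, field):
    """Supported fields in this example: top-level keys such as type, location, name, and tags[<key>]."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    return resource.get(field)


def matches(condition, resource, params):
    """Evaluate one condition block (logical operators recurse)."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    actual = norm(field_value(resource, condition["field"]))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in condition:
            expected = norm(resolve(condition[op], params))
            break
    else:
        raise ValueError(f"unsupported condition: {condition}")
    if op == "equals":
        return actual == expected
    if op == "notEquals":
        return actual != expected
    if op == "in":
        return actual in expected
    return actual not in expected


def evaluate(policy_rule, resource, assignment_params=None):
    """Return the effect (for example 'deny') when the rule applies, otherwise None."""
    params = assignment_params or {}
    if matches(policy_rule["if"], resource, params):
        return resolve(policy_rule["then"]["effect"], params)
    return None


# The custom rule from the policyDefinitions resource on this page.
LOCATION_POLICY = {"if": {"field": "location", "equals": "northeurope"},
                   "then": {"effect": "deny"}}

# Constructed rule modelled on the built-in "Allowed locations" definition the
# page assigns; it takes the same listOfAllowedLocations parameter.
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}

# Same shape as the policyParameters object passed on the command line above.
ALLOWED_LOCATIONS_PARAMS = {"listOfAllowedLocations": {"value": ["westus"]}}

if __name__ == "__main__":
    # Constructed resource for the demonstration.
    vm = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "location": "NorthEurope"}
    print(evaluate(LOCATION_POLICY, vm))  # deny
    print(evaluate(ALLOWED_LOCATIONS_RULE, {**vm, "location": "westus"}, ALLOWED_LOCATIONS_PARAMS))  # None
```

The evaluator returns None rather than an "allow" effect when the if block does not match, mirroring the fact that a non-matching policy simply does not apply; a resource is only blocked when some assigned rule yields deny.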
Azure Blueprints
Create blueprint definition
You can create a blueprint definition from a template.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "blueprintName": {
      "defaultValue": "sample-blueprint",
      "type": "String",
      "metadata": {
        "description": "The name of the blueprint definition."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Blueprint/blueprints",
      "apiVersion": "2018-11-01-preview",
      "name": "[parameters('blueprintName')]",
      "properties": {
        "targetScope": "subscription",
        "description": "Blueprint with a policy assignment artifact.",
        "resourceGroups": {
          "sampleRg": {
            "description": "Resource group to add the assignment to."
          }
        },
        "parameters": {
          "listOfResourceTypesNotAllowed": {
            "type": "array",
            "metadata": {
              "displayName": "Resource types to pass to the policy assignment artifact."
            },
            "defaultValue": [
              "Citrix.Cloud/accounts"
            ]
          }
        }
      }
    },
    {
      "type": "Microsoft.Blueprint/blueprints/artifacts",
      "apiVersion": "2018-11-01-preview",
      "name": "[concat(parameters('blueprintName'), '/policyArtifact')]",
      "kind": "policyAssignment",
      "dependsOn": [
        "[parameters('blueprintName')]"
      ],
      "properties": {
        "displayName": "Blocked Resource Types policy definition",
        "description": "Block certain resource types",
        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', '6c112d4e-5bc7-47ae-a041-ea2d9dccd749')]",
        "resourceGroup": "sampleRg",
        "parameters": {
          "listOfResourceTypesNotAllowed": {
            "value": "[[parameters('listOfResourceTypesNotAllowed')]"
          }
        }
      }
    }
  ]
}
To create the blueprint definition in your subscription, use the following CLI command:
az deployment sub create \
  --name demoDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/subscription-deployments/blueprints-new-blueprint/azuredeploy.json"
To deploy this template with PowerShell, use:
New-AzSubscriptionDeployment `
  -Name demoDeployment `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/subscription-deployments/blueprints-new-blueprint/azuredeploy.json"
Access control
To learn about assigning roles, see Assign Azure roles using Azure Resource Manager templates.
The following example creates a resource group, applies a lock to it, and assigns a role to a principal.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.5.6.12127",
      "templateHash": "16815708176905569328"
    }
  },
  "parameters": {
    "rgName": {
      "type": "string",
      "metadata": {
        "description": "Name of the resourceGroup to create"
      }
    },
    "rgLocation": {
      "type": "string",
      "metadata": {
        "description": "Location for the resourceGroup"
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "principalId of the user that will be given contributor access to the resourceGroup"
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "metadata": {
        "description": "roleDefinition to apply to the resourceGroup - default is contributor"
      }
    },
    "roleAssignmentName": {
      "type": "string",
      "defaultValue": "[guid(parameters('principalId'), parameters('roleDefinitionId'), parameters('rgName'))]",
      "metadata": {
        "description": "Unique name for the roleAssignment in the format of a guid"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "tags": {
        "Note": "subscription level deployment"
      },
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-10-01",
      "name": "applyLock",
      "resourceGroup": "[parameters('rgName')]",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "mode": "Incremental",
        "parameters": {
          "principalId": {
            "value": "[parameters('principalId')]"
          },
          "roleDefinitionId": {
            "value": "[parameters('roleDefinitionId')]"
          },
          "roleAssignmentName": {
            "value": "[parameters('roleAssignmentName')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "metadata": {
            "_generator": {
              "name": "bicep",
              "version": "0.5.6.12127",
              "templateHash": "6034226420560042393"
            }
          },
          "parameters": {
            "principalId": {
              "type": "string",
              "metadata": {
                "description": "principalId of the user that will be given contributor access to the resourceGroup"
              }
            },
            "roleDefinitionId": {
              "type": "string",
              "metadata": {
                "description": "roleDefinition to apply to the resourceGroup - default is contributor"
              }
            },
            "roleAssignmentName": {
              "type": "string",
              "metadata": {
                "description": "Unique name for the roleAssignment in the format of a guid"
              }
            }
          },
          "resources": [
            {
              "type": "Microsoft.Authorization/locks",
              "apiVersion": "2016-09-01",
              "name": "DontDelete",
              "properties": {
                "level": "CanNotDelete",
                "notes": "Prevent deletion of the resourceGroup"
              }
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2020-04-01-preview",
              "name": "[guid(parameters('roleAssignmentName'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
              }
            }
          ]
        }
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('rgName'))]"
      ]
    }
  ]
}
Next steps
- For an example of deploying workspace settings for Microsoft Defender for Cloud, see deployASCwithWorkspaceSettings.json.
- Sample templates can be found on GitHub.
- You can also deploy templates at the management group level and the tenant level.