Azure 原則模式:效果
Azure 原則有許多效果,可決定服務如何回應不符合規範的資源。 有些效果很簡單,不需要原則定義中的其他屬性,而有些則需要數個屬性。
範例 1:簡單效果
此原則定義會檢查 tagName 參數中定義的標記是否存在於已評估的資源上。 如果標記尚不存在,則會觸發 modify 效果,使用 tagValue 參數中的值新增標記。
{
"properties": {
"displayName": "Add a tag to resource groups",
"policyType": "BuiltIn",
"mode": "All",
"description": "Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
"metadata": {
"version": "1.0.0",
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[parameters('tagValue')]"
}]
}
}
}
}
}
範例 1:說明
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[parameters('tagValue')]"
}]
}
modify 效果需要 policyRule.then.details 區塊,以定義 roleDefinitionIds 和 operations。 這些參數會告知 Azure 原則需要哪些角色才能新增標籤並補救資源,以及要執行哪個 modify 作業。 在此範例中,會使用新增作業和參數來設定標籤和其值。
範例 2:複雜效果
此原則定義會在延伸模組不存在時稽核每個虛擬機器,延伸模組會在 publisher 和 type 參數中定義。 其使用 auditIfNotExists 來檢查與虛擬機器相關的資源,以查看是否有執行個體符合定義的參數。 此範例會檢查延伸模組類型。
{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "audit-vm-extension",
"properties": {
"displayName": "Audit if extension does not exist",
"description": "This policy audits if a required extension doesn't exist.",
"parameters": {
"publisher": {
"type": "String",
"metadata": {
"description": "The publisher of the extension",
"displayName": "Extension Publisher"
}
},
"type": {
"type": "String",
"metadata": {
"description": "The type of the extension",
"displayName": "Extension Type"
}
}
},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"MicrosoftWindowsServer"
]
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"WindowsServer"
]
}
]
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"allOf": [{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "[parameters('publisher')]"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "[parameters('type')]"
}
]
}
}
}
}
}
}
範例 2:說明
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"allOf": [{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "[parameters('publisher')]"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "[parameters('type')]"
}
]
}
}
auditIfNotExists 效果需要 policyRule.then.details 區塊,以定義要尋找的 type 和 existenceCondition。 existenceCondition 會使用原則語言元素 (例如邏輯運算子) 來判斷相符的相關資源是否存在。 在此範例中,針對每個別名檢查的值會定義在參數中。
下一步
- 檢閱其他模式和內建定義。
- 檢閱 Azure 原則定義結構。
- 檢閱了解原則效果。