Policy Restrictions - Check At Resource Group Scope

參考

服務:: Policy

API 版本:: 2023-03-01

檢查 Azure 原則會對資源群組內的資源放置哪些限制。當資源群組中建立資源已已知時，請使用此選項。

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01

URI 參數

名稱	位於	必要	類型	Description
resourceGroupName	path	True	string minLength: 1 maxLength: 90	資源群組的名稱。名稱不區分大小寫。
subscriptionId	path	True	string minLength: 1	目標訂用帳戶的標識碼。
api-version	query	True	string minLength: 1	要用於這項作業的 API 版本。

要求本文

名稱	必要	類型	Description
resourceDetails	True	CheckRestrictionsResourceDetails	將評估之資源的相關信息。
includeAuditEffect		boolean	是否要在結果中包含具有「稽核」效果的原則。默認值為 false。
pendingFields		PendingField[]	應評估是否有潛在限制的欄位和值清單。

回應

名稱	類型	Description
200 OK	CheckRestrictionsResult	Azure 原則將針對資源的限制。
Other Status Codes	ErrorResponse	描述作業失敗原因的錯誤回應。

安全性

azure_auth

Azure Active Directory OAuth2 Flow

類型: oauth2
Flow: implicit
授權 URL: https://login.microsoftonline.com/common/oauth2/authorize

範圍

名稱	Description
user_impersonation	模擬您的用戶帳戶

範例

Check policy restrictions at resource group scope

Check policy restrictions at resource group scope including audit effect

Check policy restrictions at resource group scope

範例要求

HTTP

POST https://management.azure.com/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/vmRg/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01

{
  "resourceDetails": {
    "resourceContent": {
      "type": "Microsoft.Compute/virtualMachines",
      "properties": {
        "priority": "Spot"
      }
    },
    "apiVersion": "2019-12-01"
  },
  "pendingFields": [
    {
      "field": "name",
      "values": [
        "myVMName"
      ]
    },
    {
      "field": "location",
      "values": [
        "eastus",
        "westus",
        "westus2",
        "westeurope"
      ]
    },
    {
      "field": "tags"
    }
  ]
}

範例回覆

狀態碼:: 200

{
  "fieldRestrictions": [
    {
      "field": "tags.newtag",
      "restrictions": [
        {
          "result": "Required",
          "defaultValue": "defaultVal",
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "tags.newtag is required"
        }
      ]
    },
    {
      "field": "tags.environment",
      "restrictions": [
        {
          "result": "Required",
          "values": [
            "Prod",
            "Int",
            "Test"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "tags.environment is required"
        }
      ]
    },
    {
      "field": "location",
      "restrictions": [
        {
          "result": "Deny",
          "values": [
            "west europe"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "location must be one of the following: eastus, westus, westus2"
        },
        {
          "result": "Deny",
          "values": [
            "eastus",
            "westus"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "location must be one of the following: westus2"
        }
      ]
    }
  ],
  "contentEvaluationResult": {
    "policyEvaluations": [
      {
        "policyInfo": {
          "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41",
          "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E",
          "policyDefinitionReferenceId": "defref222",
          "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37"
        },
        "evaluationResult": "NonCompliant",
        "evaluationDetails": {
          "evaluatedExpressions": [
            {
              "result": "True",
              "expressionKind": "field",
              "expression": "type",
              "path": "type",
              "expressionValue": "microsoft.compute/virtualmachines",
              "targetValue": "microsoft.compute/virtualmachines",
              "operator": "equals"
            }
          ]
        },
        "effectDetails": {
          "policyEffect": "Deny"
        }
      }
    ]
  }
}

Check policy restrictions at resource group scope including audit effect

範例要求

HTTP

POST https://management.azure.com/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/vmRg/providers/Microsoft.PolicyInsights/checkPolicyRestrictions?api-version=2023-03-01

{
  "resourceDetails": {
    "resourceContent": {
      "type": "Microsoft.Compute/virtualMachines",
      "properties": {
        "priority": "Spot"
      }
    },
    "apiVersion": "2019-12-01"
  },
  "pendingFields": [
    {
      "field": "name",
      "values": [
        "myVMName"
      ]
    },
    {
      "field": "location",
      "values": [
        "eastus",
        "westus",
        "westus2",
        "westeurope"
      ]
    },
    {
      "field": "tags"
    }
  ],
  "includeAuditEffect": true
}

範例回覆

狀態碼:: 200

{
  "fieldRestrictions": [
    {
      "field": "tags.newtag",
      "restrictions": [
        {
          "result": "Required",
          "defaultValue": "defaultVal",
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "tags.newtag is required"
        }
      ]
    },
    {
      "field": "tags.environment",
      "restrictions": [
        {
          "result": "Required",
          "values": [
            "Prod",
            "Int",
            "Test"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Audit",
          "reason": "tags.environment is required"
        }
      ]
    },
    {
      "field": "location",
      "restrictions": [
        {
          "result": "Deny",
          "values": [
            "west europe"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Deny",
          "reason": "The selected location is not allowed"
        },
        {
          "result": "Audit",
          "values": [
            "eastus",
            "westus"
          ],
          "policy": {
            "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B",
            "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D",
            "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B",
            "policyDefinitionReferenceId": "DefRef"
          },
          "policyEffect": "Audit",
          "reason": "The selected location is not allowed"
        }
      ]
    }
  ],
  "contentEvaluationResult": {
    "policyEvaluations": [
      {
        "policyInfo": {
          "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41",
          "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E",
          "policyDefinitionReferenceId": "defref222",
          "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37"
        },
        "evaluationResult": "NonCompliant",
        "evaluationDetails": {
          "evaluatedExpressions": [
            {
              "result": "True",
              "expressionKind": "field",
              "expression": "type",
              "path": "type",
              "expressionValue": "microsoft.compute/virtualmachines",
              "targetValue": "microsoft.compute/virtualmachines",
              "operator": "equals"
            }
          ],
          "reason": "Resource creation of the selected type is not allowed"
        },
        "effectDetails": {
          "policyEffect": "Audit"
        }
      }
    ]
  }
}

定義

名稱	Description
CheckRestrictionEvaluationDetails	原則評估詳細數據。
CheckRestrictionsRequest	檢查原則限制參數，描述正在評估的資源。
CheckRestrictionsResourceDetails	將評估之資源的相關信息。
CheckRestrictionsResult	資源上檢查原則限制評估的結果。
ContentEvaluationResult	所提供部分資源內容的評估結果。
ErrorDefinition	錯誤定義。
ErrorResponse	錯誤回應。
ExpressionEvaluationDetails	原則語言表達式的評估詳細數據。
FieldRestriction	特定原則所強加之欄位的限制。
FieldRestrictionResult	對欄位施加的限制類型。
FieldRestrictions	將依原則在資源中的欄位上設定的限制。
IfNotExistsEvaluationDetails	IfNotExists 效果的評估詳細數據。
PendingField	應根據 Azure 原則評估的欄位，以判斷限制。
PolicyEffectDetails	套用至資源之效果的詳細數據。
PolicyEvaluationResult	針對指定資源內容進行不符合規範的原則評估結果。
PolicyReference	原則的資源標識碼。
TypedErrorInfo	案例特定錯誤詳細數據。

CheckRestrictionEvaluationDetails

Object

原則評估詳細數據。

名稱	類型	Description
evaluatedExpressions	ExpressionEvaluationDetails[]	評估表達式的詳細數據。
ifNotExistsDetails	IfNotExistsEvaluationDetails	IfNotExists 效果的評估詳細數據。
reason	string	評估結果的原因。

CheckRestrictionsRequest

Object

檢查原則限制參數，描述正在評估的資源。

名稱	類型	預設值	Description
includeAuditEffect	boolean	False	是否要在結果中包含具有「稽核」效果的原則。默認值為 false。
pendingFields	PendingField[]		應評估是否有潛在限制的欄位和值清單。
resourceDetails	CheckRestrictionsResourceDetails		將評估之資源的相關信息。

CheckRestrictionsResourceDetails

Object

將評估之資源的相關信息。

名稱	類型	Description
apiVersion	string	資源內容的 API 版本。
resourceContent	object	資源內容。這應該包含任何已知屬性，而且可以是所有資源屬性的一組部分。
scope	string	正在建立資源的範圍。例如，如果資源是子資源，這會是父資源的資源標識符。

CheckRestrictionsResult

Object

資源上檢查原則限制評估的結果。

名稱	類型	Description
contentEvaluationResult	ContentEvaluationResult	所提供部分資源內容的評估結果。
fieldRestrictions	FieldRestrictions[]	原則將放在資源中各種欄位的限制。

ContentEvaluationResult

Object

所提供部分資源內容的評估結果。

名稱	類型	Description
policyEvaluations	PolicyEvaluationResult[]	針對指定資源內容的原則評估結果。這表示所提供的部分內容是否會遭到拒絕，as-is。

ErrorDefinition

Object

錯誤定義。

名稱	類型	Description
additionalInfo	TypedErrorInfo[]	其他案例特定錯誤詳細數據。
code	string	服務特定的錯誤碼，做為 HTTP 錯誤碼的子狀態。
details	ErrorDefinition[]	內部錯誤詳細數據。
message	string	錯誤的描述。
target	string	錯誤的目標。

ErrorResponse

Object

錯誤回應。

名稱	類型	Description
error	ErrorDefinition	錯誤詳細數據。

ExpressionEvaluationDetails

Object

原則語言表達式的評估詳細數據。

名稱	類型	Description
expression	string	評估的表達式。
expressionKind	string	評估的表達式種類。
expressionValue	object	表達式的值。
operator	string	比較表達式值和目標值的運算元。
path	string	如果表達式是欄位或別名，則屬性路徑。
result	string	評估結果。
targetValue	object	要與表達式值比較的目標值。

FieldRestriction

Object

特定原則所強加之欄位的限制。

名稱	類型	Description
defaultValue	string	如果使用者未提供值，則原則會為字段設定的值。
policy	PolicyReference	造成欄位限制的原則詳細數據。
policyEffect	string	造成欄位限制的原則效果。 http://aka.ms/policyeffects
reason	string	限制的原因。
result	FieldRestrictionResult	對欄位施加的限制類型。
values	string[]	原則要求或拒絕欄位的值。

FieldRestrictionResult

列舉型別

對欄位施加的限制類型。

值	Description
Audit	欄位和/或值將由原則稽核。
Deny	原則會拒絕欄位和/或值。
Removed	欄位將會由原則移除。
Required	原則需要欄位和/或值。

FieldRestrictions

Object

將依原則在資源中的欄位上設定的限制。

名稱	類型	Description
field	string	功能變數名稱。這可以是最上層屬性，例如 'name' 或 'type' 或 Azure 原則欄位別名。
restrictions	FieldRestriction[]	原則對該欄位的限制。

IfNotExistsEvaluationDetails

Object

IfNotExists 效果的評估詳細數據。

名稱	類型	Description
resourceId	string	IfNotExists 效果最後評估資源標識符。
totalResources	integer	存在條件適用的資源總數。

PendingField

Object

應根據 Azure 原則評估的欄位，以判斷限制。

名稱	類型	Description
field	string	功能變數名稱。這可以是最上層屬性，例如 'name' 或 'type' 或 Azure 原則欄位別名。
values	string[]	應根據 Azure 原則評估之字段的潛在值清單。

PolicyEffectDetails

Object

套用至資源之效果的詳細數據。

名稱	類型	Description
policyEffect	string	套用至資源的效果。 http://aka.ms/policyeffects

PolicyEvaluationResult

Object

針對指定資源內容進行不符合規範的原則評估結果。

名稱	類型	Description
effectDetails	PolicyEffectDetails	套用至資源之效果的詳細數據。
evaluationDetails	CheckRestrictionEvaluationDetails	評估的原則表達式和值的詳細結果。
evaluationResult	string	針對資源的原則評估結果。這通常為『NonCompliant』，但如果發生錯誤，可能會包含其他值。
policyInfo	PolicyReference	評估之原則的詳細數據。

PolicyReference

Object

原則的資源標識碼。

名稱	類型	Description
policyAssignmentId	string	原則指派的資源標識碼。
policyDefinitionId	string	原則定義的資源標識碼。
policyDefinitionReferenceId	string	原則集定義內特定原則定義的參考標識符。
policySetDefinitionId	string	原則集定義的資源標識碼。

TypedErrorInfo

Object

案例特定錯誤詳細數據。

名稱	類型	Description
info		案例特定的錯誤詳細數據。
type	string	包含的錯誤詳細數據類型。

共用方式為

Policy Restrictions - Check At Resource Group Scope

URI 參數

要求本文

回應

安全性

azure_auth

範圍

範例

Check policy restrictions at resource group scope

範例要求

範例回覆

Check policy restrictions at resource group scope including audit effect

範例要求

範例回覆

定義

CheckRestrictionEvaluationDetails

CheckRestrictionsRequest

CheckRestrictionsResourceDetails

CheckRestrictionsResult

ContentEvaluationResult

ErrorDefinition

ErrorResponse

ExpressionEvaluationDetails

FieldRestriction

FieldRestrictionResult

FieldRestrictions

IfNotExistsEvaluationDetails

PendingField

PolicyEffectDetails

PolicyEvaluationResult

PolicyReference

TypedErrorInfo