Policy Definitions - Create Or Update

參考

Service:: Policy

API Version:: 2023-04-01

在訂用帳戶中建立或更新原則定義。
此作業會使用指定的名稱，在指定的訂用帳戶中建立或更新原則定義。

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}?api-version=2023-04-01

URI 參數

名稱位於必要類型 Description

名稱	位於	必要	類型	Description
policyDefinitionName	path	True	string	要建立的原則定義名稱。 Regex pattern: `^[^<>%&:\?.+/][^<>*%&:\?.+/ ]+$`
subscriptionId	path	True	string uuid	目標訂用帳戶的標識碼。此值必須是 UUID。
api-version	query	True	string	用於此作業的 API 版本。

policyDefinitionName

path

True

string

要建立的原則定義名稱。

Regex pattern: ^[^<>*%&:\?.+/]*[^<>*%&:\?.+/ ]+$

subscriptionId

path

True

string

uuid

目標訂用帳戶的標識碼。此值必須是 UUID。

api-version

query

True

string

用於此作業的 API 版本。

要求本文

名稱	類型	Description
properties.description	string	原則定義描述。
properties.displayName	string	原則定義的顯示名稱。
properties.metadata	object	原則定義元數據。元數據是開放式物件，通常是索引鍵值組的集合。
properties.mode	string	原則定義模式。一些範例包括 All、Indexed、Microsoft.KeyVault.Data。
properties.parameters	<string, ParameterDefinitionsValue>	原則規則中使用的參數定義。索引鍵是參數名稱。
properties.policyRule	object	原則規則。
properties.policyType	policyType	原則定義的類型。可能的值為 NotSpecified、BuiltIn、Custom 和 Static。
properties.version	string	#.#.# 格式的原則定義版本。
properties.versions	string[]	此原則定義的可用版本清單。

回應

名稱	類型	Description
201 Created	PolicyDefinition	建立 - 傳回原則定義的相關信息。
Other Status Codes	CloudError	描述作業失敗原因的錯誤回應。

安全性

azure_auth

Azure Active Directory OAuth2 Flow。

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

名稱	Description
user_impersonation	模擬您的用戶帳戶

範例

Create or update a policy definition

Create or update a policy definition with advanced parameters

Create or update a policy definition

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming?api-version=2023-04-01

{
  "properties": {
    "mode": "All",
    "displayName": "Enforce resource naming convention",
    "description": "Force resource names to begin with given 'prefix' and/or end with given 'suffix'",
    "metadata": {
      "category": "Naming"
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "name",
          "like": "[concat(parameters('prefix'), '*', parameters('suffix'))]"
        }
      },
      "then": {
        "effect": "deny"
      }
    },
    "parameters": {
      "prefix": {
        "type": "String",
        "metadata": {
          "displayName": "Prefix",
          "description": "Resource name prefix"
        }
      },
      "suffix": {
        "type": "String",
        "metadata": {
          "displayName": "Suffix",
          "description": "Resource name suffix"
        }
      }
    }
  }
}

from typing import Any, IO, Union

from azure.identity import DefaultAzureCredential

from azure.mgmt.resource import PolicyClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-resource
# USAGE
    python create_or_update_policy_definition.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = PolicyClient(
        credential=DefaultAzureCredential(),
        policy_definition_name="ResourceNaming",
        policy_definition_version="POLICY_DEFINITION_VERSION",
        policy_set_definition_name="POLICY_SET_DEFINITION_NAME",
        subscription_id="ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
    )

    response = client.policy_definitions.create_or_update(
        policy_definition_name="ResourceNaming",
        parameters={
            "properties": {
                "description": "Force resource names to begin with given 'prefix' and/or end with given 'suffix'",
                "displayName": "Enforce resource naming convention",
                "metadata": {"category": "Naming"},
                "mode": "All",
                "parameters": {
                    "prefix": {
                        "metadata": {"description": "Resource name prefix", "displayName": "Prefix"},
                        "type": "String",
                    },
                    "suffix": {
                        "metadata": {"description": "Resource name suffix", "displayName": "Suffix"},
                        "type": "String",
                    },
                },
                "policyRule": {
                    "if": {
                        "not": {"field": "name", "like": "[concat(parameters('prefix'), '*', parameters('suffix'))]"}
                    },
                    "then": {"effect": "deny"},
                },
            }
        },
    )
    print(response)


# x-ms-original-file: specification/resources/resource-manager/Microsoft.Authorization/stable/2023-04-01/examples/createOrUpdatePolicyDefinition.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 201

{
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ResourceNaming",
  "properties": {
    "mode": "All",
    "displayName": "Naming Convention",
    "description": "Force resource names to begin with 'prefix' and end with 'suffix'",
    "metadata": {
      "category": "Naming"
    },
    "version": "1.2.1",
    "versions": [
      "1.2.1",
      "1.0.0"
    ],
    "policyRule": {
      "if": {
        "not": {
          "field": "name",
          "like": "[concat(parameters('prefix'), '*', parameters('suffix'))]"
        }
      },
      "then": {
        "effect": "deny"
      }
    },
    "parameters": {
      "prefix": {
        "type": "String",
        "metadata": {
          "displayName": "Prefix",
          "description": "Resource name prefix"
        }
      },
      "suffix": {
        "type": "String",
        "metadata": {
          "displayName": "Suffix",
          "description": "Resource name suffix"
        }
      }
    },
    "policyType": "Custom"
  }
}

Create or update a policy definition with advanced parameters

Sample Request

HTTP
Python

PUT https://management.azure.com/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/EventHubDiagnosticLogs?api-version=2023-04-01

{
  "properties": {
    "mode": "Indexed",
    "displayName": "Event Hubs should have diagnostic logging enabled",
    "description": "Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised",
    "metadata": {
      "category": "Event Hub"
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                "equals": "[parameters('requiredRetentionDays')]"
              }
            ]
          }
        }
      }
    },
    "parameters": {
      "requiredRetentionDays": {
        "type": "Integer",
        "defaultValue": 365,
        "allowedValues": [
          0,
          30,
          90,
          180,
          365
        ],
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required diagnostic logs retention in days"
        }
      }
    }
  }
}

from typing import Any, IO, Union

from azure.identity import DefaultAzureCredential

from azure.mgmt.resource import PolicyClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-resource
# USAGE
    python create_or_update_policy_definition_advanced_params.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = PolicyClient(
        credential=DefaultAzureCredential(),
        policy_definition_name="EventHubDiagnosticLogs",
        policy_definition_version="POLICY_DEFINITION_VERSION",
        policy_set_definition_name="POLICY_SET_DEFINITION_NAME",
        subscription_id="ae640e6b-ba3e-4256-9d62-2993eecfa6f2",
    )

    response = client.policy_definitions.create_or_update(
        policy_definition_name="EventHubDiagnosticLogs",
        parameters={
            "properties": {
                "description": "Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised",
                "displayName": "Event Hubs should have diagnostic logging enabled",
                "metadata": {"category": "Event Hub"},
                "mode": "Indexed",
                "parameters": {
                    "requiredRetentionDays": {
                        "allowedValues": [0, 30, 90, 180, 365],
                        "defaultValue": 365,
                        "metadata": {
                            "description": "The required diagnostic logs retention in days",
                            "displayName": "Required retention (days)",
                        },
                        "type": "Integer",
                    }
                },
                "policyRule": {
                    "if": {"equals": "Microsoft.EventHub/namespaces", "field": "type"},
                    "then": {
                        "details": {
                            "existenceCondition": {
                                "allOf": [
                                    {
                                        "equals": "true",
                                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                                    },
                                    {
                                        "equals": "[parameters('requiredRetentionDays')]",
                                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                                    },
                                ]
                            },
                            "type": "Microsoft.Insights/diagnosticSettings",
                        },
                        "effect": "AuditIfNotExists",
                    },
                },
            }
        },
    )
    print(response)


# x-ms-original-file: specification/resources/resource-manager/Microsoft.Authorization/stable/2023-04-01/examples/createOrUpdatePolicyDefinitionAdvancedParams.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 201

{
  "id": "/subscriptions/ae640e6b-ba3e-4256-9d62-2993eecfa6f2/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ResourceNaming",
  "properties": {
    "mode": "Indexed",
    "displayName": "Event Hubs should have diagnostic logging enabled",
    "description": "Audit enabling of logs and retain them up to a year. This enables recreation of activity trails for investigation purposes when a security incident occurs or your network is compromised",
    "metadata": {
      "category": "Event Hub"
    },
    "version": "1.2.1",
    "versions": [
      "1.2.1",
      "1.0.0"
    ],
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.EventHub/namespaces"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",
                "equals": "[parameters('requiredRetentionDays')]"
              }
            ]
          }
        }
      }
    },
    "parameters": {
      "requiredRetentionDays": {
        "type": "Integer",
        "defaultValue": 365,
        "allowedValues": [
          0,
          30,
          90,
          180,
          365
        ],
        "metadata": {
          "displayName": "Required retention (days)",
          "description": "The required diagnostic logs retention in days"
        }
      }
    }
  }
}

定義

名稱	Description
CloudError	原則作業的錯誤回應。
createdByType	建立資源的身分識別類型。
ErrorAdditionalInfo	資源管理錯誤其他資訊。
ErrorResponse	錯誤回應
Metadata	參數的一般元數據。
ParameterDefinitionsValue	可提供給原則的參數定義。
parameterType	參數的資料類型。
PolicyDefinition	原則定義。
policyType	原則定義的類型。可能的值為 NotSpecified、BuiltIn、Custom 和 Static。
systemData	與建立和上次修改資源相關的元數據。

CloudError

原則作業的錯誤回應。

名稱	類型	Description
error	ErrorResponse	錯誤回應所有 Azure Resource Manager API 的常見錯誤回應，以傳回失敗作業的錯誤詳細數據。 (這也會遵循 OData 錯誤回應格式。)

createdByType

建立資源的身分識別類型。

名稱	類型	Description
Application	string
Key	string
ManagedIdentity	string
User	string

ErrorAdditionalInfo

資源管理錯誤其他資訊。

名稱	類型	Description
info	object	其他資訊。
type	string	其他信息類型。

ErrorResponse

錯誤回應

名稱	類型	Description
additionalInfo	ErrorAdditionalInfo[]	錯誤其他資訊。
code	string	錯誤碼。
details	ErrorResponse[]	錯誤詳細資料。
message	string	錯誤訊息。
target	string	錯誤目標。

Metadata

參數的一般元數據。

名稱	類型	Description
assignPermissions	boolean	設定為 true，在原則指派期間，Azure 入口網站在此參數的資源標識符或資源範圍值上建立角色指派。如果您想要在指派範圍之外指派權限，此屬性會很有用。
description	string	參數的描述。
displayName	string	參數的顯示名稱。
strongType	string	透過入口網站指派原則定義時使用。提供可供使用者選擇的內容感知值清單。

ParameterDefinitionsValue

可提供給原則的參數定義。

名稱	類型	Description
allowedValues	object[]	參數允許的值。
defaultValue	object	如果未提供任何值，則為參數的預設值。
metadata	Metadata	參數的一般元數據。
schema	object	使用自我定義的 JSON 架構，在指派期間提供參數輸入的驗證。此屬性僅支援物件類型參數，並遵循 Json.NET 結構描述 2019-09 實作。您可在 https://json-schema.org/ 中深入了解如何使用結構描述，並在 https://www.jsonschemavalidator.net/ 中測試草稿結構描述。
type	parameterType	參數的資料類型。

parameterType

參數的資料類型。

名稱	類型	Description
Array	string
Boolean	string
DateTime	string
Float	string
Integer	string
Object	string
String	string