Create resources at the management group level

As your organization matures, you can deploy an Azure Resource Manager template (ARM template) to create resources at the management group level. For example, you may need to define and assign policies or Azure role-based access control (Azure RBAC) for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level.

Supported resources

Not all resource types can be deployed to the management group level. This section lists which resource types are supported.

For Azure Blueprints, use:

  • artifacts
  • blueprints
  • blueprintAssignments
  • versions

For Azure Policy, use:

  • policyAssignments
  • policyDefinitions
  • policySetDefinitions
  • remediations

For role-based access control, use:

  • roleAssignments
  • roleDefinitions

For nested templates that deploy to subscriptions or resource groups, use:

  • deployments

For managing your resources:

  • tags

Schema

The schema you use for management group deployments is different from the schema for resource group deployments.

For templates, use:

https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#

The schema for a parameter file is the same for all deployment scopes. For parameter files, use:

https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#

Deployment commands

The commands for management group deployments are different from the commands for resource group deployments.

For Azure CLI, use az deployment mg create:

az deployment mg create \
  --name demoMGDeployment \
  --location ChinaNorth \
  --management-group-id myMG \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/management-level-deployment/azuredeploy.json"

For Azure PowerShell, use New-AzManagementGroupDeployment:

New-AzManagementGroupDeployment `
  -Name demoMGDeployment `
  -Location "China North" `
  -ManagementGroupId "myMG" `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/management-level-deployment/azuredeploy.json"

For the REST API, use Deployments - Create At Management Group Scope.

Deployment location and name

For management group level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where the deployment data is stored.

You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.

For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. If you get the error code InvalidDeploymentLocation, either use a different name or use the same location as the previous deployment with that name.

Deployment scopes

When deploying to a management group, you can target the management group specified in the deployment command or other management groups in the tenant. You can also target subscriptions or resource groups within a management group. The identity deploying the template must have access to every scope the template targets, not only the management group named in the deployment command.

Resources defined within the resources section of the template are applied to the management group specified in the deployment command.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        management-group-level-resources
    ],
    "outputs": {}
}

To target another management group, add a nested deployment and specify the scope property.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mgName": {
            "type": "string"
        }
    },
    "variables": {
        "mgId": "[concat('Microsoft.Management/managementGroups/', parameters('mgName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2019-10-01",
            "name": "nestedDeployment",
            "scope": "[variables('mgId')]",
            "location": "chinaeast",
            "properties": {
                "mode": "Incremental",
                "template": {
                    nested-template-with-resources-in-different-mg
                }
            }
        }
    ],
    "outputs": {}
}

To target a subscription within the management group, use a nested deployment and the subscriptionId property. To target a resource group within that subscription, add another nested deployment and the resourceGroup property.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedSub",
      "location": "chinanorth2",
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Resources/deployments",
              "apiVersion": "2020-06-01",
              "name": "nestedRG",
              "resourceGroup": "rg2",
              "properties": {
                "mode": "Incremental",
                "template": {
                  nested-template-with-resources-in-resource-group
                }
              }
            }
          ]
        }
      }
    }
  ]
}

To use a management group deployment to create a resource group within a subscription and deploy a storage account to that resource group, see Deploy to subscription and resource group.

Use template functions

For management group deployments, there are some important considerations when using template functions:

  • The resourceGroup() function is not supported.

  • The subscription() function is not supported.

  • The reference() and list() functions are supported.

  • Don't use the resourceId() function for resources deployed to the management group.

    Instead, use the extensionResourceId() function for resources that are implemented as extensions of the management group. Custom policy definitions that are deployed to the management group are extensions of the management group.

    To get the resource ID for a custom policy definition at the management group level, use:

    "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', parameters('policyDefinitionID'))]"

    Use the tenantResourceId() function for tenant resources that are available within the management group. Built-in policy definitions are tenant level resources.

    To get the resource ID for a built-in policy definition, use:

    "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', parameters('policyDefinitionID'))]"
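To make the difference between these ID shapes concrete, here is an added Python example; it is not code from this page or from Azure. It builds the IDs that tenantResourceId() and extensionResourceId() yield for a management group, a custom policy definition under it and a built-in definition, and then scans a parsed template for the functions the list above says are unsupported or wrong at management group scope. The management group id myMG, the definition name LocationRestriction and the all-zero GUID are placeholders.

```python
"""Added example, not code from the Azure docs page: build the resource IDs
that tenantResourceId() and extensionResourceId() produce, and lint a parsed
template for functions that are unsupported at management group scope."""
import re

MG_TYPE = "Microsoft.Management/managementGroups"
POLICY_DEF_TYPE = "Microsoft.Authorization/policyDefinitions"


def _join(prefix, resource_type, names):
    # ARM types look like 'Namespace/type1/type2'; one name per type segment.
    namespace, *segments = resource_type.split("/")
    if len(segments) != len(names):
        raise ValueError(f"{resource_type} expects {len(segments)} name(s), got {len(names)}")
    parts = [prefix, namespace]
    for segment, name in zip(segments, names):
        parts += [segment, name]
    return "/".join(parts)


def tenant_resource_id(resource_type, *names):
    """tenantResourceId(): tenant-level resources (built-in policy definitions,
    management groups) live directly under /providers."""
    return _join("/providers", resource_type, names)


def extension_resource_id(base_id, resource_type, *names):
    """extensionResourceId(): an extension resource such as a custom policy
    definition sits under the /providers segment of the scope it extends."""
    return _join(base_id.rstrip("/") + "/providers", resource_type, names)


# Functions the page lists as unsupported or wrong at management group scope.
# The negative look-behind keeps extensionResourceId()/tenantResourceId() from matching.
UNSUPPORTED_AT_MG = [
    (re.compile(r"(?<![A-Za-z])resourceGroup\s*\(", re.I), "resourceGroup() is not supported at MG scope"),
    (re.compile(r"(?<![A-Za-z])subscription\s*\(", re.I), "subscription() is not supported at MG scope"),
    (re.compile(r"(?<![A-Za-z])resourceId\s*\(", re.I), "use extensionResourceId()/tenantResourceId(), not resourceId()"),
]


def find_unsupported_functions(template):
    """Walk every string in a parsed template; return (json_path, message) for
    each ARM expression '[...]' that calls a flagged function."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and node.startswith("[") and not node.startswith("[[") and node.endswith("]"):
            for pattern, message in UNSUPPORTED_AT_MG:
                if pattern.search(node):
                    findings.append((path, message))

    walk(template, "$")
    return findings


# Constructed template fragments with placeholder names ('myMG', 'LocationRestriction').
MG_SCOPE = tenant_resource_id(MG_TYPE, "myMG")
GOOD_ASSIGNMENT = {
    "type": "Microsoft.Authorization/policyAssignments",
    "name": "location-lock",
    "properties": {
        "scope": MG_SCOPE,
        "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', 'LocationRestriction')]",
    },
}
BAD_ASSIGNMENT = {
    "type": "Microsoft.Authorization/policyAssignments",
    "name": "location-lock",
    "properties": {
        "scope": "[subscription().id]",
        "policyDefinitionId": "[resourceId('Microsoft.Authorization/policyDefinitions', 'LocationRestriction')]",
    },
}

if __name__ == "__main__":
    print("MG scope:           ", MG_SCOPE)
    print("custom definition:  ", extension_resource_id(MG_SCOPE, POLICY_DEF_TYPE, "LocationRestriction"))
    # The all-zero GUID stands in for a real built-in policy definition id.
    print("built-in definition:", tenant_resource_id(POLICY_DEF_TYPE, "00000000-0000-0000-0000-000000000000"))
    for path, message in find_unsupported_functions({"resources": [BAD_ASSIGNMENT]}):
        print(f"{path}: {message}")
```

Running the linter before az deployment mg create catches the resourceId() and subscription() mistakes locally; the service would otherwise reject them only after the deployment is submitted, and a bad policyDefinitionId on an assignment at management group scope is an easy way to deploy an assignment that points at nothing.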
    

Azure Policy

The following example shows how to define a policy at the management group level, and assign it.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "targetMG": {
            "type": "string",
            "metadata": {
                "description": "Target Management Group"
            }
        },
        "allowedLocations": {
            "type": "array",
            "defaultValue": [
                "chinaeast2",
                "chinaeast",
                "chinanorth"
            ],
            "metadata": {
                "description": "An array of the allowed locations, all other locations will be denied by the created policy."
            }
        }
    },
    "variables": {
        "mgScope": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('targetMG'))]",
        "policyDefinition": "LocationRestriction"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "[variables('policyDefinition')]",
            "apiVersion": "2019-09-01",
            "properties": {
                "policyType": "Custom",
                "mode": "All",
                "parameters": {
                },
                "policyRule": {
                    "if": {
                        "not": {
                            "field": "location",
                            "in": "[parameters('allowedLocations')]"
                        }
                    },
                    "then": {
                        "effect": "deny"
                    }
                }
            }
        },
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "location-lock",
            "apiVersion": "2019-09-01",
            "dependsOn": [
                "[variables('policyDefinition')]"
            ],
            "properties": {
                "scope": "[variables('mgScope')]",
                "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', variables('policyDefinition'))]"
            }
        }
    ]
}
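A deny policy assigned at management group scope blocks deployments in every subscription beneath it, so the allowed list is worth exercising before the assignment goes live. The Python example below is added here and is not part of the page or of Azure Policy itself: it re-implements just enough of policy-rule evaluation (field with in or equals, not, allOf, anyOf) to run the LocationRestriction rule above against constructed resources, and shows how a single misspelt region such as chineeast would deny everything deployed to chinaeast. The location normalisation (case-insensitive, spaces removed) approximates the service's handling of the location field; the resource names are placeholders.

```python
"""Added example, not code from the Azure docs page or Azure Policy: a minimal
evaluator for the LocationRestriction rule above, run against constructed
resources so the allow-list can be tested before a deny policy is assigned."""

# Policy rule and default parameter value as they appear in the template above.
POLICY_RULE = {
    "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
    "then": {"effect": "deny"},
}
ALLOWED_LOCATIONS = ["chinaeast2", "chinaeast", "chinanorth"]
# The same list with one region misspelt, to show what a typo does in a deny policy.
MISSPELT_LOCATIONS = ["chinaeast2", "chineeast", "chinanorth"]


def normalize_location(value):
    """Approximates the service: location is compared case-insensitively with spaces removed."""
    return str(value).replace(" ", "").lower()


def resolve(value, params):
    """Substitute a "[parameters('x')]" expression; other values pass through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def evaluate_condition(cond, resource, params):
    """Evaluate the condition forms used here: not / allOf / anyOf / field with in or equals."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    field = cond["field"]
    actual = resource.get(field)
    if field == "location":
        actual = normalize_location(actual)
    if "in" in cond:
        candidates = resolve(cond["in"], params)
        if field == "location":
            candidates = [normalize_location(c) for c in candidates]
        return actual in candidates
    if "equals" in cond:
        expected = resolve(cond["equals"], params)
        return actual == (normalize_location(expected) if field == "location" else expected)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource, params):
    """The rule's effect ('deny') when the if-condition matches, otherwise 'allow'."""
    if evaluate_condition(policy_rule["if"], resource, params):
        return policy_rule["then"]["effect"]
    return "allow"


# Constructed sample resources; names and locations are placeholders.
SAMPLE_RESOURCES = [
    {"name": "stchinaeast", "type": "Microsoft.Storage/storageAccounts", "location": "chinaeast"},
    {"name": "vm-north", "type": "Microsoft.Compute/virtualMachines", "location": "China North"},
    {"name": "st-eastus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
]


def decisions(allowed_locations):
    """Map each sample resource name to the effect the policy would apply."""
    params = {"allowedLocations": allowed_locations}
    return {r["name"]: evaluate(POLICY_RULE, r, params) for r in SAMPLE_RESOURCES}


if __name__ == "__main__":
    print("corrected list:", decisions(ALLOWED_LOCATIONS))
    print("misspelt list: ", decisions(MISSPELT_LOCATIONS))
```

With the corrected list only the eastus resource is denied; with the misspelt list the chinaeast storage account is denied as well, which is exactly the outage a typo in a management-group-wide deny policy produces.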

Deploy to subscription and resource group

From a management group level deployment, you can target a subscription within the management group. The following example creates a resource group within a subscription and deploys a storage account to that resource group.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nestedsubId": {
      "type": "string"
    },
    "nestedRG": {
      "type": "string"
    },
    "storageAccountName": {
      "type": "string"
    },
    "nestedLocation": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedSub",
      "location": "[parameters('nestedLocation')]",
      "subscriptionId": "[parameters('nestedSubId')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
          },
          "variables": {
          },
          "resources": [
            {
              "type": "Microsoft.Resources/resourceGroups",
              "apiVersion": "2020-06-01",
              "name": "[parameters('nestedRG')]",
              "location": "[parameters('nestedLocation')]"
            },
            {
              "type": "Microsoft.Resources/deployments",
              "apiVersion": "2020-06-01",
              "name": "nestedSubRG",
              "resourceGroup": "[parameters('nestedRG')]",
              "dependsOn": [
                "[parameters('nestedRG')]"
              ],
              "properties": {
                "mode": "Incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "resources": [
                    {
                      "type": "Microsoft.Storage/storageAccounts",
                      "apiVersion": "2019-04-01",
                      "name": "[parameters('storageAccountName')]",
                      "location": "[parameters('nestedLocation')]",
                      "kind": "StorageV2",
                      "sku": {
                        "name": "Standard_LRS"
                      }
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
  ]
}

Next steps