Management group deployments with ARM templates

As your organization matures, you can deploy an Azure Resource Manager template (ARM template) to create resources at the management group level. For example, you may need to define and assign policies or Azure role-based access control (Azure RBAC) for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level.

Supported resources

Not all resource types can be deployed to the management group level. This section lists which resource types are supported.

For Azure Blueprints, use:

  • artifacts
  • blueprints
  • blueprintAssignments
  • versions

For Azure Policy, use:

  • policyAssignments
  • policyDefinitions
  • policySetDefinitions
  • remediations

For Azure role-based access control (Azure RBAC), use:

  • roleAssignments
  • roleDefinitions

For nested templates that deploy to subscriptions or resource groups, use:

  • deployments

For managing your resources, use:

  • tags

Management groups are tenant-level resources. However, you can create management groups in a management group deployment by setting the scope of the new management group to the tenant. See Management group.

Schema

The schema you use for management group deployments is different from the schema for resource group deployments.

For templates, use:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    ...
}

The schema for a parameter file is the same for all deployment scopes. For parameter files, use:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    ...
}

Deployment commands

To deploy to a management group, use the management group deployment commands.

For Azure CLI, use az deployment mg create:

az deployment mg create \
  --name demoMGDeployment \
  --location chinanorth \
  --management-group-id myMG \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/management-level-deployment/azuredeploy.json"

For more detailed information about deployment commands and options for deploying ARM templates, see:

Deployment location and name

For management group level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data. Subscription and tenant deployments also require a location. For resource group deployments, the location of the resource group is used to store the deployment data.

You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.

For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. For example, if you create a management group deployment with the name deployment1 in chinaeast, you can't later create another deployment with the name deployment1 but a location of chinanorth. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.

Deployment scopes

When deploying to a management group, you can deploy resources to:

  • the target management group from the operation
  • another management group in the tenant
  • subscriptions in the management group
  • resource groups in the management group
  • the tenant for the resource group

An extension resource can be scoped to a target that is different from the deployment target.

The user deploying the template must have access to the specified scope.

This section shows how to specify different scopes. You can combine these different scopes in a single template.

Scope to target management group

Resources defined within the resources section of the template are applied to the management group from the deployment command.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        management-group-resources-default
    ],
    "outputs": {}
}

Scope to another management group

To target another management group, add a nested deployment and specify the scope property. Set the scope property to a value in the format Microsoft.Management/managementGroups/<mg-name>.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mgName": {
            "type": "string"
        }
    },
    "variables": {
        "mgId": "[concat('Microsoft.Management/managementGroups/', parameters('mgName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2019-10-01",
            "name": "nestedDeployment",
            "scope": "[variables('mgId')]",
            "location": "chinaeast",
            "properties": {
                "mode": "Incremental",
                "template": {
                    management-group-resources-non-default
                }
            }
        }
    ],
    "outputs": {}
}

Scope to subscription

You can also target subscriptions within a management group. The user deploying the template must have access to the specified scope.

To target a subscription within the management group, use a nested deployment and the subscriptionId property.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedSub",
      "location": "chinanorth2",
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              subscription-resources
            }
          ]
        }
      }
    }
  ]
}

Scope to resource group

You can also target resource groups within the management group. The user deploying the template must have access to the specified scope.

To target a resource group within the management group, use a nested deployment. Set the subscriptionId and resourceGroup properties. Don't set a location for the nested deployment, because it's deployed in the location of the resource group.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedRGDeploy",
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "resourceGroup": "demoResourceGroup",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              resource-group-resources
            }
          ]
        }
      }
    }
  ]
}

To use a management group deployment for creating a resource group within a subscription and deploying a storage account to that resource group, see Deploy to subscription and resource group.

Scope to tenant

You can create resources at the tenant by setting scope to /. The user deploying the template must have the required access to deploy at the tenant.

You can use a nested deployment with scope and location set.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedDeployment",
            "location": "chinaeast",
            "scope": "/",
            "properties": {
                "mode": "Incremental",
                "template": {
                    tenant-resources
                }
            }
        }
    ],
    "outputs": {}
}

Or, you can set the scope to / for some resource types, like management groups. Creating a new management group is described in the next section.
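The scope rules from the preceding sections, gathered into a small static checker. This is an added example and not Microsoft's code: it inspects the Microsoft.Resources/deployments resources of a parsed template and reports missing or conflicting scope properties, such as a location set on a resource group target. The sample template inside it is constructed.

```python
"""Static check of nested-deployment scoping in a management group template.

Added example, not Microsoft's code. It encodes the "Deployment scopes" rules
for Microsoft.Resources/deployments: which of scope, subscriptionId,
resourceGroup and location each kind of target requires or forbids.
"""
import re

MG_SCOPE = re.compile(r"^Microsoft\.Management/managementGroups/[^/]+$")
# target kind -> (properties that must be present, properties that must be absent)
RULES = {
    "resourceGroup": ({"subscriptionId", "resourceGroup"}, {"location", "scope"}),
    "subscription": ({"subscriptionId", "location"}, {"resourceGroup", "scope"}),
    "tenant": ({"scope", "location"}, {"subscriptionId", "resourceGroup"}),
    "managementGroup": ({"scope", "location"}, {"subscriptionId", "resourceGroup"}),
    "targetManagementGroup": (set(), set()),  # the MG named in the deploy command
}


def target_kind(dep: dict) -> str:
    """Classify a nested deployment by the scope properties it sets."""
    if "resourceGroup" in dep:
        return "resourceGroup"
    if "subscriptionId" in dep:
        return "subscription"
    scope = dep.get("scope")
    if scope is None:
        return "targetManagementGroup"
    return "tenant" if scope == "/" else "managementGroup"


def classify(dep: dict) -> tuple[str, list[str]]:
    """Return (target kind, list of problems) for one nested deployment."""
    kind = target_kind(dep)
    required, forbidden = RULES[kind]
    problems = [f"{k} is required for a {kind} target" for k in sorted(required - dep.keys())]
    problems += [f"{k} must not be set for a {kind} target" for k in sorted(forbidden & dep.keys())]
    scope = dep.get("scope", "")
    # Template expressions such as "[variables('mgId')]" cannot be checked statically.
    if kind == "managementGroup" and not scope.startswith("[") and not MG_SCOPE.match(scope):
        problems.append(f"unexpected scope format: {scope}")
    return kind, problems


def check_template(template: dict) -> dict[str, list[str]]:
    """Map each nested deployment name to its problems (empty list = OK)."""
    return {r["name"]: classify(r)[1] for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Resources/deployments"}


# Constructed sample: a correct tenant-scoped deployment and a resource group
# deployment that wrongly sets a location.
SAMPLE = {"resources": [
    {"type": "Microsoft.Resources/deployments", "name": "toTenant", "scope": "/",
     "location": "chinaeast", "properties": {}},
    {"type": "Microsoft.Resources/deployments", "name": "toRG", "location": "chinanorth",
     "subscriptionId": "00000000-0000-0000-0000-000000000000",
     "resourceGroup": "demoResourceGroup", "properties": {}}]}
```

Run check_template on any template parsed with json.load; a non-empty list for a deployment name is the property to fix before deploying.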

Management group

To create a management group in a management group deployment, you must set the scope to / for the management group.

The following example creates a new management group in the root management group.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mgName": {
            "type": "string",
            "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Management/managementGroups",
            "apiVersion": "2020-05-01",
            "name": "[parameters('mgName')]",
            "scope": "/",
            "location": "chinaeast",
            "properties": {}
        }
    ],
    "outputs": {
        "output": {
            "type": "string",
            "value": "[parameters('mgName')]"
        }
    }
}

The next example creates a new management group in the management group specified as the parent. Notice that the scope is set to /.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mgName": {
            "type": "string",
            "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
        },
        "parentMG": {
            "type": "string"
        }
    },
    "resources": [
        {
            "name": "[parameters('mgName')]",
            "type": "Microsoft.Management/managementGroups",
            "apiVersion": "2020-05-01",
            "scope": "/",
            "location": "chinaeast",
            "properties": {
                "details": {
                    "parent": {
                        "id": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('parentMG'))]"
                    }
                }
            }
        }
    ],
    "outputs": {
        "output": {
            "type": "string",
            "value": "[parameters('mgName')]"
        }
    }
}

Azure Policy

Custom policy definitions that are deployed to the management group are extensions of the management group. To get the ID of a custom policy definition, use the extensionResourceId() function. Built-in policy definitions are tenant level resources. To get the ID of a built-in policy definition, use the tenantResourceId() function.

The following example shows how to define a policy at the management group level, and assign it.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "targetMG": {
            "type": "string",
            "metadata": {
                "description": "Target Management Group"
            }
        },
        "allowedLocations": {
            "type": "array",
            "defaultValue": [
                "chinaeast2",
                "chinaeast",
                "chinanorth"
            ],
            "metadata": {
                "description": "An array of the allowed locations, all other locations will be denied by the created policy."
            }
        }
    },
    "variables": {
        "mgScope": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('targetMG'))]",
        "policyDefinition": "LocationRestriction"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "[variables('policyDefinition')]",
            "apiVersion": "2019-09-01",
            "properties": {
                "policyType": "Custom",
                "mode": "All",
                "parameters": {
                },
                "policyRule": {
                    "if": {
                        "not": {
                            "field": "location",
                            "in": "[parameters('allowedLocations')]"
                        }
                    },
                    "then": {
                        "effect": "deny"
                    }
                }
            }
        },
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "location-lock",
            "apiVersion": "2019-09-01",
            "dependsOn": [
                "[variables('policyDefinition')]"
            ],
            "properties": {
                "scope": "[variables('mgScope')]",
                "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', variables('policyDefinition'))]"
            }
        }
    ]
}
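An added example, not Microsoft's code, that reproduces the resource IDs the template above computes with tenantResourceId() and extensionResourceId() (the management group name myMG is an assumption) and applies the LocationRestriction rule to constructed sample resources, so the effect of the assignment can be checked before deploying.

```python
"""Resolve the IDs the template above builds and test its policy rule.

Added example, not Microsoft's code. tenant_resource_id() and
extension_resource_id() mirror the template functions tenantResourceId() and
extensionResourceId(); evaluate() applies the LocationRestriction rule.
"""
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def tenant_resource_id(resource_type: str, name: str) -> str:
    """ID of a tenant-level resource, such as a management group."""
    return f"/providers/{resource_type}/{name}"


def extension_resource_id(scope: str, resource_type: str, name: str) -> str:
    """ID of an extension resource (here the custom policy definition) under a scope."""
    return f"{scope}/providers/{resource_type}/{name}"


def resolve(value, params: dict):
    """Substitute a "[parameters('x')]" expression; any other value passes through."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def matches(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate the condition forms the template's policyRule uses: not, field + in."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    # Azure Policy string comparisons are case-insensitive.
    actual = str(resource.get(cond["field"], "")).lower()
    if "in" in cond:
        return actual in {str(v).lower() for v in resolve(cond["in"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule: dict, resource: dict, params: dict) -> str:
    """Return the rule's effect when its condition matches, otherwise 'allow'."""
    return policy_rule["then"]["effect"] if matches(policy_rule["if"], resource, params) else "allow"


# Inputs taken from the template above; the management group name myMG is constructed.
MG_SCOPE = tenant_resource_id("Microsoft.Management/managementGroups", "myMG")
POLICY_ID = extension_resource_id(MG_SCOPE, "Microsoft.Authorization/policyDefinitions", "LocationRestriction")
RULE = {"if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"}}
PARAMS = {"allowedLocations": ["chinaeast2", "chinaeast", "chinanorth"]}
```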

Deploy to subscription and resource group

From a management group level deployment, you can target a subscription within the management group. The following example creates a resource group within a subscription and deploys a storage account to that resource group.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "nestedSubId": {
            "type": "string"
        },
        "nestedRG": {
            "type": "string"
        },
        "storageAccountName": {
            "type": "string"
        },
        "nestedLocation": {
            "type": "string"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedSub",
            "location": "[parameters('nestedLocation')]",
            "subscriptionId": "[parameters('nestedSubId')]",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                    },
                    "variables": {
                    },
                    "resources": [
                        {
                            "type": "Microsoft.Resources/resourceGroups",
                            "apiVersion": "2020-06-01",
                            "name": "[parameters('nestedRG')]",
                            "location": "[parameters('nestedLocation')]"
                        }
                    ]
                }
            }
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedRG",
            "subscriptionId": "[parameters('nestedSubId')]",
            "resourceGroup": "[parameters('nestedRG')]",
            "dependsOn": [
                "nestedSub"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2019-04-01",
                            "name": "[parameters('storageAccountName')]",
                            "location": "[parameters('nestedLocation')]",
                            "kind": "StorageV2",
                            "sku": {
                                "name": "Standard_LRS"
                            }
                        }
                    ]
                }
            }
        }
    ]
}

Next steps