Create resources at the management group level

As your organization matures, you may need to define and assign policies or role-based access controls for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level.

Supported resources

You can deploy the following resource types at the management group level:

  • deployments - for nested templates that deploy to subscriptions or resource groups.
  • policyAssignments
  • policyDefinitions
  • policySetDefinitions
  • roleAssignments
  • roleDefinitions

Schema

The schema you use for management group deployments is different than the schema for resource group deployments.

For templates, use:

https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#

The schema for a parameter file is the same for all deployment scopes. For parameter files, use:

https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#

Deployment commands

The commands for management group deployments are different than the commands for resource group deployments.

For Azure PowerShell, use New-AzManagementGroupDeployment.

New-AzManagementGroupDeployment `
  -ManagementGroupId "myMG" `
  -Location "China North" `
  -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/management-level-deployment/azuredeploy.json

For REST API, use Deployments - Create At Management Group Scope.

Deployment location and name

For management group level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data.

You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.

For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.

Use template functions

For management group deployments, there are some important considerations when using template functions:

  • The resourceGroup() function is not supported.

  • The subscription() function is not supported.

  • The reference() and list() functions are supported.

  • The resourceId() function is supported. Use it to get the resource ID for resources that are used at management group level deployments. Don't provide a value for the resource group parameter.

    For example, to get the resource ID for a policy definition, use:

    resourceId('Microsoft.Authorization/policyDefinitions/', parameters('policyDefinition'))
    

    The returned resource ID has the following format:

    /providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
    

Create policies

Define policy

The following example shows how to define a policy at the management group level.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2018-05-01",
      "name": "locationpolicy",
      "properties": {
        "policyType": "Custom",
        "parameters": {},
        "policyRule": {
          "if": {
            "field": "location",
            "equals": "chinaeast2"
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
  ]
}

Assign policy

The following example assigns an existing policy definition to the management group. If the policy takes parameters, provide them as an object. If the policy doesn't take parameters, use the default empty object.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionID": {
      "type": "string"
    },
    "policyName": {
      "type": "string"
    },
    "policyParameters": {
      "type": "object",
      "defaultValue": {}
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2018-03-01",
      "name": "[parameters('policyName')]",
      "properties": {
        "policyDefinitionId": "[parameters('policyDefinitionID')]",
        "parameters": "[parameters('policyParameters')]"
      }
    }
  ]
}
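The schema, supported resource types and function restrictions above are easy to get wrong before a deployment is even attempted, so the following added example (not code from the original page) is a small pre-deployment lint for management group scope templates: it checks the `$schema` value, rejects resource types that are not on the supported list, flags `resourceGroup()` and `subscription()` expressions, and builds resource IDs in the `/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}` format the page documents. The full provider namespaces (`Microsoft.Resources/deployments`, `Microsoft.Authorization/...`) are filled in here, and the sample template is constructed for the example.

```python
# Taken from the page: the management group template schema and the resource
# types deployable at that scope (provider namespaces filled in here).
MG_SCHEMA = ("https://schema.management.azure.com/schemas/2019-08-01/"
             "managementGroupDeploymentTemplate.json#")
SUPPORTED_TYPES = {"Microsoft.Resources/deployments"} | {
    "Microsoft.Authorization/" + t for t in (
        "policyAssignments", "policyDefinitions", "policySetDefinitions",
        "roleAssignments", "roleDefinitions")}
# Functions the page says are not supported at management group scope.
UNSUPPORTED_FUNCS = ("resourceGroup(", "subscription(")

def _expressions(node):
    """Yield every template expression string ("[...]") found in the template."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _expressions(value)
    elif isinstance(node, list):
        for item in node:
            yield from _expressions(item)
    elif isinstance(node, str) and node.startswith("[") and node.endswith("]"):
        yield node

def mg_resource_id(resource_type, name):
    """Build a resource ID in the format the page documents for this scope."""
    return f"/providers/{resource_type.strip('/')}/{name}"

def lint_mg_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    if template.get("$schema") != MG_SCHEMA:
        findings.append("$schema is not the management group deployment schema")
    for res in template.get("resources", []):
        rtype = res.get("type", "")
        if rtype not in SUPPORTED_TYPES:
            findings.append(f"{rtype}: not deployable at management group scope")
    for expr in _expressions(template):
        for fn in UNSUPPORTED_FUNCS:
            if fn in expr:
                findings.append(f"{fn}) is not supported here: {expr}")
    return findings

# Constructed sample: the page's policy definition plus a resource-group-only
# resource with a resourceGroup() reference, so the lint has something to flag.
BAD_TEMPLATE = {
    "$schema": MG_SCHEMA, "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2018-05-01",
         "name": "locationpolicy", "properties": {"policyType": "Custom"}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01",
         "name": "stg", "location": "[resourceGroup().location]"}]}
```

Running `lint_mg_template(BAD_TEMPLATE)` reports the storage account and the `resourceGroup()` expression; the ID returned by `mg_resource_id` is the value to pass as the policyDefinitionID parameter of the assignment template above.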
