Management group deployments with ARM templates
As your organization matures, you can deploy an Azure Resource Manager template (ARM template) to create resources at the management group level. For example, you may need to define and assign policies or Azure role-based access control (Azure RBAC) for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level.
Supported resources
Not all resource types can be deployed to the management group level. This section lists which resource types are supported.
For Azure Blueprints, use:
- artifacts
- blueprints
- blueprintAssignments
- versions
For Azure Policies, use:
- policyAssignments
- policyDefinitions
- policySetDefinitions
- remediations
For Azure role-based access control (Azure RBAC), use:
- roleAssignments
- roleDefinitions
For nested templates that deploy to subscriptions or resource groups, use:
- deployments
For managing your resources, use:
- tags
Management groups are tenant-level resources. However, you can create management groups in a management group deployment by setting the scope of the new management group to the tenant. See Management group.
Schema
The schema you use for management group deployments is different than the schema for resource group deployments.
For templates, use:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  ...
}
The schema for a parameter file is the same for all deployment scopes. For parameter files, use:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  ...
}
Deployment commands
To deploy to a management group, use the management group deployment commands.
For Azure CLI, use az deployment mg create:
az deployment mg create \
  --name demoMGDeployment \
  --location chinanorth \
  --management-group-id myMG \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/management-level-deployment/azuredeploy.json"
For more detailed information about deployment commands and options for deploying ARM templates, see:
- Deploy resources with ARM templates and Azure portal
- Deploy resources with ARM templates and Azure CLI
- Deploy resources with ARM templates and Azure PowerShell
- Use a deployment button to deploy templates from GitHub repository
Deployment location and name
For management group level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data. Subscription and tenant deployments also require a location. For resource group deployments, the location of the resource group is used to store the deployment data.
You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.
For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. For example, if you create a management group deployment with the name deployment1 in chinaeast, you can't later create another deployment with the name deployment1 but a location of chinanorth. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.
Deployment scopes
When deploying to a management group, you can deploy resources to:
- the target management group from the operation
- another management group in the tenant
- subscriptions in the management group
- resource groups in the management group
- the tenant for the resource group
An extension resource can be scoped to a target that is different than the deployment target.
The user deploying the template must have access to the specified scope.
This section shows how to specify different scopes. You can combine these different scopes in a single template.
Scope to target management group
Resources defined within the resources section of the template are applied to the management group from the deployment command.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    management-group-resources-default
  ],
  "outputs": {}
}
Scope to another management group
To target another management group, add a nested deployment and specify the scope property. Set the scope property to a value in the format Microsoft.Management/managementGroups/<mg-name>.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mgName": {
      "type": "string"
    }
  },
  "variables": {
    "mgId": "[concat('Microsoft.Management/managementGroups/', parameters('mgName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "nestedDeployment",
      "scope": "[variables('mgId')]",
      "location": "chinaeast",
      "properties": {
        "mode": "Incremental",
        "template": {
          management-group-resources-non-default
        }
      }
    }
  ],
  "outputs": {}
}
Scope to subscription
You can also target subscriptions within a management group. The user deploying the template must have access to the specified scope.
To target a subscription within the management group, use a nested deployment and the subscriptionId property.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedSub",
      "location": "chinanorth2",
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              subscription-resources
            }
          ]
        }
      }
    }
  ]
}
Scope to resource group
You can also target resource groups within the management group. The user deploying the template must have access to the specified scope.
To target a resource group within the management group, use a nested deployment. Set the subscriptionId and resourceGroup properties. Don't set a location for the nested deployment because it's deployed in the location of the resource group.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedRGDeploy",
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "resourceGroup": "demoResourceGroup",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              resource-group-resources
            }
          ]
        }
      }
    }
  ]
}
To use a management group deployment for creating a resource group within a subscription and deploying a storage account to that resource group, see Deploy to subscription and resource group.
Scope to tenant
You can create resources at the tenant by setting the scope to /. The user deploying the template must have the required access to deploy at the tenant.
You can use a nested deployment with scope and location set.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedDeployment",
      "location": "chinaeast",
      "scope": "/",
      "properties": {
        "mode": "Incremental",
        "template": {
          tenant-resources
        }
      }
    }
  ],
  "outputs": {}
}
Or, you can set the scope to / for some resource types, like management groups. Creating a new management group is described in the next section.
Management group
To create a management group in a management group deployment, you must set the scope to / for the management group.
The following example creates a new management group in the root management group.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mgName": {
      "type": "string",
      "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      "name": "[parameters('mgName')]",
      "scope": "/",
      "location": "chinaeast",
      "properties": {}
    }
  ],
  "outputs": {
    "output": {
      "type": "string",
      "value": "[parameters('mgName')]"
    }
  }
}
The next example creates a new management group in the management group specified as the parent. Notice that the scope is set to /.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mgName": {
      "type": "string",
      "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
    },
    "parentMG": {
      "type": "string"
    }
  },
  "resources": [
    {
      "name": "[parameters('mgName')]",
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      "scope": "/",
      "location": "chinaeast",
      "properties": {
        "details": {
          "parent": {
            "id": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('parentMG'))]"
          }
        }
      }
    }
  ],
  "outputs": {
    "output": {
      "type": "string",
      "value": "[parameters('mgName')]"
    }
  }
}
Azure Policy
Custom policy definitions that are deployed to the management group are extensions of the management group. To get the ID of a custom policy definition, use the extensionResourceId() function. Built-in policy definitions are tenant level resources. To get the ID of a built-in policy definition, use the tenantResourceId() function.
The following example shows how to define a policy at the management group level, and assign it.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "targetMG": {
      "type": "string",
      "metadata": {
        "description": "Target Management Group"
      }
    },
    "allowedLocations": {
      "type": "array",
      "defaultValue": [
        "chinaeast2",
        "chinaeast",
        "chinanorth"
      ],
      "metadata": {
        "description": "An array of the allowed locations, all other locations will be denied by the created policy."
      }
    }
  },
  "variables": {
    "mgScope": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('targetMG'))]",
    "policyDefinition": "LocationRestriction"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('policyDefinition')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "policyType": "Custom",
        "mode": "All",
        "parameters": {
        },
        "policyRule": {
          "if": {
            "not": {
              "field": "location",
              "in": "[parameters('allowedLocations')]"
            }
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "location-lock",
      "apiVersion": "2019-09-01",
      "dependsOn": [
        "[variables('policyDefinition')]"
      ],
      "properties": {
        "scope": "[variables('mgScope')]",
        "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', variables('policyDefinition'))]"
      }
    }
  ]
}
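To check what the template above actually produces before assigning it at a management group, it helps to reconstruct the IDs that tenantResourceId() and extensionResourceId() build and to dry-run the policyRule against sample resources. The code below is an added example, not part of the page or of Azure Policy; it reimplements only the ID formats and the condition forms the template uses (not, field/in), plus allOf, anyOf and field/equals for slightly broader rules, with no aliases or case folding.

```python
import json

# The page's policyRule with the template's default allowedLocations (constructed copy).
ALLOWED_LOCATIONS = ["chinaeast2", "chinaeast", "chinanorth"]
POLICY_RULE = {"if": {"not": {"field": "location", "in": ALLOWED_LOCATIONS}},
               "then": {"effect": "deny"}}

def tenant_resource_id(resource_type, name):
    """ARM tenantResourceId(): a tenant-level ID with no subscription or resource group segment."""
    return "/providers/%s/%s" % (resource_type, name)

def extension_resource_id(scope, resource_type, name):
    """ARM extensionResourceId(): an extension resource nested under the scope it extends."""
    return "%s/providers/%s/%s" % (scope.rstrip("/"), resource_type, name)

def policy_definition_id(target_mg, definition_name):
    """Rebuild the policyDefinitionId the page's assignment computes for a custom definition."""
    mg_scope = tenant_resource_id("Microsoft.Management/managementGroups", target_mg)
    return extension_resource_id(mg_scope, "Microsoft.Authorization/policyDefinitions", definition_name)

def evaluate_condition(cond, resource):
    """Simplified evaluator for: not, allOf, anyOf, field/in, field/equals (no aliases, case-sensitive)."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    value = resource.get(cond.get("field"))
    if "in" in cond:
        return value in cond["in"]
    if "equals" in cond:
        return value == cond["equals"]
    raise ValueError("unsupported condition: " + json.dumps(cond))

def policy_effect(rule, resource):
    """Effect the rule applies to a resource, or None when its if-block does not match."""
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else None
```

The resource passed to policy_effect is a plain dict of top-level fields such as type and location, which is all this rule inspects.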
Deploy to subscription and resource group
From a management group level deployment, you can target a subscription within the management group. The following example creates a resource group within a subscription and deploys a storage account to that resource group.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nestedsubId": {
      "type": "string"
    },
    "nestedRG": {
      "type": "string"
    },
    "storageAccountName": {
      "type": "string"
    },
    "nestedLocation": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedSub",
      "location": "[parameters('nestedLocation')]",
      "subscriptionId": "[parameters('nestedSubId')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
          },
          "variables": {
          },
          "resources": [
            {
              "type": "Microsoft.Resources/resourceGroups",
              "apiVersion": "2020-06-01",
              "name": "[parameters('nestedRG')]",
              "location": "[parameters('nestedLocation')]"
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "nestedRG",
      "subscriptionId": "[parameters('nestedSubId')]",
      "resourceGroup": "[parameters('nestedRG')]",
      "dependsOn": [
        "nestedSub"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2019-04-01",
              "name": "[parameters('storageAccountName')]",
              "location": "[parameters('nestedLocation')]",
              "kind": "StorageV2",
              "sku": {
                "name": "Standard_LRS"
              }
            }
          ]
        }
      }
    }
  ]
}
Next steps
- To learn about assigning roles, see Add Azure role assignments using Azure Resource Manager templates.
- For an example of deploying workspace settings for Azure Security Center, see deployASCwithWorkspaceSettings.json.
- You can also deploy templates at subscription level and tenant level.