如何在 ARM 模板中设置扩展资源的范围

了解如何在 Azure 资源管理器 （ARM） 模板中将 scope 属性与扩展资源类型配合使用。 扩展资源允许你修改或向其他资源添加功能，例如分配角色或应用锁。

扩展资源是管理 Azure 资源上权限、策略和其他设置的强大方法。 有关完整列表，请参阅 扩展其他资源功能的资源类型。

该 scope 属性仅适用于扩展资源类型。 若要为不是扩展类型的资源类型指定不同的范围，请使用嵌套部署或链接部署。 有关详细信息，请参见:

• 资源组部署
• 订阅部署
• 管理组部署
• 租户部署

在部署范围内应用

若要在目标部署范围内应用扩展资源类型，请将资源添加到模板，就像使用任何资源类型一样。 可用作用域如下：

• 资源组
• 订阅
• 管理组
• 租户

以下模板部署一个锁。

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "rgLock",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Resource Group should not be deleted."
      }
    }
  ]
}

部署到资源组时，它会锁定资源组。

az deployment group create \
  --resource-group ExampleGroup \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/scope/locktargetscope.json"

 New-AzResourceGroupDeployment `
  -ResourceGroupName ExampleGroup `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/scope/locktargetscope.json"

下一个示例分配角色。

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }
    },
    "roleNameGuid": {
      "type": "string",
      "metadata": {
        "description": "The role assignment name"
      }
    }
  },
  "variables": {
    "roleDefinitionIds": {
      "Owner": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635', subscription().subscriptionId)]",
      "Contributor": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', subscription().subscriptionId)]",
      "Reader": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', subscription().subscriptionId)]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionIds')[parameters('builtInRoleType')]]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}

部署到订阅时，它会为订阅分配角色。

az deployment sub create \
  --name demoSubDeployment \
  --location chinaeast \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/scope/roletargetscope.json"

New-AzSubscriptionDeployment `
  -Name demoSubDeployment `
  -Location chinaeast `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/scope/roletargetscope.json"

应用于资源

若要将扩展资源应用于资源，请使用 scope 属性。 将 scope 属性设置为要向其添加扩展的资源的名称。 scope 属性是扩展资源类型的根属性。

下面的示例创建一个存储帐户并对其应用角色。

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }
    },
    "roleNameGuid": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": {
        "description": "A new GUID used to identify the role assignment"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location for the resources"
      }
    }
  },
  "variables": {
    "roleDefinitionIds": {
      "Owner": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635', subscription().subscriptionId)]",
      "Contributor": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c', subscription().subscriptionId)]",
      "Reader": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7', subscription().subscriptionId)]"
    },
    "storageName": "[format('storage{0}', uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2025-01-01",
      "name": "[variables('storageName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[format('Microsoft.Storage/storageAccounts/{0}', variables('storageName'))]",
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionIds')[parameters('builtInRoleType')]]",
        "principalId": "[parameters('principalId')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
      ]
    }
  ]
}

resourceGroup 和订阅属性仅可用于嵌套或链接部署。 单个资源不允许使用这些属性。 如果要部署其范围设置为其他资源组中资源的扩展资源，请使用嵌套或链接部署。

后续步骤

• 若要了解如何在模板中定义参数，请参阅 了解 ARM 模板的结构和语法。
• 有关解决常见部署错误的提示，请参阅排查使用 Azure Resource Manager 时的常见 Azure 部署错误。
• 有关部署需要 SAS 令牌的模板的信息，请参阅 使用 SAS 令牌部署专用 ARM 模板。