Manage Azure policy using the Azure Stack Hub policy module

The Azure Stack Hub policy module enables you to configure an Azure subscription with the same versioning and service availability as Azure Stack Hub. The module uses the New-AzureRmPolicyDefinition PowerShell cmdlet to create an Azure policy, which limits the resource types and services available in a subscription. You then create a policy assignment within the appropriate scope by using the New-AzureRmPolicyAssignment cmdlet. After configuring the policy, you can use your Azure subscription to develop apps targeted for Azure Stack Hub.

Install the module

  1. Install the required version of the AzureRM PowerShell module, as described in Step 1 of Install PowerShell for Azure Stack Hub.

  2. Download the Azure Stack Hub tools from GitHub.

  3. Configure PowerShell for use with Azure Stack Hub.

  4. Import the AzureStack.Policy.psm1 module:

    Import-Module .\Policy\AzureStack.Policy.psm1
    

Apply policy to Azure subscription

You can use the following commands to apply a default Azure Stack Hub policy to your Azure subscription. Before running these commands, replace Azure subscription name with the name of your Azure subscription:

    Add-AzureRmAccount
    $s = Select-AzureRmSubscription -SubscriptionName "Azure subscription name"
    $policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
    $subscriptionID = $s.Subscription.SubscriptionId
    New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID

Apply policy to a resource group

You might want to apply policies that are more granular. For example, you might have other resources running in the same subscription. You can scope the policy application to a specific resource group, which enables you to test your apps for Azure Stack Hub using Azure resources. Before running the following commands, replace Azure subscription name with the name of your Azure subscription:

    Add-AzureRmAccount
    $rgName = 'myRG01'
    $s = Select-AzureRmSubscription -SubscriptionName "Azure subscription name"
    $policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
    $subscriptionID = $s.Subscription.SubscriptionId
    New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID/resourceGroups/$rgName
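
After either set of commands, it is worth confirming that the assignment landed at the scope you intended and is bound to the definition built from Get-AzsPolicy. The following is an added example, not part of the Azure Stack Hub tools: the function name Confirm-AzsPolicyAssignment is hypothetical, and the output property names (Properties.scope, Properties.policyDefinitionId, PolicyDefinitionId) are assumed to be those returned by the AzureRM.Resources cmdlets.

```powershell
# Added example (not from AzureStack.Policy.psm1). Assumes a signed-in AzureRM
# session and that the definition and assignment were created with the names
# used on this page. Confirm-AzsPolicyAssignment is a hypothetical helper name.
function Confirm-AzsPolicyAssignment {
    param(
        # Full scope string, e.g. /subscriptions/<id> or
        # /subscriptions/<id>/resourceGroups/myRG01
        [Parameter(Mandatory = $true)] [string] $Scope,
        [string] $AssignmentName = 'AzureStack',
        [string] $DefinitionName = 'AzureStackPolicyDefinition'
    )

    # Both lookups stop with an error if the object does not exist,
    # so a missing guardrail is never reported as "OK".
    $definition = Get-AzureRmPolicyDefinition -Name $DefinitionName -ErrorAction Stop
    $assignment = Get-AzureRmPolicyAssignment -Name $AssignmentName -Scope $Scope -ErrorAction Stop

    $actualScope = $assignment.Properties.scope
    $boundId     = $assignment.Properties.policyDefinitionId

    [pscustomobject]@{
        AssignmentName  = $AssignmentName
        ActualScope     = $actualScope
        # -eq on strings is case-insensitive in PowerShell, which matches
        # how Azure treats resource IDs.
        ScopeMatches    = ($actualScope -eq $Scope)
        # The assignment must reference this definition, not another
        # definition that happens to share the assignment name.
        DefinitionBound = ($boundId -eq $definition.PolicyDefinitionId)
        # Effect of the rule as stored in Azure; review it before relying
        # on the policy to block deployments.
        Effect          = $definition.Properties.policyRule.then.effect
    }
}

# Usage with the variables defined in the resource group commands above:
# Confirm-AzsPolicyAssignment -Scope "/subscriptions/$subscriptionID/resourceGroups/$rgName"
```

If ScopeMatches or DefinitionBound is False, the policy is not constraining the resources you think it is, and test results from that scope do not reflect Azure Stack Hub restrictions.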

Policy in action

Once you've deployed the Azure policy, you receive an error when you try to deploy a resource that is prohibited by policy:

Result of resource deployment failure because of policy constraint

Next steps