Use Azure Policy to implement governance and controls for Azure Cosmos DB resources

Azure Policy helps to enforce organizational governance standards, assess resource compliance, and implement automatic remediation. Common use cases include security, cost management, and configuration consistency.

Azure Policy provides built-in policy definitions. You can create custom policy definitions for scenarios that the built-in policy definitions do not address. See the Azure Policy documentation for more details.

Assign a built-in policy definition

A policy definition describes the resource compliance conditions and the effect to take when a condition is met. Policy assignments are created from policy definitions. You can use built-in or custom policy definitions for your Azure Cosmos DB resources. A policy assignment is scoped to an Azure management group, an Azure subscription, or a resource group, and it applies to the resources within the selected scope. Optionally, you can exclude specific resources from the scope.

You can create policy assignments with the Azure portal, Azure PowerShell, the Azure CLI, or an ARM template.

To create a policy assignment from a built-in policy definition for Azure Cosmos DB, follow the steps in the article on creating a policy assignment with the Azure portal.

At the step where you select a policy definition, enter Cosmos DB in the Search field to filter the list of available built-in policy definitions. Select one of the available built-in policy definitions, and then choose Select to continue creating the policy assignment.

Tip

You can also use the built-in policy definition names shown in the Available Definitions pane with Azure PowerShell, the Azure CLI, or ARM templates to create policy assignments.

Screenshot: Searching for Azure Cosmos DB built-in policy definitions

Create a custom policy definition

For specific scenarios that the built-in policies do not address, you can create a custom policy definition. You then create a policy assignment from your custom policy definition.

Property types and property aliases in policy rules

Use the custom policy definition steps to identify the resource properties and property aliases that are required to create policy rules.

To identify the property aliases specific to Azure Cosmos DB, use the namespace Microsoft.DocumentDB with one of the methods shown in the custom policy definition steps article.

Use the Azure CLI:

# Login first with az login when you are using local Shell
az cloud set -n AzureChinaCloud
az login

# Get Azure Policy aliases for namespace Microsoft.DocumentDB
az provider show --namespace Microsoft.DocumentDB --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"

Use Azure PowerShell:

# Login first with Connect-AzAccount -Environment AzureChinaCloud if you are using local Shell
Connect-AzAccount -Environment AzureChinaCloud

# Use Get-AzPolicyAlias to list aliases for Microsoft.DocumentDB namespace
(Get-AzPolicyAlias -NamespaceMatch 'Microsoft.DocumentDB').Aliases

These commands output the list of property alias names for Azure Cosmos DB properties. The following is an excerpt from the output:

[
  "Microsoft.DocumentDB/databaseAccounts/sku.name",
  "Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*]",
  "Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id",
  "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
  "Microsoft.DocumentDB/databaseAccounts/consistencyPolicy.defaultConsistencyLevel",
  "Microsoft.DocumentDB/databaseAccounts/enableAutomaticFailover",
  "Microsoft.DocumentDB/databaseAccounts/Locations",
  "Microsoft.DocumentDB/databaseAccounts/Locations[*]",
  "Microsoft.DocumentDB/databaseAccounts/Locations[*].locationName",
  "..."
]

You can use any of these property alias names in the rules of a custom policy definition.

The following is an example policy rule that checks whether an Azure Cosmos DB account is configured for multiple write locations. The rule has two conditions: the first restricts evaluation to resources of type Microsoft.DocumentDB/databaseAccounts, and the second checks the specific property of that type, in this case the field that stores the multiple write locations setting. Both conditions are expressed with alias names. Note that the "if" block describes the non-compliant state (notEquals true); the Audit effect then records matching accounts as non-compliant without blocking them, whereas a Deny effect would reject the create or update request instead.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DocumentDB/databaseAccounts"
      },
      {
        "field": "Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations",
        "notEquals": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

Custom policy definitions can be used to create policy assignments in the same way as the built-in policy definitions.
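As an added example (not code from the original page or from Microsoft), the following Python script dry-runs the rule above locally against a few constructed Cosmos DB account documents, using a small evaluator for the subset of Azure Policy rule syntax the page uses (allOf, field, equals, notEquals). It is meant to show the mechanics of alias resolution and of the "if matches means non-compliant" convention, not to replace Azure Policy's own evaluation. It also shows what happens when the type condition is dropped, which is the reason the page pairs the alias check with it. The resource names and property values are invented.

```python
"""Local dry-run of the page's custom policy rule (added example).

Evaluates allOf / anyOf / not / field / equals / notEquals conditions against
constructed ARM-style resource documents. Real Azure Policy supports far more
than this subset; the sample resources below are invented.
"""
import copy
import json
from typing import Any

# The page's policy rule, wrapped in the rest of a custom policy definition
# body. "Indexed" mode evaluates only resource types that support tags and
# location, which Cosmos DB accounts do.
POLICY_DEFINITION = json.loads("""
{
  "displayName": "Audit Cosmos DB accounts without multiple write locations",
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type",
          "equals": "Microsoft.DocumentDB/databaseAccounts" },
        { "field": "Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations",
          "notEquals": true }
      ]
    },
    "then": { "effect": "Audit" }
  }
}
""")

# Constructed resource documents: top-level type/name/location as in ARM
# resource JSON, provider-specific settings under "properties".
SAMPLE_RESOURCES = [
    {"name": "cosmos-prod", "type": "Microsoft.DocumentDB/databaseAccounts",
     "location": "chinaeast2",
     "properties": {"enableMultipleWriteLocations": True,
                    "isVirtualNetworkFilterEnabled": True}},
    {"name": "cosmos-dev", "type": "Microsoft.DocumentDB/databaseAccounts",
     "location": "chinanorth2",
     "properties": {"enableMultipleWriteLocations": False,
                    "isVirtualNetworkFilterEnabled": False}},
    # Not a Cosmos DB account: the rule must never flag it.
    {"name": "stg001", "type": "Microsoft.Storage/storageAccounts",
     "location": "chinaeast2",
     "properties": {"supportsHttpsTrafficOnly": True}},
]

TOP_LEVEL_FIELDS = {"type", "name", "location", "kind", "id"}


def resolve_field(resource: dict, field: str) -> Any:
    """Map a policy 'field' to a value in the resource document.

    Top-level fields come straight from the resource. An alias of the form
    '<resourceType>/<dotted.path>' only applies to resources of that type;
    for any other type it resolves to nothing, like a missing property.
    """
    if field in TOP_LEVEL_FIELDS:
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _equals(actual: Any, expected: Any) -> bool:
    # Azure Policy compares strings case-insensitively.
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def evaluate_condition(resource: dict, cond: dict) -> bool:
    """True when the condition matches, i.e. the 'if' block fires."""
    if "allOf" in cond:
        return all(evaluate_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _equals(value, cond["equals"])
    if "notEquals" in cond:
        return not _equals(value, cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def assess(policy: dict, resource: dict) -> tuple:
    """(state, effect): the 'if' block describes the NON-compliant state, so a
    match means non-compliant and the effect applies; no match is compliant."""
    rule = policy["policyRule"]
    if evaluate_condition(resource, rule["if"]):
        return ("NonCompliant", rule["then"]["effect"])
    return ("Compliant", None)


def assess_all(policy: dict, resources: list) -> dict:
    """Per-resource state keyed by name, as the compliance view lists it."""
    return {r["name"]: assess(policy, r)[0] for r in resources}


def without_type_guard(policy: dict) -> dict:
    """The same rule with the 'type' condition removed, to show why it exists."""
    stripped = copy.deepcopy(policy)
    conds = stripped["policyRule"]["if"]["allOf"]
    stripped["policyRule"]["if"]["allOf"] = [c for c in conds if c.get("field") != "type"]
    return stripped


if __name__ == "__main__":
    for name, state in assess_all(POLICY_DEFINITION, SAMPLE_RESOURCES).items():
        print(f"{name:12} {state}")
    # Without the type guard the storage account is flagged too, because the
    # Cosmos DB alias resolves to nothing there and "nothing != true" is true.
    print("without type guard:",
          assess_all(without_type_guard(POLICY_DEFINITION), SAMPLE_RESOURCES))
```

Running it lists cosmos-prod as Compliant, cosmos-dev as NonCompliant, and stg001 as Compliant; with the type condition removed, stg001 becomes NonCompliant as well, which is the false positive the first condition prevents.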

Policy compliance

After a policy assignment is created, Azure Policy evaluates the resources in the assignment's scope. Each resource's compliance with the policy is assessed, and the effect specified in the policy is applied to non-compliant resources.

You can review the compliance results and remediation details in the Azure portal, or through the Azure CLI or Azure Monitor logs.

The following screenshot shows two example policy assignments.

One assignment is based on a built-in policy definition that checks that Azure Cosmos DB resources are deployed only to the allowed Azure regions. Resource compliance shows the policy evaluation outcome (compliant or non-compliant) for the in-scope resources.

The other assignment is based on a custom policy definition. This assignment checks that Cosmos DB accounts are configured for multiple write locations.

After the policy assignments are deployed, the compliance dashboard shows the evaluation results. Note that this can take up to 30 minutes after a policy assignment is deployed. Alternatively, a policy evaluation scan can be started on demand immediately after the policy assignment is created.

The screenshot shows the following compliance evaluation results for the in-scope Azure Cosmos DB accounts:

  • Zero of two accounts are compliant with the policy that requires Virtual Network (VNet) filtering to be configured.
  • Zero of two accounts are compliant with the policy that requires the account to be configured for multiple write locations.
  • Zero of two accounts are compliant with the policy that requires resources to be deployed to the allowed Azure regions.

Screenshot: Compliance results for the listed Azure Policy assignments

To remediate the non-compliant resources, see how to remediate resources with Azure Policy.

Next steps