Quickstart: Create a management group with Go

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.

Prerequisites

  • If you don't have an Azure subscription, create a trial subscription account before you begin.

  • An Azure service principal, including the clientId and clientSecret. If you don't have a service principal for use with Azure Policy or want to create a new one, see Azure management libraries for .NET authentication. Skip the step to install the .NET Core packages as we'll do that in the next steps.

  • Any Azure AD user in the tenant can create a management group without the management group write permission assigned to that user if hierarchy protection isn't enabled. This new management group becomes a child of the Root Management Group or the default management group and the creator is given an "Owner" role assignment. Management group service allows this ability so that role assignments aren't needed at the root level. No users have access to the Root Management Group when it's created. To avoid the hurdle of finding the Azure AD Global Admins to start using management groups, we allow the creation of the initial management groups at the root level.
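
A way to check whether hierarchy protection is on, as an added example that is not part of the original quickstart: the function below reads the JSON that Azure Resource Manager returns for a tenant's hierarchy settings and reports whether any user can still create a management group and which parent such a group would get. The property names `requireAuthorizationForGroupCreation` and `defaultManagementGroup` come from the ARM hierarchy settings API rather than from this page, the sample responses are constructed, and treating a missing settings object as "protection off" is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// hierarchySettings mirrors the part of an ARM hierarchy settings list
// response used here. Field names are assumptions taken from the ARM API,
// not from this page.
type hierarchySettings struct {
	Value []struct {
		Properties struct {
			RequireAuthorizationForGroupCreation *bool  `json:"requireAuthorizationForGroupCreation"`
			DefaultManagementGroup               string `json:"defaultManagementGroup"`
		} `json:"properties"`
	} `json:"value"`
}

// GroupCreationOpen reports whether any tenant user can create a management
// group, and where such a group would be placed ("root" when no default is set).
func GroupCreationOpen(body []byte) (open bool, parent string, err error) {
	var s hierarchySettings
	if err = json.Unmarshal(body, &s); err != nil {
		return false, "", fmt.Errorf("parse hierarchy settings: %w", err)
	}
	// Assumption: no settings object means the tenant still runs with the
	// defaults, so protection is off and new groups land under the root.
	if len(s.Value) == 0 {
		return true, "root", nil
	}
	p := s.Value[0].Properties
	parent = "root"
	if p.DefaultManagementGroup != "" {
		parent = p.DefaultManagementGroup
	}
	open = p.RequireAuthorizationForGroupCreation == nil || !*p.RequireAuthorizationForGroupCreation
	return open, parent, nil
}

// Constructed sample responses, not captured from a real tenant.
const unprotected = `{"value":[{"name":"default","properties":{"requireAuthorizationForGroupCreation":false,"defaultManagementGroup":"/providers/Microsoft.Management/managementGroups/sandbox"}}]}`
const protected = `{"value":[{"name":"default","properties":{"requireAuthorizationForGroupCreation":true}}]}`

func main() {
	for _, body := range []string{unprotected, protected, `{"value":[]}`} {
		open, parent, err := GroupCreationOpen([]byte(body))
		fmt.Println(open, parent, err)
	}
}
```

When the first value returned is true, every management group created by an unprivileged user carries an Owner assignment for that user and is worth reviewing.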

Add the management group package

To enable Go to manage management groups, the package must be added. This package works wherever Go can be used, including bash on Windows 10 or locally installed.

  1. Check that the latest Go is installed (at least 1.15). If it isn't yet installed, download it at Golang.org.

  2. Check that the latest Azure CLI is installed (at least 2.5.1). If it isn't yet installed, see Install the Azure CLI.

    Note

    Azure CLI is required to enable Go to use the auth.NewAuthorizerFromCLI() method in the following example. For information about other options, see Azure SDK for Go - More authentication details.

  3. Authenticate through Azure CLI.

    az cloud set -n AzureChinaCloud
    az login
    
  4. In your Go environment of choice, install the required packages for management groups:

    # Add the management group package for Go
    go get -u github.com/Azure/azure-sdk-for-go/services/preview/resources/mgmt/2018-03-01-preview/managementgroups
    
    # Add the Azure auth package for Go
    go get -u github.com/Azure/go-autorest/autorest/azure/auth
    

Application setup

With the Go packages added to your environment of choice, it's time to set up the Go application that can create a management group.

  1. Create the Go application and save the following source as mgCreate.go:

    package main
    
    import (
       "context"
       "fmt"
       "os"
    
       mg "github.com/Azure/azure-sdk-for-go/services/preview/resources/mgmt/2018-03-01-preview/managementgroups"
       "github.com/Azure/go-autorest/autorest/azure/auth"
    )
    
    func main() {
       // Get the management group name from the command line arguments
       if len(os.Args) < 2 {
           fmt.Fprintln(os.Stderr, "usage: mgCreate <Name>")
           os.Exit(1)
       }
       mgName := os.Args[1]
    
       // Create a client and authorize it with the Azure CLI login
       mgClient := mg.NewClient()
       authorizer, err := auth.NewAuthorizerFromCLI()
       if err != nil {
           // Stop here: a client without an authorizer cannot create the group
           fmt.Fprintln(os.Stderr, err)
           os.Exit(1)
       }
       mgClient.Authorizer = authorizer
    
       // Create the request
       request := mg.CreateManagementGroupRequest{
           Name: &mgName,
       }
    
       // Send the request and print the results
       results, queryErr := mgClient.CreateOrUpdate(context.Background(), mgName, request, "no-cache")
       if queryErr != nil {
           fmt.Fprintln(os.Stderr, queryErr)
           os.Exit(1)
       }
       fmt.Println("Results:", results)
    }
    
  2. Build the Go application:

    go build mgCreate.go
    
  3. Create a management group using the compiled Go application. Replace <Name> with the name of your new management group:

    mgCreate "<Name>"
    

The result is a new management group in the root management group.

Clean up resources

If you wish to remove the installed packages from your Go environment, you can do so by using the following command:

    # Remove the installed packages from the Go environment
    go clean -i github.com/Azure/azure-sdk-for-go/services/preview/resources/mgmt/2018-03-01-preview/managementgroups
    go clean -i github.com/Azure/go-autorest/autorest/azure/auth

Next steps

In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy, continue to: