Create a policy assignment to identify non-compliant resources with Azure CLI

The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of creating a policy assignment to identify virtual machines that aren't using managed disks.

At the end of this process, you'll have identified the virtual machines that aren't using managed disks. They're non-compliant with the policy assignment.

Azure CLI is used to create and manage Azure resources from the command line or in scripts. This guide uses Azure CLI to create a policy assignment and to identify non-compliant resources in your Azure environment.

If you don't have an Azure subscription, create a trial account before you begin.

This quickstart requires Azure CLI version 2.0.4 or later if you install and use the CLI locally. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Prerequisites

Register the Policy Insights resource provider using Azure CLI. Registering the resource provider makes sure that your subscription works with it. To register a resource provider, you must have permission to perform the register resource provider operation. This operation is included in the Contributor and Owner roles. Run the following command to register the resource provider:

az provider register --namespace 'Microsoft.PolicyInsights'

For more information about registering and viewing resource providers, see Resource Providers and Types.

If you haven't already, install the ARMClient. It's a tool that sends HTTP requests to Azure Resource Manager-based APIs.

Create a policy assignment

In this quickstart, you create a policy assignment and assign the Audit VMs that do not use managed disks definition. This policy definition identifies resources that aren't compliant with the conditions set in the policy definition.

Run the following command to create a policy assignment:

az policy assignment create --name 'audit-vm-manageddisks' --display-name 'Audit VMs without managed disks Assignment' --scope '<scope>' --policy '<policy definition ID>'

The preceding command uses the following information:

  • Name - The actual name of the assignment. For this example, audit-vm-manageddisks was used.
  • DisplayName - Display name for the policy assignment. In this case, you're using Audit VMs without managed disks Assignment.
  • Policy - The ID of the policy definition that the assignment is based on. In this case, it's the ID of the policy definition Audit VMs that do not use managed disks. To get the policy definition ID, run this command: az policy definition list --query "[?displayName=='Audit VMs that do not use managed disks']"
  • Scope - A scope determines what resources or grouping of resources the policy assignment gets enforced on. It could range from a subscription to resource groups. Be sure to replace <scope> with the full scope of your resource group, in the form /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>.

Identify non-compliant resources

To view the resources that aren't compliant under this new assignment, get the policy assignment ID by running the following commands (these use the Azure PowerShell Az module rather than Azure CLI):

$policyAssignment = Get-AzPolicyAssignment | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs without managed disks Assignment' }
$policyAssignment.PolicyAssignmentId

For more information about policy assignment IDs, see Get-AzPolicyAssignment.

Next, run the following command to get the resource IDs of the non-compliant resources, redirected into a JSON file. Note that $filter and $apply are OData query parameters, not shell variables: if you run this from bash or PowerShell, escape each $ (or quote the URL so the shell doesn't expand it) so the parameters reach the API intact:

armclient post "/subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2017-12-12-preview&$filter=IsCompliant eq false and PolicyAssignmentId eq '<policyAssignmentID>'&$apply=groupby((ResourceId))" > <json file to direct the output with the resource IDs into>

Your results resemble the following example:

{
    "@odata.context": "https://management.chinacloudapi.cn/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest",
    "@odata.count": 3,
    "value": [{
            "@odata.id": null,
            "@odata.context": "https://management.chinacloudapi.cn/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
            "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachineId>"
        },
        {
            "@odata.id": null,
            "@odata.context": "https://management.chinacloudapi.cn/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
            "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachine2Id>"
        },
        {
            "@odata.id": null,
            "@odata.context": "https://management.chinacloudapi.cn/subscriptions/<subscriptionId>/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest/$entity",
            "ResourceId": "/subscriptions/<subscriptionId>/resourcegroups/<rgname>/providers/microsoft.compute/virtualmachines/<virtualmachine3Id>"
        }

    ]
}

The results are comparable to what you'd typically see listed under Non-compliant resources in the Azure portal view.
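To make the query above and its output concrete, here is an added example (not Microsoft's code and not part of the original quickstart). It reproduces the policyStates queryResults request that the armclient command sends (same scope, api-version, $filter and $apply) with the OData parameters URL-encoded, and it extracts the non-compliant resource IDs from a response shaped like the JSON shown above. The subscription, resource group, assignment and VM names, and the sample response itself, are constructed placeholders.

```python
"""Policy Insights query helpers: an added example, not Microsoft's code."""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

API_VERSION = "2017-12-12-preview"  # the api-version used by the command above


def resource_group_scope(subscription_id, resource_group):
    """Full ARM scope of a resource group, the form that --scope expects."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def policy_assignment_id(scope, assignment_name):
    """Resource ID of a policy assignment created at the given scope."""
    return f"{scope}/providers/Microsoft.Authorization/policyAssignments/{assignment_name}"


def policy_states_query_url(scope, assignment_id):
    """Relative URL of the latest policy states, restricted to non-compliant
    resources under one assignment and grouped by ResourceId.

    urlencode encodes the '$' of $filter/$apply, so nothing here depends on a
    shell leaving a literal '$' alone.
    """
    # OData string literals are single-quoted; a quote inside one is doubled.
    literal = "'" + assignment_id.replace("'", "''") + "'"
    params = {
        "api-version": API_VERSION,
        "$filter": f"IsCompliant eq false and PolicyAssignmentId eq {literal}",
        "$apply": "groupby((ResourceId))",
    }
    return (f"{scope}/providers/Microsoft.PolicyInsights/policyStates/latest/"
            f"queryResults?{urlencode(params)}")


def query_params(url):
    """Decode a URL's query string back into {name: value} (single values)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def non_compliant_resource_ids(response_json):
    """ResourceId of every entry in a policyStates response.

    Raises ValueError when @odata.count disagrees with the number of entries,
    which would mean the list is not the complete set of non-compliant resources.
    """
    doc = json.loads(response_json)
    ids = [entry["ResourceId"] for entry in doc.get("value", [])]
    count = doc.get("@odata.count")
    if count is not None and count != len(ids):
        raise ValueError(f"@odata.count is {count} but {len(ids)} entries were returned")
    return ids


# Resource IDs are case-insensitive (the API returns lower-case segments).
_VM_ID = re.compile(r"/providers/microsoft\.compute/virtualmachines/([^/]+)$", re.IGNORECASE)


def vm_names(resource_ids):
    """Short names of the virtual machines in a list of resource IDs;
    resource IDs of other types are skipped."""
    return [m.group(1) for m in map(_VM_ID.search, resource_ids) if m]


# Constructed sample mirroring the response shape shown above (placeholders only).
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://management.chinacloudapi.cn/subscriptions/sub-1/providers/Microsoft.PolicyInsights/policyStates/$metadata#latest",
    "@odata.count": 3,
    "value": [
        {"@odata.id": None,
         "ResourceId": "/subscriptions/sub-1/resourcegroups/rg-1/providers/microsoft.compute/virtualmachines/vm-web-01"},
        {"@odata.id": None,
         "ResourceId": "/subscriptions/sub-1/resourcegroups/rg-1/providers/microsoft.compute/virtualmachines/vm-web-02"},
        {"@odata.id": None,
         "ResourceId": "/subscriptions/sub-1/resourcegroups/rg-1/providers/microsoft.compute/virtualmachines/vm-db-01"},
    ],
})

if __name__ == "__main__":
    scope = resource_group_scope("sub-1", "rg-1")
    print(policy_states_query_url(scope, policy_assignment_id(scope, "audit-vm-manageddisks")))
    for name in vm_names(non_compliant_resource_ids(SAMPLE_RESPONSE)):
        print("non-compliant VM:", name)
```

The count check matters when you act on the output: a response whose @odata.count is larger than the entries returned is a paged or truncated result, and treating it as the full list would leave non-compliant machines unreported.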

Clean up resources

To remove the assignment created, use the following command:

az policy assignment delete --name 'audit-vm-manageddisks' --scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'

Next steps

In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: