Quickstart: Create a policy assignment to identify non-compliant resources by using a Bicep file

The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of using a Bicep (Preview) file compiled to an Azure Resource Manager template (ARM template) to create a policy assignment that identifies virtual machines that aren't using managed disks. At the end of this process, you'll have identified the virtual machines that aren't using managed disks; they're non-compliant with the policy assignment.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.

(Image: the Deploy to Azure button for the ARM template that assigns the Azure Policy.)

Note

The Policy Definition ID parameter in the template should follow a format like this one: /providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a

Prerequisites

  • If you don't have an Azure subscription, create a trial subscription account before you begin.
  • Bicep version 0.3 or higher installed. If you don't yet have the Bicep CLI or need to update it, see Install Bicep (Preview).

Review the Bicep file

In this quickstart, you create a policy assignment and assign a built-in policy definition called Audit VMs that do not use managed disks (06a78e20-9358-41c9-923c-fb736d382a4d). For a partial list of available built-in policies, see Azure Policy samples.

Create the following Bicep file as assignment.bicep:

param policyAssignmentName string = 'audit-vm-manageddisks'
param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'

resource assignment 'Microsoft.Authorization/policyAssignments@2019-09-01' = {
    name: policyAssignmentName
    properties: {
        scope: subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)
        policyDefinitionId: policyDefinitionID
    }
}

output assignmentId string = assignment.id

The resource defined in the file is:

Deploy the template

Note

The Azure Policy service is free. For more information, see Overview of Azure Policy.

After the Bicep CLI is installed and the file is created, you can deploy the Bicep file with:

New-AzResourceGroupDeployment `
  -Name PolicyDeployment `
  -ResourceGroupName PolicyGroup `
  -TemplateFile assignment.bicep

Some additional resources:

Validate the deployment

Select Compliance on the left side of the page. Then locate the Audit VMs that do not use managed disks policy assignment you created.

(Image: screenshot of the compliance details on the Policy compliance page.)

If there are any existing resources that aren't compliant with this new assignment, they appear under Non-compliant resources.

For more information, see How compliance works.
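The same check can be made from the command line instead of the portal. The following is an added example, not part of the original quickstart; it assumes the Az.Resources and Az.PolicyInsights modules, an authenticated session (Connect-AzAccount), and the resource group and assignment names used above.

```powershell
# Added example (not the quickstart's own code): deploy assignment.bicep, trigger an
# on-demand compliance evaluation, and list the resources this assignment flags.
# Assumes Az.Resources, Az.PolicyInsights, Connect-AzAccount already run, and the
# resource group 'PolicyGroup' / assignment 'audit-vm-manageddisks' from the page.
$resourceGroup  = 'PolicyGroup'
$assignmentName = 'audit-vm-manageddisks'

# Same deployment as above, keeping the assignment ID that the template outputs.
$deployment = New-AzResourceGroupDeployment `
  -Name PolicyDeployment `
  -ResourceGroupName $resourceGroup `
  -TemplateFile assignment.bicep
$assignmentId = $deployment.Outputs['assignmentId'].Value

# Compliance is normally evaluated on a schedule; start an evaluation now so the
# new assignment has results to report. This call waits for the scan to finish.
Start-AzPolicyComplianceScan -ResourceGroupName $resourceGroup

# Query the latest compliance records, restricted to this assignment and to
# resources recorded as non-compliant (OData filter on the policy state fields).
$states = Get-AzPolicyState -ResourceGroupName $resourceGroup `
  -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'"

if (-not $states) {
  Write-Output "No non-compliant resources recorded for assignment $assignmentId."
} else {
  # One row per flagged resource: which VM, what type, when it was last evaluated.
  $states |
    Select-Object ResourceId, ResourceType, ComplianceState, Timestamp |
    Format-Table -AutoSize
}
```

An empty result right after deployment usually means the scan has not yet produced records for the new assignment; rerun the query after a few minutes.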

Clean up resources

To remove the assignment you created, follow these steps:

  1. Select Compliance (or Assignments) on the left side of the Azure Policy page and locate the Audit VMs that do not use managed disks policy assignment you created.

  2. Right-click the Audit VMs that do not use managed disks policy assignment and select Delete assignment.

    (Image: screenshot of deleting an assignment from the Compliance page by using the context menu.)

  3. Delete the assignment.bicep file.

Next steps

In this quickstart, you assigned a built-in policy definition to a scope and evaluated its compliance report. The policy definition validates that all the resources in the scope are compliant and identifies which ones aren't.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: