Quickstart: Create a policy assignment to identify non-compliant resources by using an ARM template

The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of using an Azure Resource Manager template (ARM template) to create a policy assignment that identifies virtual machines that aren't using managed disks. At the end of this process, you'll have identified the virtual machines that aren't using managed disks. They're non-compliant with the policy assignment.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Deploy to Azure button (deploys the ARM template that assigns the Azure policy)

Prerequisites

If you don't have an Azure subscription, create a trial account before you begin.

Review the template

In this quickstart, you create a policy assignment and assign a built-in policy definition called Audit VMs that do not use managed disks. For a partial list of available built-in policies, see Azure Policy samples.

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the policy assignment."
      }
    },
    "rgName":{
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": {
        "description": "Specifies the name of the resource group where you want to assign the policy."
      }
    },
    "policyDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the ID of the policy definition or policy set definition being assigned."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "[parameters('policyAssignmentName')]",
      "apiVersion": "2018-05-01",
      "properties": {
        "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'))]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]"
      }
    }
  ]
}

The resource defined in the template is:

  Microsoft.Authorization/policyAssignments

Deploy the template

Note

The Azure Policy service is free. For more information, see Overview of Azure Policy.

  1. Select the following image to sign in to the Azure portal and open the template:

    Deploy to Azure button (deploys the ARM template that assigns the Azure policy)

  2. Select or enter the following values:

    Name                      Value
    Subscription              Select your Azure subscription.
    Resource group            Select Create new, specify a name, and then select OK. In the screenshot, the resource group name is mypolicyquickstart<Date in MMDD>rg.
    Location                  Select a region. For example, China North.
    Policy Assignment Name    Specify a policy assignment name. You can use the policy definition display name if you want. For example, Audit VMs that do not use managed disks.
    Rg Name                   Specify the name of the resource group to which you want to assign the policy. In this quickstart, use the default value [resourceGroup().name]. resourceGroup() is a template function that retrieves the resource group.
    Policy Definition ID      Specify /providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a.
    I agree to the terms and conditions stated above    (Select)
  3. Select Purchase.

Some additional resources:

Validate the deployment

Select Compliance on the left side of the page. Then locate the Audit VMs that do not use managed disks policy assignment you created.

Policy compliance overview page

If there are any existing resources that aren't compliant with this new assignment, they appear under Non-compliant resources.

For more information, see How compliance works.
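The deployment and validation steps above are done in the portal. As an added example that is not part of the quickstart, the following script does the same with the Azure CLI: it writes a parameters file for the template's two required parameters, deploys the template at resource-group scope, and then lists the resources the assignment reports as non-compliant. It assumes the template above is saved as azuredeploy.json and that you have already run az login; the resource group and assignment names are constructed values.

```shell
#!/bin/sh
# Added example (not from the quickstart): deploy the page's template with the
# Azure CLI instead of the portal, then list the resources it flags.
# Assumes azuredeploy.json holds the template shown above and `az login` was run.
set -eu

RG="${RG:-mypolicyquickstart-rg}"                               # constructed value
ASSIGNMENT_NAME="${ASSIGNMENT_NAME:-audit-vms-managed-disks}"   # constructed value
# Built-in definition used by the quickstart: Audit VMs that do not use managed disks.
POLICY_DEF_ID="/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"

# Write an ARM parameters file for the template's required parameters.
# rgName is left out so it keeps its default of [resourceGroup().name].
write_params() {
  out="$1"
  cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentName": { "value": "$ASSIGNMENT_NAME" },
    "policyDefinitionID":   { "value": "$POLICY_DEF_ID" }
  }
}
EOF
  echo "$out"
}

# Deploy at resource-group scope; the template's scope expression
# concat(subscription().id, '/resourceGroups/', rgName) then resolves to $RG.
deploy() {
  az deployment group create --resource-group "$RG" \
    --template-file azuredeploy.json --parameters "@$1" --output none
}

# Start an on-demand evaluation, then print the IDs of non-compliant resources
# for this assignment (the same list the portal shows under Non-compliant resources).
list_noncompliant() {
  az policy state trigger-scan --resource-group "$RG" --output none
  az policy state list --resource-group "$RG" --policy-assignment "$ASSIGNMENT_NAME" \
    --filter "ComplianceState eq 'NonCompliant'" --query "[].resourceId" --output tsv
}

PARAMS="$(write_params ./policy-assignment.parameters.json)"
if command -v az >/dev/null 2>&1; then
  deploy "$PARAMS"
  list_noncompliant
else
  echo "az CLI not found; parameters file written to $PARAMS" >&2
fi
```

Evaluation runs on a schedule, so the scan trigger is what makes the listing reflect the new assignment immediately instead of waiting for the next cycle.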

Clean up resources

To remove the assignment you created, follow these steps:

  1. Select Compliance (or Assignments) on the left side of the Azure Policy page and locate the Audit VMs that do not use managed disks policy assignment you created.

  2. Right-click the Audit VMs that do not use managed disks policy assignment and select Delete assignment.

    Delete the assignment from the compliance overview page

Next steps

In this quickstart, you assigned a built-in policy definition to a scope and evaluated its compliance report. The policy definition validates that all the resources in the scope are compliant and identifies which ones aren't.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: