Azure Policy assignment structure

Policy assignments are used by Azure Policy to define which resources are assigned which policies or initiatives. The policy assignment can determine the values of parameters for that group of resources at assignment time, making it possible to reuse policy definitions that address the same resource properties with different needs for compliance.

You use JSON to create a policy assignment. The policy assignment contains elements for:

  • display name
  • description
  • metadata
  • enforcement mode
  • excluded scopes
  • policy definition
  • non-compliance messages
  • parameters

For example, the following JSON shows a policy assignment in DoNotEnforce mode with dynamic parameters:

{
    "properties": {
        "displayName": "Enforce resource naming rules",
        "description": "Force resource names to begin with DeptA and end with -LC",
        "metadata": {
            "assignedBy": "Cloud Center of Excellence"
        },
        "enforcementMode": "DoNotEnforce",
        "notScopes": [],
        "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "nonComplianceMessages": [
            {
                "message": "Resource names must start with 'DeptA' and end with '-LC'."
            }
        ],
        "parameters": {
            "prefix": {
                "value": "DeptA"
            },
            "suffix": {
                "value": "-LC"
            }
        }
    }
}

All Azure Policy samples are at Azure Policy samples.

Display name and description

You use displayName and description to identify the policy assignment and provide context for its use with the specific set of resources. displayName has a maximum length of 128 characters and description a maximum length of 512 characters.

Metadata

The optional metadata property stores information about the policy assignment. Customers can define any properties and values useful to their organization in metadata. However, there are some common properties used by Azure Policy. Each metadata property has a limit of 1024 characters.

Common metadata properties

  • assignedBy (string): The friendly name of the security principal that created the assignment.

  • createdBy (string): The GUID of the security principal that created the assignment.

  • createdOn (string): The Universal ISO 8601 DateTime format of the assignment creation time.

  • parameterScopes (object): A collection of key-value pairs where the key matches a strongType configured parameter name and the value defines the resource scope used in Portal to provide the list of available resources by matching strongType. Portal sets this value if the scope is different than the assignment scope. If set, an edit of the policy assignment in Portal automatically sets the scope for the parameter to this value. However, the scope isn't locked to the value and it can be changed to another scope.

    The following example of parameterScopes is for a strongType parameter named backupPolicyId that sets a scope for resource selection when the assignment is edited in the Portal.

    "metadata": {
        "parameterScopes": {
            "backupPolicyId": "/subscriptions/{SubscriptionID}/resourcegroups/{ResourceGroupName}"
        }
    }

  • updatedBy (string): The friendly name of the security principal that updated the assignment, if any.

  • updatedOn (string): The Universal ISO 8601 DateTime format of the assignment update time, if any.

Enforcement Mode

The enforcementMode property provides customers the ability to test the outcome of a policy on existing resources without initiating the policy effect or triggering entries in the Azure Activity log. This scenario is commonly referred to as "What If" and aligns to safe deployment practices. enforcementMode is different from the Disabled effect, as that effect prevents resource evaluation from happening at all.

This property has the following values:

| Mode | JSON Value | Type | Remediate manually | Activity log entry | Description |
|------|------------|------|--------------------|--------------------|-------------|
| Enabled | Default | string | Yes | Yes | The policy effect is enforced during resource creation or update. |
| Disabled | DoNotEnforce | string | Yes | No | The policy effect isn't enforced during resource creation or update. |

If enforcementMode isn't specified in a policy or initiative definition, the value Default is used. Remediation tasks can be started for deployIfNotExists policies, even when enforcementMode is set to DoNotEnforce.

Excluded scopes

The scope of the assignment includes all child resource containers and child resources. If a child resource container or child resource shouldn't have the definition applied, each can be excluded from evaluation by setting notScopes. This property is an array to enable excluding one or more resource containers or resources from evaluation. notScopes can be added or updated after creation of the initial assignment.

Note

An excluded resource is different from an exempted resource. For more information, see Understand scope in Azure Policy.

Policy definition ID

This field must be the full path name of either a policy definition or an initiative definition. policyDefinitionId is a string and not an array. It's recommended that if multiple policies are often assigned together, to use an initiative instead.

Non-compliance messages

To set a custom message that describes why a resource is non-compliant with the policy or initiative definition, set nonComplianceMessages in the assignment definition. This node is an array of message entries. This custom message is in addition to the default error message for non-compliance and is optional.

Important

Custom messages for non-compliance are only supported on definitions or initiatives with Resource Manager modes definitions.

"nonComplianceMessages": [
    {
        "message": "Default message"
    }
]

If the assignment is for an initiative, different messages can be configured for each policy definition in the initiative. The messages use the policyDefinitionReferenceId value configured in the initiative definition. For details, see policy definitions properties.

"nonComplianceMessages": [
    {
        "message": "Default message"
    },
    {
        "message": "Message for just this policy definition by reference ID",
        "policyDefinitionReferenceId": "10420126870854049575"
    }
]

Parameters

This segment of the policy assignment provides the values for the parameters defined in the policy definition or initiative definition. This design makes it possible to reuse a policy or initiative definition with different resources, but check for different business values or outcomes.

"parameters": {
    "prefix": {
        "value": "DeptA"
    },
    "suffix": {
        "value": "-LC"
    }
}

In this example, the parameters previously defined in the policy definition are prefix and suffix. This particular policy assignment sets prefix to DeptA and suffix to -LC. The same policy definition is reusable with a different set of parameters for a different department, reducing the duplication and complexity of policy definitions while providing flexibility.
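Because an assignment is plain JSON that is usually kept in source control and pushed by a pipeline, it is worth checking it against the limits and shapes this page describes (display name and description lengths, the 1024-character metadata limit, the two enforcementMode values, notScopes as an array, policyDefinitionId as a single full path, nonComplianceMessages entries carrying a message, and each parameter wrapped in an object with a value key) before it reaches Azure. The following linter is an added example, not Microsoft's code or any Azure SDK API; its rules are taken from the sections above, the sample assignment is the one shown at the top of this page with a placeholder subscription ID, and the lint_assignment and SAMPLE_ASSIGNMENT names are this example's own.

```python
"""Offline lint for an Azure Policy assignment document (added example)."""
import json
import sys

# Limits and allowed values as described on this page.
DISPLAY_NAME_MAX = 128
DESCRIPTION_MAX = 512
METADATA_VALUE_MAX = 1024
ENFORCEMENT_MODES = {"Default", "DoNotEnforce"}

# Constructed sample: the assignment from the top of this page; the
# subscription ID is a placeholder, not a real identifier.
SAMPLE_ASSIGNMENT = {
    "properties": {
        "displayName": "Enforce resource naming rules",
        "description": "Force resource names to begin with DeptA and end with -LC",
        "metadata": {"assignedBy": "Cloud Center of Excellence"},
        "enforcementMode": "DoNotEnforce",
        "notScopes": [],
        "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/"
                              "Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "nonComplianceMessages": [
            {"message": "Resource names must start with 'DeptA' and end with '-LC'."}
        ],
        "parameters": {"prefix": {"value": "DeptA"}, "suffix": {"value": "-LC"}},
    }
}


def lint_assignment(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the assignment passed."""
    findings = []
    props = doc.get("properties")
    if not isinstance(props, dict):
        return ["missing 'properties' object"]

    name = props.get("displayName", "")
    if len(name) > DISPLAY_NAME_MAX:
        findings.append(f"displayName exceeds {DISPLAY_NAME_MAX} characters ({len(name)})")
    desc = props.get("description", "")
    if len(desc) > DESCRIPTION_MAX:
        findings.append(f"description exceeds {DESCRIPTION_MAX} characters ({len(desc)})")

    # Each metadata property is limited to 1024 characters; objects such as
    # parameterScopes are measured in their serialized form.
    for key, value in (props.get("metadata") or {}).items():
        text = value if isinstance(value, str) else json.dumps(value)
        if len(text) > METADATA_VALUE_MAX:
            findings.append(f"metadata.{key} exceeds {METADATA_VALUE_MAX} characters")

    # enforcementMode is optional; absent means Default.
    mode = props.get("enforcementMode", "Default")
    if mode not in ENFORCEMENT_MODES:
        findings.append(f"enforcementMode {mode!r} is not one of {sorted(ENFORCEMENT_MODES)}")

    # notScopes excludes child containers/resources and must be an array of IDs.
    not_scopes = props.get("notScopes", [])
    if not isinstance(not_scopes, list) or not all(isinstance(s, str) for s in not_scopes):
        findings.append("notScopes must be an array of resource ID strings")

    # policyDefinitionId is one full path string, never an array.
    pid = props.get("policyDefinitionId")
    if not isinstance(pid, str) or "/providers/Microsoft.Authorization/" not in pid:
        findings.append("policyDefinitionId must be a single full policy or initiative definition path")

    # nonComplianceMessages is optional; each entry needs a string message and
    # may carry a policyDefinitionReferenceId for initiative assignments.
    for i, entry in enumerate(props.get("nonComplianceMessages", [])):
        if not isinstance(entry, dict) or not isinstance(entry.get("message"), str):
            findings.append(f"nonComplianceMessages[{i}] needs a string 'message'")
        elif "policyDefinitionReferenceId" in entry and not isinstance(
                entry["policyDefinitionReferenceId"], str):
            findings.append(f"nonComplianceMessages[{i}].policyDefinitionReferenceId must be a string")

    # Every parameter is an object with a 'value' key, not a bare value.
    for pname, pval in (props.get("parameters") or {}).items():
        if not isinstance(pval, dict) or "value" not in pval:
            findings.append(f"parameters.{pname} must be an object with a 'value' key")
    return findings


if __name__ == "__main__":
    # Lint a file given on the command line, or the embedded sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENT
    problems = lint_assignment(doc)
    print("\n".join(problems) if problems else "assignment passed lint")
    sys.exit(1 if problems else 0)
```

Run it as a pipeline step with the assignment file as the argument; a non-zero exit stops the deployment. The check is deliberately strict about policyDefinitionId being a single string, since that is the mistake this page calls out when several policies are assigned together (use an initiative instead).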

Next steps