Azure Policy assignment structure

Policy assignments are used by Azure Policy to define which resources are assigned which policies or initiatives. The policy assignment can determine the values of parameters for that group of resources at assignment time, making it possible to reuse policy definitions that address the same resource properties with different compliance needs.

You use JSON to create a policy assignment. The policy assignment contains elements for:

  • display name
  • description
  • metadata
  • enforcement mode
  • policy definition
  • parameters

For example, the following JSON shows a policy assignment in DoNotEnforce mode with dynamic parameters:

{
    "properties": {
        "displayName": "Enforce resource naming rules",
        "description": "Force resource names to begin with DeptA and end with -LC",
        "metadata": {
            "assignedBy": "Cloud Center of Excellence"
        },
        "enforcementMode": "DoNotEnforce",
        "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
        "parameters": {
            "prefix": {
                "value": "DeptA"
            },
            "suffix": {
                "value": "-LC"
            }
        }
    }
}

All Azure Policy samples are at Azure Policy samples.

Display name and description

You use displayName and description to identify the policy assignment and provide context for its use with the specific set of resources. displayName has a maximum length of 128 characters and description a maximum length of 512 characters.

Enforcement mode

The enforcementMode property lets customers test the outcome of a policy on existing resources without initiating the policy effect or triggering entries in the Azure Activity log. This scenario is commonly referred to as "What If" and aligns with safe deployment practices. enforcementMode is different from the Disabled effect: that effect prevents resource evaluation from happening at all, whereas DoNotEnforce still evaluates resources and records compliance without applying the effect.

This property has the following values:

| Mode     | JSON value   | Type   | Remediate manually | Activity log entry | Description                                                        |
|----------|--------------|--------|--------------------|--------------------|--------------------------------------------------------------------|
| Enabled  | Default      | string | Yes                | Yes                | The policy effect is enforced during resource creation or update.  |
| Disabled | DoNotEnforce | string | Yes                | No                 | The policy effect isn't enforced during resource creation or update. |

If enforcementMode isn't specified in a policy assignment, the value Default is used. Remediation tasks can be started for deployIfNotExists policies even when enforcementMode is set to DoNotEnforce.

Policy definition ID

This field must be the full path name of either a policy definition or an initiative definition. policyDefinitionId is a string, not an array. If multiple policies are often assigned together, it's recommended to use an initiative instead.

Parameters

This segment of the policy assignment provides the values for the parameters defined in the policy definition or initiative definition. This design makes it possible to reuse a policy or initiative definition with different resources while checking for different business values or outcomes.

"parameters": {
    "prefix": {
        "value": "DeptA"
    },
    "suffix": {
        "value": "-LC"
    }
}

In this example, the parameters previously defined in the policy definition are prefix and suffix. This particular policy assignment sets prefix to DeptA and suffix to -LC. The same policy definition is reusable with a different set of parameters for a different department, reducing the duplication and complexity of policy definitions while providing flexibility.
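The sections above state several structural rules for an assignment document: the displayName and description length limits, the two allowed enforcementMode values (with Default assumed when the field is absent), policyDefinitionId being a single string rather than an array, and parameters being keyed objects carrying a value. The following Python validator, an added example that is not part of the Microsoft documentation or any Azure SDK, checks a policy assignment JSON document against those rules before it is submitted. The regular expression for definition IDs is an assumption made for this example (built-in definitions have no scope prefix; custom ones sit under a subscription or management group); it is an illustrative shape check, not Azure's own validation. The sample documents are constructed for the example, with the page's {mySubscriptionID} placeholder left as-is.

```python
import json
import re

MAX_DISPLAY_NAME = 128   # limit stated on the page
MAX_DESCRIPTION = 512    # limit stated on the page
ENFORCEMENT_MODES = {"Default", "DoNotEnforce"}  # the two JSON values from the table

# Assumed shape of a full-path definition ID (illustrative, not Azure's own check).
DEFINITION_ID = re.compile(
    r"^(/subscriptions/[^/]+"
    r"|/providers/Microsoft\.Management/managementGroups/[^/]+)?"
    r"/providers/Microsoft\.Authorization/"
    r"(policyDefinitions|policySetDefinitions)/[^/]+$"
)


def effective_enforcement(assignment):
    """Return the enforcement mode that applies: Default when the field is absent."""
    return assignment.get("properties", {}).get("enforcementMode", "Default")


def is_enforced(assignment):
    """True when the policy effect will be applied during resource create/update."""
    return effective_enforcement(assignment) == "Default"


def validate_assignment(assignment):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    props = assignment.get("properties")
    if not isinstance(props, dict):
        return ["properties: missing or not an object"]

    name = props.get("displayName")
    if name is not None and (not isinstance(name, str) or len(name) > MAX_DISPLAY_NAME):
        problems.append(f"displayName: must be a string of at most {MAX_DISPLAY_NAME} characters")

    desc = props.get("description")
    if desc is not None and (not isinstance(desc, str) or len(desc) > MAX_DESCRIPTION):
        problems.append(f"description: must be a string of at most {MAX_DESCRIPTION} characters")

    mode = props.get("enforcementMode")
    if mode is not None and mode not in ENFORCEMENT_MODES:
        problems.append(f"enforcementMode: {mode!r} is not one of {sorted(ENFORCEMENT_MODES)}")

    def_id = props.get("policyDefinitionId")
    if isinstance(def_id, list):
        # The page is explicit: a string, not an array; group policies in an initiative instead.
        problems.append("policyDefinitionId: must be a single string, not an array "
                        "(use an initiative to assign several policies together)")
    elif not isinstance(def_id, str) or not DEFINITION_ID.match(def_id):
        problems.append("policyDefinitionId: must be the full path of a policy or initiative definition")

    params = props.get("parameters", {})
    if not isinstance(params, dict):
        problems.append("parameters: must be an object keyed by parameter name")
    else:
        for pname, entry in params.items():
            if not isinstance(entry, dict) or "value" not in entry:
                problems.append(f"parameters.{pname}: must be an object with a 'value' key")

    metadata = props.get("metadata")
    if metadata is not None and not isinstance(metadata, dict):
        problems.append("metadata: must be an object")
    return problems


# Constructed sample: the page's DoNotEnforce assignment, placeholder left untouched.
SAMPLE_OK = json.loads("""{
  "properties": {
    "displayName": "Enforce resource naming rules",
    "description": "Force resource names to begin with DeptA and end with -LC",
    "metadata": {"assignedBy": "Cloud Center of Excellence"},
    "enforcementMode": "DoNotEnforce",
    "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
    "parameters": {"prefix": {"value": "DeptA"}, "suffix": {"value": "-LC"}}
  }
}""")

# Constructed sample that breaks four rules at once: overlong displayName, an
# enforcementMode that is really an effect name, an array of definition IDs,
# and a parameter entry without a "value" key.
SAMPLE_BAD = {
    "properties": {
        "displayName": "x" * (MAX_DISPLAY_NAME + 1),
        "enforcementMode": "Audit",
        "policyDefinitionId": [
            "/providers/Microsoft.Authorization/policyDefinitions/one",
            "/providers/Microsoft.Authorization/policyDefinitions/two",
        ],
        "parameters": {"prefix": "DeptA"},
    }
}

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, "enforced:", is_enforced(doc), "problems:", validate_assignment(doc))
```

Run as a script it reports the DoNotEnforce sample as valid but not enforced, and lists the four problems in the second sample; the same functions can be pointed at any assignment JSON pulled from source control before it is deployed.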

Next steps