Understand Azure Policy effects

Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.

These effects are currently supported in a policy definition:

Order of evaluation

Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Azure Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Azure Policy processes several of the effects before handing the request to the appropriate Resource Provider. Doing so prevents unnecessary processing by a Resource Provider when a resource doesn't meet the designed governance controls of Azure Policy.

  • Disabled is checked first to determine if the policy rule should be evaluated.
  • Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering.
  • Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented.
  • Audit is then evaluated, before the request goes to the Resource Provider.

After the Resource Provider returns a success code, AuditIfNotExists and DeployIfNotExists evaluate to determine if additional compliance logging or action is required.

There currently isn't any order of evaluation for the EnforceOPAConstraint or EnforceRegoPolicy effects.

Disabled

This effect is useful for testing situations or for when the policy definition has parameterized the effect. This flexibility makes it possible to disable a single assignment instead of disabling all of that policy's assignments.

An alternative to the Disabled effect is enforcementMode, which is set on the policy assignment. When enforcementMode is Disabled, resources are still evaluated. Logging, such as Activity logs, and the policy effect don't occur. For more information, see policy assignment - enforcement mode.

Append

Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.

Important

Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead.

Append evaluation

Append evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the if condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request. To append a new value to an existing array, use the [*] version of the alias.

When a policy definition using the append effect is run as part of an evaluation cycle, it doesn't make changes to resources that already exist. Instead, it marks any resource that meets the if condition as non-compliant.

Append properties

An append effect only has a details array, which is required. As details is an array, it can take either a single field/value pair or multiples. Refer to definition structure for the list of acceptable fields.

Append examples

Example 1: Single field/value pair using a non-[*] alias with an array value to set IP rules on a storage account. When the non-[*] alias is an array, the effect appends the value as the entire array. If the array already exists, a deny event occurs from the conflict.

"then": {
    "effect": "append",
    "details": [{
        "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
        "value": [{
            "action": "Allow",
            "value": "134.5.0.0/21"
        }]
    }]
}

Example 2: Single field/value pair using an [*] alias with an array value to set IP rules on a storage account. By using the [*] alias, the effect appends the value to a potentially pre-existing array. If the array doesn't exist yet, it will be created.

"then": {
    "effect": "append",
    "details": [{
        "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
        "value": {
            "value": "40.40.40.40",
            "action": "Allow"
        }
    }]
}
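The two examples above differ only in the alias suffix, but the outcome for a request that already carries ipRules is very different: the non-[*] form conflicts and the request is rejected, the [*] form extends the array. The following Python model is an added example, not Azure Policy's own code; it applies the page's two details arrays to constructed request bodies. The mapping of an alias to properties.<path> inside the request body is an assumption made for this model, as is the request shape.

```python
import copy

# The details arrays from the page's Example 1 (non-[*] alias) and Example 2 ([*] alias).
EXAMPLE1_DETAILS = [{
    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
    "value": [{"action": "Allow", "value": "134.5.0.0/21"}],
}]
EXAMPLE2_DETAILS = [{
    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
    "value": {"value": "40.40.40.40", "action": "Allow"},
}]


def alias_to_path(alias):
    """Assumption for this model: an alias is '<resource type>/<dotted property path>' and
    the property path lives under the request body's 'properties' object. Returns the path
    segments and whether the alias carried the [*] suffix (append to array elements)."""
    is_star = alias.endswith("[*]")
    if is_star:
        alias = alias[:-3]
    prop_path = alias.rsplit("/", 1)[-1]
    return ["properties"] + prop_path.split("."), is_star


def apply_append(request, details):
    """Apply an Append 'details' array to a create/update request body.
    Returns ('allow', new_body) or ('deny', reason); the input body is not mutated."""
    body = copy.deepcopy(request)
    for entry in details:
        path, is_star = alias_to_path(entry["field"])
        parent = body
        for segment in path[:-1]:
            parent = parent.setdefault(segment, {})
        leaf = path[-1]
        if is_star:
            # [*] alias: append to the existing array, creating it if it is missing.
            parent.setdefault(leaf, []).append(copy.deepcopy(entry["value"]))
        elif leaf in parent and parent[leaf] != entry["value"]:
            # non-[*] alias: the value is the whole property; a different existing value
            # cannot be overridden, so Append acts as Deny and rejects the request.
            return "deny", f"append would override the existing value of {entry['field']}"
        else:
            parent[leaf] = copy.deepcopy(entry["value"])
    return "allow", body


if __name__ == "__main__":
    # Constructed request that already carries one IP rule.
    existing = {"properties": {"networkAcls": {"ipRules": [{"action": "Allow", "value": "10.0.0.0/24"}]}}}
    print(apply_append(existing, EXAMPLE1_DETAILS)[0])  # deny
    print(apply_append(existing, EXAMPLE2_DETAILS)[1]["properties"]["networkAcls"]["ipRules"])
```

Running it against a request without networkAcls shows both forms succeeding; against a request that already has ipRules only the [*] form is allowed, which is the practical reason the page recommends the [*] alias when the intent is to add to an array.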

Modify

Modify is used to add, update, or remove tags on a resource during creation or update. A common example is updating tags on resources such as costCenter. A Modify policy should always have mode set to Indexed unless the target resource is a resource group. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.

Important

Modify is currently only for use with tags. If you are managing tags, it's recommended to use Modify instead of Append, as Modify provides additional operation types and the ability to remediate existing resources. However, Append is recommended if you aren't able to create a managed identity.

Modify evaluation

Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Modify adds or updates tags on a resource when the if condition of the policy rule is met.

When a policy definition using the Modify effect is run as part of an evaluation cycle, it doesn't make changes to resources that already exist. Instead, it marks any resource that meets the if condition as non-compliant.

Modify properties

The details property of the Modify effect has all the subproperties that define the permissions needed for remediation and the operations used to add, update, or remove tag values.

  • roleDefinitionIds [required]
    • This property must include an array of strings that match role-based access control role IDs accessible by the subscription. For more information, see remediation - configure policy definition.
    • The role defined must include all operations granted to the Contributor role.
  • operations [required]
    • An array of all tag operations to be completed on matching resources.
    • Properties:
      • operation [required]
        • Defines what action to take on a matching resource. Options are: addOrReplace, Add, Remove. Add behaves similar to the Append effect.
      • field [required]
        • The tag to add, replace, or remove. Tag names must adhere to the same naming convention as other fields.
      • value (optional)
        • The value to set the tag to.
        • This property is required if operation is addOrReplace or Add.

Modify operations

The operations property array makes it possible to alter several tags in different ways from a single policy definition. Each operation is made up of operation, field, and value properties. Operation determines what the remediation task does to the tags, field determines which tag is altered, and value defines the new setting for that tag. The example below makes the following tag changes:

  • Sets the environment tag to "Test", even if it already exists with a different value.
  • Removes the tag TempResource.
  • Sets the Dept tag to the policy parameter DeptName configured on the policy assignment.

"details": {
    ...
    "operations": [
        {
            "operation": "addOrReplace",
            "field": "tags['environment']",
            "value": "Test"
        },
        {
            "operation": "Remove",
            "field": "tags['TempResource']"
        },
        {
            "operation": "addOrReplace",
            "field": "tags['Dept']",
            "value": "[parameters('DeptName')]"
        }
    ]
}

The operation property has the following options:

Operation       Description
addOrReplace    Adds the defined tag and value to the resource, even if the tag already exists with a different value.
Add             Adds the defined tag and value to the resource.
Remove          Removes the defined tag from the resource.

Modify examples

Example 1: Add the environment tag and replace existing environment tags with "Test":
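To make the three operations and the parameter passing concrete, here is an added Python model (not Azure Policy's own code) that applies the operations array from the example above to a resource's tags. The assignment parameter value is constructed. Two points are assumptions drawn from the page rather than documented behaviour: Add is modelled as never overwriting a tag that already holds a different value (from "Add behaves similar to the Append effect"), and only the [parameters('name')] template form is resolved.

```python
# The operations array from the page's example; the parameter value is constructed.
PAGE_OPERATIONS = [
    {"operation": "addOrReplace", "field": "tags['environment']", "value": "Test"},
    {"operation": "Remove", "field": "tags['TempResource']"},
    {"operation": "addOrReplace", "field": "tags['Dept']", "value": "[parameters('DeptName')]"},
]
ASSIGNMENT_PARAMETERS = {"DeptName": "Security"}  # constructed assignment parameter


def resolve_parameter(value, parameters):
    """Assumption: only the [parameters('name')] form is resolved in this model."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return parameters[value[len(prefix):-len(suffix)]]
    return value


def tag_name(field):
    """Modify fields take the form tags['name']; return the bare tag name."""
    prefix, suffix = "tags['", "']"
    if not (field.startswith(prefix) and field.endswith(suffix)):
        raise ValueError(f"Modify only supports tag fields, got {field!r}")
    return field[len(prefix):-len(suffix)]


def apply_modify(resource, operations, parameters=None):
    """Return (new_tags, conflicts). The input resource is not mutated. 'conflicts' lists
    the tags an Add operation left untouched because they already held another value."""
    parameters = parameters or {}
    tags = dict(resource.get("tags") or {})
    conflicts = []
    for op in operations:
        kind = op["operation"].lower()
        name = tag_name(op["field"])
        if kind in ("addorreplace", "add"):
            if "value" not in op:  # value is required for addOrReplace and Add
                raise ValueError(f"operation {op['operation']} on tag {name!r} needs a value")
            value = resolve_parameter(op["value"], parameters)
            if kind == "add" and name in tags and tags[name] != value:
                conflicts.append(name)  # assumption: Add never overwrites an existing tag
                continue
            tags[name] = value
        elif kind == "remove":
            tags.pop(name, None)  # removing an absent tag is a no-op
        else:
            raise ValueError(f"unknown Modify operation {op['operation']!r}")
    return tags, conflicts


if __name__ == "__main__":
    # Constructed resource carrying a stale environment tag and a temporary marker.
    resource = {"tags": {"environment": "Prod", "TempResource": "yes", "owner": "team-a"}}
    print(apply_modify(resource, PAGE_OPERATIONS, ASSIGNMENT_PARAMETERS))
```

The value check mirrors the rule in the properties list above (value is required for addOrReplace and Add); catching that at definition time is cheaper than discovering it when a remediation task runs.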

"then": {
    "effect": "modify",
    "details": {
        "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
            {
                "operation": "addOrReplace",
                "field": "tags['environment']",
                "value": "Test"
            }
        ]
    }
}

Example 2: Remove the env tag and add the environment tag, or replace existing environment tags, with a parameterized value:

"then": {
    "effect": "modify",
    "details": {
        "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
            {
                "operation": "Remove",
                "field": "tags['env']"
            },
            {
                "operation": "addOrReplace",
                "field": "tags['environment']",
                "value": "[parameters('tagValue')]"
            }
        ]
    }
}

Deny

Deny is used to prevent a resource request that doesn't match defined standards through a policy definition, and fails the request.

Deny evaluation

When creating or updating a matched resource, deny prevents the request before it is sent to the Resource Provider. The request is returned as a 403 (Forbidden). In the portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy assignment.

During evaluation of existing resources, resources that match a deny policy definition are marked as non-compliant.

Deny properties

The deny effect doesn't have any additional properties for use in the then condition of the policy definition.

Deny example

Example: Using the deny effect.

"then": {
    "effect": "deny"
}

Audit

Audit is used to create a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.

Audit evaluation

Audit is the last effect checked by Azure Policy during the creation or update of a resource. Azure Policy then sends the resource to the Resource Provider. Audit works the same for a resource request and an evaluation cycle. Azure Policy adds a Microsoft.Authorization/policies/audit/action operation to the activity log and marks the resource as non-compliant.

Audit properties

The audit effect doesn't have any additional properties for use in the then condition of the policy definition.

Audit example

Example: Using the audit effect.

"then": {
    "effect": "audit"
}

AuditIfNotExists

AuditIfNotExists enables auditing on resources that match the if condition but don't have the components specified in the details of the then condition.

AuditIfNotExists evaluation

AuditIfNotExists runs after a Resource Provider has handled a create or update resource request and has returned a success status code. The audit occurs if there are no related resources or if the resources defined by ExistenceCondition don't evaluate to true. Azure Policy adds a Microsoft.Authorization/policies/audit/action operation to the activity log the same way as the audit effect. When triggered, the resource that satisfied the if condition is the resource that is marked as non-compliant.

AuditIfNotExists properties

The details property of the AuditIfNotExists effect has all the subproperties that define the related resources to match.

  • Type [required]
    • Specifies the type of the related resource to match.
    • If details.type is a resource type underneath the if condition resource, the policy queries for resources of this type within the scope of the evaluated resource. Otherwise, policy queries within the same resource group as the evaluated resource.
  • Name (optional)
    • Specifies the exact name of the resource to match and causes the policy to fetch one specific resource instead of all resources of the specified type.
    • When the condition values for if.field.type and then.details.type match, then Name becomes required and must be [field('name')]. However, an audit effect should be considered instead.
  • ResourceGroupName (optional)
    • Allows the matching of the related resource to come from a different resource group.
    • Doesn't apply if type is a resource that would be underneath the if condition resource.
    • Default is the if condition resource's resource group.
  • ExistenceScope (optional)
    • Allowed values are Subscription and ResourceGroup.
    • Sets the scope of where to fetch the related resource to match from.
    • Doesn't apply if type is a resource that would be underneath the if condition resource.
    • For ResourceGroup, limits the query to the if condition resource's resource group or the resource group specified in ResourceGroupName.
    • For Subscription, queries the entire subscription for the related resource.
    • Default is ResourceGroup.
  • ExistenceCondition (optional)
    • If not specified, any related resource of type satisfies the effect and doesn't trigger the audit.
    • Uses the same language as the policy rule for the if condition, but is evaluated against each related resource individually.
    • If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the audit.
    • Can use [field()] to check equivalence with values in the if condition.
    • For example, could be used to validate that the parent resource (in the if condition) is in the same resource location as the matching related resource.

AuditIfNotExists example

Example: Evaluates Virtual Machines to determine if the Antimalware extension exists, then audits when missing.

{
    "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
        "effect": "auditIfNotExists",
        "details": {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "existenceCondition": {
                "allOf": [{
                        "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                        "equals": "Microsoft.Azure.Security"
                    },
                    {
                        "field": "Microsoft.Compute/virtualMachines/extensions/type",
                        "equals": "IaaSAntimalware"
                    }
                ]
            }
        }
    }
}

DeployIfNotExists

Similar to AuditIfNotExists, a DeployIfNotExists policy definition executes a template deployment when the condition is met.

Note

Nested templates are supported with deployIfNotExists, but linked templates are currently not supported.

DeployIfNotExists evaluation

DeployIfNotExists runs after a Resource Provider has handled a create or update resource request and has returned a success status code. A template deployment occurs if there are no related resources or if the resources defined by ExistenceCondition don't evaluate to true.

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource.

DeployIfNotExists properties

The details property of the DeployIfNotExists effect has all the subproperties that define the related resources to match and the template deployment to execute.

  • Type [required]
    • Specifies the type of the related resource to match.
    • Starts by trying to fetch a resource underneath the if condition resource, then queries within the same resource group as the if condition resource.
  • Name (optional)
    • Specifies the exact name of the resource to match and causes the policy to fetch one specific resource instead of all resources of the specified type.
    • When the condition values for if.field.type and then.details.type match, then Name becomes required and must be [field('name')].
  • ResourceGroupName (optional)
    • Allows the matching of the related resource to come from a different resource group.
    • Doesn't apply if type is a resource that would be underneath the if condition resource.
    • Default is the if condition resource's resource group.
    • If a template deployment is executed, it's deployed in the resource group of this value.
  • ExistenceScope (optional)
    • Allowed values are Subscription and ResourceGroup.
    • Sets the scope of where to fetch the related resource to match from.
    • Doesn't apply if type is a resource that would be underneath the if condition resource.
    • For ResourceGroup, limits the query to the if condition resource's resource group or the resource group specified in ResourceGroupName.
    • For Subscription, queries the entire subscription for the related resource.
    • Default is ResourceGroup.
  • ExistenceCondition (optional)
    • If not specified, any related resource of type satisfies the effect and doesn't trigger the deployment.
    • Uses the same language as the policy rule for the if condition, but is evaluated against each related resource individually.
    • If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the deployment.
    • Can use [field()] to check equivalence with values in the if condition.
    • For example, could be used to validate that the parent resource (in the if condition) is in the same resource location as the matching related resource.
  • roleDefinitionIds [required]
    • This property must include an array of strings that match role-based access control role IDs accessible by the subscription. For more information, see remediation - configure policy definition.
  • DeploymentScope (optional)
    • Allowed values are Subscription and ResourceGroup.
    • Sets the type of deployment to be triggered. Subscription indicates a deployment at subscription level, ResourceGroup indicates a deployment to a resource group.
    • A location property must be specified in the Deployment when using subscription level deployments.
    • Default is ResourceGroup.
  • Deployment [required]
    • This property should include the full template deployment as it would be passed to the Microsoft.Resources/deployments PUT API. For more information, see the Deployments REST API.

    Note

    All functions inside the Deployment property are evaluated as components of the template, not the policy. The exception is the parameters property that passes values from the policy to the template. The value in this section under a template parameter name is used to perform this value passing (see fullDbName in the DeployIfNotExists example).

DeployIfNotExists example

Example: Evaluates SQL Server databases to determine if transparentDataEncryption is enabled. If not, then a deployment to enable it is executed.

"if": {
    "field": "type",
    "equals": "Microsoft.Sql/servers/databases"
},
"then": {
    "effect": "DeployIfNotExists",
    "details": {
        "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
        "name": "current",
        "roleDefinitionIds": [
            "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
            "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
        ],
        "existenceCondition": {
            "field": "Microsoft.Sql/transparentDataEncryption.status",
            "equals": "Enabled"
        },
        "deployment": {
            "properties": {
                "mode": "incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "fullDbName": {
                            "type": "string"
                        }
                    },
                    "resources": [{
                        "name": "[concat(parameters('fullDbName'), '/current')]",
                        "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
                        "apiVersion": "2014-04-01",
                        "properties": {
                            "status": "Enabled"
                        }
                    }]
                },
                "parameters": {
                    "fullDbName": {
                        "value": "[field('fullName')]"
                    }
                }
            }
        }
    }
}
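AuditIfNotExists and DeployIfNotExists share the same decision: collect the related resources of the given type (and name, if set), evaluate the existenceCondition against each one individually, and fire the effect only if none satisfies it. The following Python model is an added example, not Azure Policy's own code, and serves both the AuditIfNotExists section and the DeployIfNotExists section above: it reads the two details blocks from the page's examples and evaluates them against constructed related resources. The resource shape (type, name and location at the top level, everything else under properties), the reduction of an alias to its last path segment, and the supported subset of the condition language (field with equals or notEquals, allOf, anyOf, not, and the [field('...')] reference to the if-condition resource) are assumptions of this model.

```python
# The details blocks from the page's AuditIfNotExists and DeployIfNotExists examples.
VM_ANTIMALWARE_DETAILS = {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "existenceCondition": {
        "allOf": [
            {"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
             "equals": "Microsoft.Azure.Security"},
            {"field": "Microsoft.Compute/virtualMachines/extensions/type",
             "equals": "IaaSAntimalware"},
        ]
    },
}
TDE_DETAILS = {
    "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
    "name": "current",
    "existenceCondition": {"field": "Microsoft.Sql/transparentDataEncryption.status",
                           "equals": "Enabled"},
}


def get_field(resource, field):
    """Assumption for this model: 'type', 'name' and 'location' are top-level keys; any
    other alias is reduced to its last path segment and read from 'properties'."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    key = field.rsplit("/", 1)[-1]
    key = key.rsplit(".", 1)[-1]
    return resource.get("properties", {}).get(key)


def resolve(value, parent):
    """[field('x')] inside existenceCondition (or name) reads the if-condition resource."""
    prefix, suffix = "[field('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return get_field(parent, value[len(prefix):-len(suffix)])
    return value


def evaluate_condition(cond, resource, parent):
    """Evaluate one condition (policy-rule language subset) against a related resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, parent) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, parent) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, parent)
    actual = get_field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], parent)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], parent)
    raise ValueError(f"unsupported condition: {cond}")


def effect_fires(details, parent, related):
    """True when AuditIfNotExists should audit (or DeployIfNotExists should deploy): no
    related resource of details['type'] (and details['name'], if given) satisfies the
    existenceCondition. Without an existenceCondition any related resource satisfies it."""
    wanted_name = resolve(details.get("name"), parent)
    candidates = [r for r in related
                  if r.get("type") == details["type"]
                  and (wanted_name is None or r.get("name") == wanted_name)]
    cond = details.get("existenceCondition")
    if cond is None:
        return not candidates
    return not any(evaluate_condition(cond, r, parent) for r in candidates)


if __name__ == "__main__":
    # Constructed VM with one unrelated extension: the antimalware audit fires.
    vm = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "location": "chinaeast2"}
    agent = {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "vm1/agent",
             "properties": {"publisher": "Contoso.Example", "type": "ExampleAgent"}}
    print(effect_fires(VM_ANTIMALWARE_DETAILS, vm, [agent]))  # True
```

Because the condition is evaluated per related resource, a VM that has the antimalware extension plus any number of other extensions still satisfies the effect; only the absence of a matching one triggers it. The [field('location')] case in the test mirrors the page's example of checking that the related resource sits in the same location as its parent.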

Layering policies

A resource may be impacted by several assignments. These assignments may be at the same scope or at different scopes. Each of these assignments is also likely to have a different effect defined. The condition and effect for each policy are independently evaluated. For example:

  • Policy 1
    • Restricts resource location to 'chinaeast2'
    • Assigned to subscription A
    • Deny effect
  • Policy 2
    • Restricts resource location to 'chinaeast2'
    • Assigned to resource group B in subscription A
    • Audit effect

This setup would result in the following outcome:

  • Any resource already in resource group B in 'chinaeast2' is compliant to policy 2 and non-compliant to policy 1
  • Any resource already in resource group B not in 'chinaeast2' is non-compliant to policy 2, and non-compliant to policy 1 if not in 'chinaeast2'
  • Any new resource in subscription A not in 'chinanorth2' is denied by policy 1
  • Any new resource in subscription A and resource group B in 'chinaeast2' is created and non-compliant on policy 2

If both policy 1 and policy 2 had an effect of deny, the situation changes to:

  • Any resource already in resource group B not in 'chinaeast2' is non-compliant to policy 2
  • Any resource already in resource group B not in 'chinaeast2' is non-compliant to policy 1
  • Any new resource in subscription A not in 'chinanorth2' is denied by policy 1
  • Any new resource in resource group B of subscription A is denied

Each assignment is individually evaluated. As such, there isn't an opportunity for a resource to slip through a gap from differences in scope. The net result of layering policies or policy overlap is considered to be cumulative most restrictive. As an example, if both policy 1 and 2 had a deny effect, a resource would be blocked by the overlapping and conflicting policies. If you still need the resource to be created in the target scope, review the exclusions on each assignment to validate the right policies are affecting the right scopes.

Next steps
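The order of evaluation described at the top of the page and the layering behaviour described here are two views of the same mechanism, so one added Python model (not Azure Policy's own code) covers both: it selects the assignments that apply to a request's scope, skips Disabled ones first, lets an enforcementMode of Disabled evaluate without logging or enforcing, evaluates Deny before Audit so a denied request is never also audit-logged, and reports the cumulative most-restrictive result. Append, Modify and the post-Resource-Provider effects are left out. The scope strings, assignment names and locations are constructed; the two constructed policies restrict to different locations so that the overlap between a subscription-wide deny and a resource-group-scoped audit is visible.

```python
AUDIT_OPERATION = "Microsoft.Authorization/policies/audit/action"


def restrict_location(allowed):
    """Policy rule: the if condition matches (the rule fires) when the resource is NOT in
    the allowed location, which is how a location restriction is expressed."""
    return lambda resource: resource.get("location") != allowed


def applies(assignment, scope):
    """An assignment applies to its own scope and everything below it. Scopes are
    constructed '/'-separated strings, for example 'subA' and 'subA/rgB'."""
    return scope == assignment["scope"] or scope.startswith(assignment["scope"] + "/")


def evaluate_request(request, assignments):
    """Evaluate a create/update request before it reaches the Resource Provider. Returns
    the outcome, the activity-log entries written, and the assignments that found the
    resource non-compliant."""
    resource, scope = request["resource"], request["scope"]
    log, non_compliant = [], []
    # 1. Disabled is checked first: such assignments are not evaluated at all.
    active = [a for a in assignments if applies(a, scope) and a["effect"] != "disabled"]
    # Assignments whose if condition matches, i.e. the resource violates them.
    matched = [a for a in active if a["condition"](resource)]
    # enforcementMode=Disabled: still evaluated for compliance, but no log and no effect.
    enforced = []
    for a in matched:
        if a.get("enforcementMode", "Default") == "Disabled":
            non_compliant.append(a["name"])
        else:
            enforced.append(a)
    # 2. Deny is evaluated before Audit, so a denied request is never also audit-logged.
    for a in enforced:
        if a["effect"] == "deny":
            non_compliant.append(a["name"])
            return {"outcome": "denied", "status": 403, "denied_by": a["name"],
                    "activity_log": log, "non_compliant": non_compliant}
    # 3. Audit is the last effect checked before the request goes to the Resource Provider.
    for a in enforced:
        if a["effect"] == "audit":
            log.append({"operation": AUDIT_OPERATION, "assignment": a["name"]})
            non_compliant.append(a["name"])
    return {"outcome": "created", "status": 200, "denied_by": None,
            "activity_log": log, "non_compliant": non_compliant}


def evaluate_existing(resource, scope, assignments):
    """Evaluation cycle over an existing resource: no effect changes anything; every
    applicable, non-disabled assignment independently reports compliant (True) or not."""
    return {a["name"]: not a["condition"](resource)
            for a in assignments if applies(a, scope) and a["effect"] != "disabled"}


# Constructed scenario shaped like the page's Policy 1 / Policy 2: a subscription-wide deny
# and a resource-group-scoped audit, restricting to different locations.
POLICY_1 = {"name": "policy1", "scope": "subA", "effect": "deny",
            "condition": restrict_location("chinaeast2")}
POLICY_2 = {"name": "policy2", "scope": "subA/rgB", "effect": "audit",
            "condition": restrict_location("chinanorth2")}

if __name__ == "__main__":
    both = [POLICY_1, POLICY_2]
    print(evaluate_request({"scope": "subA/rgB", "resource": {"location": "chinaeast2"}}, both))
    print(evaluate_existing({"location": "chinaeast2"}, "subA/rgB", both))
```

The result for a resource in resource group B that violates both policies is a 403 with an empty activity log: the deny short-circuits before audit runs, which is the "double logging" the page says the ordering prevents. Switching policy 2 to deny as well makes the resource-group assignment the one that blocks the request, the cumulative most-restrictive outcome.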