Azure Policy exemption structure
The Azure Policy exemptions (preview) feature is used to exempt a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are exempt count toward overall compliance, but can't be evaluated or have a temporary waiver. For more information, see Understand scope in Azure Policy. Azure Policy exemptions only work with Resource Manager modes and don't work with Resource Provider modes.
Important
This feature is free during preview. For pricing details, see Azure Policy pricing.
You use JSON to create a policy exemption. The policy exemption contains elements for:
- display name
- description
- metadata
- policy assignment
- policy definitions within an initiative
- exemption category
- expiration
Note
A policy exemption is created as a child object on the resource hierarchy or the individual resource granted the exemption, so the target isn't included in the exemption definition.
For example, the following JSON shows a policy exemption in the waiver category of a resource to an initiative assignment named resourceShouldBeCompliantInit. The resource is exempt from only two of the policy definitions in the initiative: the customOrgPolicy custom policy definition (reference requiredTags) and the 'Allowed locations' built-in policy definition (ID: e56962a6-4747-49cd-b67b-bf8b01975c4c, reference allowedLocations):

```json
{
  "id": "/subscriptions/{subId}/resourceGroups/ExemptRG/providers/Microsoft.Authorization/policyExemptions/resourceIsNotApplicable",
  "name": "resourceIsNotApplicable",
  "type": "Microsoft.Authorization/policyExemptions",
  "properties": {
    "displayName": "This resource is scheduled for deletion",
    "description": "This resource is planned to be deleted by end of quarter and has been granted a waiver to the policy.",
    "metadata": {
      "requestedBy": "Storage team",
      "approvedBy": "IA",
      "approvedOn": "2020-07-26T08:02:32.0000000Z",
      "ticketRef": "4baf214c-8d54-4646-be3f-eb6ec7b9bc4f"
    },
    "policyAssignmentId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",
    "policyDefinitionReferenceIds": [
      "requiredTags",
      "allowedLocations"
    ],
    "exemptionCategory": "waiver",
    "expiresOn": "2020-12-31T23:59:00.0000000Z"
  }
}
```
Snippet of the related initiative with the matching policyDefinitionReferenceIds used by the policy exemption:

```json
"policyDefinitions": [
  {
    "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/customOrgPolicy",
    "policyDefinitionReferenceId": "requiredTags",
    "parameters": {
      "reqTags": {
        "value": "[parameters('init_reqTags')]"
      }
    }
  },
  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
    "policyDefinitionReferenceId": "allowedLocations",
    "parameters": {
      "listOfAllowedLocations": {
        "value": "[parameters('init_listOfAllowedLocations')]"
      }
    }
  }
]
```
Display name and description
You use displayName and description to identify the policy exemption and provide context for its use with the specific resource. displayName has a maximum length of 128 characters and description a maximum length of 512 characters.
Metadata
The metadata property allows creating any child property needed for storing relevant information. In the example above, the properties requestedBy, approvedBy, approvedOn, and ticketRef contain customer values that record who requested the exemption, who approved it and when, and the internal tracking ticket for the request. These metadata properties are examples; they aren't required, and metadata isn't limited to these child properties.
Policy assignment ID
This field must be the full path name of either a policy assignment or an initiative assignment. policyAssignmentId is a string and not an array. This property defines which assignment the parent resource hierarchy or individual resource is exempt from.
Policy definition IDs
If the policyAssignmentId is for an initiative assignment, the policyDefinitionReferenceIds property may be used to specify which policy definition(s) in the initiative the subject resource has an exemption to. As the resource may be exempted from one or more included policy definitions, this property is an array. The values must match the values in the initiative definition in the policyDefinitions.policyDefinitionReferenceId fields.
Exemption category
Two exemption categories exist and are used to group exemptions:
- Mitigated: The exemption is granted because the policy intent is met through another method.
- Waiver: The exemption is granted because the non-compliance state of the resource is temporarily accepted. Another reason to use this category is for a resource or resource hierarchy that should be excluded from one or more definitions in an initiative, but shouldn't be excluded from the entire initiative.
Expiration
To set when a resource hierarchy or an individual resource is no longer exempt from an assignment, set the expiresOn property. This optional property must be in the Universal ISO 8601 DateTime format yyyy-MM-ddTHH:mm:ss.fffffffZ.
Note
The policy exemption isn't deleted when the expiresOn date is reached. The object is preserved for record-keeping, but the exemption is no longer honored.
Required permissions
The Azure RBAC permissions needed to manage Policy exemption objects are in the Microsoft.Authorization/policyExemptions operation group. The built-in roles Resource Policy Contributor and Security Admin both have the read and write permissions, and Policy Insights Data Writer (Preview) has the read permission.
Exemptions have additional security measures because of the impact of granting an exemption. Beyond requiring the Microsoft.Authorization/policyExemptions/write operation on the resource hierarchy or individual resource, the creator of an exemption must have the exempt/Action verb on the target assignment.
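Because creating an exemption needs two distinct operations, a role that grants the whole policyExemptions operation group still isn't enough on its own. The Python below is an added example, not Microsoft's code or the real built-in role definitions: it evaluates constructed role definitions the way Azure RBAC combines Actions and NotActions (wildcard patterns, NotActions subtracting from Actions) and reports which of the two required operations a role lacks. The full operation name Microsoft.Authorization/policyAssignments/exempt/action is assumed for the exempt/Action verb the page names, and the model simplifies by checking a single role rather than the union of role assignments across scopes.

```python
"""Check whether a role definition covers both operations an exemption creator needs
(added example; role definitions below are constructed, not Azure's built-in roles)."""
import fnmatch

EXEMPTION_WRITE = "Microsoft.Authorization/policyExemptions/write"
# Assumed full operation name for the exempt/Action verb on the target assignment.
ASSIGNMENT_EXEMPT = "Microsoft.Authorization/policyAssignments/exempt/action"
REQUIRED = (EXEMPTION_WRITE, ASSIGNMENT_EXEMPT)

# Constructed role definitions in the Actions / NotActions shape of Azure custom roles.
READ_ONLY_ROLE = {"Actions": ["*/read"], "NotActions": []}
EXEMPTION_EDITOR_ROLE = {
    "Actions": ["*/read", "Microsoft.Authorization/policyExemptions/*"],
    "NotActions": [],
}
POLICY_ADMIN_ROLE = {
    "Actions": ["*/read",
                "Microsoft.Authorization/policyExemptions/*",
                "Microsoft.Authorization/policyAssignments/*"],
    "NotActions": ["Microsoft.Authorization/policyAssignments/delete"],
}


def _matches(action, patterns):
    """Case-insensitive wildcard match; '*' spans '/' just as it does in Azure RBAC actions."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def action_allowed(role, action):
    """An action is effective only if some Actions pattern grants it and no NotActions pattern removes it."""
    return _matches(action, role.get("Actions", [])) and not _matches(action, role.get("NotActions", []))


def missing_for_exemption(role):
    """Return the required operations this role does not grant (empty list means it can create exemptions)."""
    return [op for op in REQUIRED if not action_allowed(role, op)]


if __name__ == "__main__":
    for name, role in (("read-only", READ_ONLY_ROLE),
                       ("exemption-editor", EXEMPTION_EDITOR_ROLE),
                       ("policy-admin", POLICY_ADMIN_ROLE)):
        print(f"{name}: missing {missing_for_exemption(role) or 'nothing'}")
```

The exemption-editor role is the instructive case: it can write exemption objects, yet without the exempt action on the assignment it still can't create one, which is the extra safeguard the page describes.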
Next steps
- Learn about the policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review what a management group is with Organize your resources with Azure management groups.