Azure Policy initiative definition structure

Initiatives enable you to group several related policy definitions to simplify assignment and management, because you work with the group as a single item. For example, you can group related tagging policy definitions into a single initiative. Rather than assigning each policy individually, you apply the initiative.

You use JSON to create a policy initiative definition. The policy initiative definition contains elements for:

  • display name
  • description
  • metadata
  • parameters
  • policy definitions

The following example illustrates how to create an initiative for handling two tags: costCenter and productName. It uses two built-in policies to apply the default tag value.

{
    "properties": {
        "displayName": "Billing Tags Policy",
        "policyType": "Custom",
        "description": "Specify cost Center tag and product name tag",
        "metadata": {
            "version": "1.0.0",
            "category": "Tags"
        },
        "parameters": {
            "costCenterValue": {
                "type": "String",
                "metadata": {
                    "description": "required value for Cost Center tag"
                },
                "defaultValue": "DefaultCostCenter"
            },
            "productNameValue": {
                "type": "String",
                "metadata": {
                    "description": "required value for product Name tag"
                },
                "defaultValue": "DefaultProduct"
            }
        },
        "policyDefinitions": [{
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
                "parameters": {
                    "tagName": {
                        "value": "costCenter"
                    },
                    "tagValue": {
                        "value": "[parameters('costCenterValue')]"
                    }
                }
            },
            {
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
                "parameters": {
                    "tagName": {
                        "value": "costCenter"
                    },
                    "tagValue": {
                        "value": "[parameters('costCenterValue')]"
                    }
                }
            },
            {
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
                "parameters": {
                    "tagName": {
                        "value": "productName"
                    },
                    "tagValue": {
                        "value": "[parameters('productNameValue')]"
                    }
                }
            },
            {
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
                "parameters": {
                    "tagName": {
                        "value": "productName"
                    },
                    "tagValue": {
                        "value": "[parameters('productNameValue')]"
                    }
                }
            }
        ]
    }
}

Azure Policy built-ins and patterns are at Azure Policy samples.

Metadata

The optional metadata property stores information about the policy initiative definition. Customers can define any properties and values useful to their organization in metadata. However, there are some common properties used by Azure Policy and in built-ins.

Common metadata properties

  • version (string): Tracks details about the version of the contents of a policy initiative definition.
  • category (string): Determines under which category in the Azure portal the policy definition is displayed.
  • preview (boolean): True or false flag for whether the policy initiative definition is preview.
  • deprecated (boolean): True or false flag for whether the policy initiative definition has been marked as deprecated.

Note

The Azure Policy service uses the version, preview, and deprecated properties to convey the level of change to a built-in policy definition or initiative and its state. The format of version is {Major}.{Minor}.{Patch}. Specific states, such as deprecated or preview, are appended to the version property or carried in another property as a boolean. For more information about the way Azure Policy versions built-ins, see Built-in versioning.

Parameters

Parameters help simplify your policy management by reducing the number of policy definitions. Think of parameters like the fields on a form: name, address, city, state. These fields always stay the same, but their values change based on the individual filling out the form. Parameters work the same way when building policy initiatives. By including parameters in a policy initiative definition, you can reuse that parameter in the included policies.

Note

Once an initiative is assigned, initiative-level parameters can't be altered. Because of this, the recommendation is to set a defaultValue when defining the parameter.

Parameter properties

A parameter has the following properties that are used in the policy initiative definition:

  • name: The name of your parameter. Used by the parameters deployment function within the policy rule. For more information, see using a parameter value.
  • type: Determines if the parameter is a string, array, object, boolean, integer, float, or datetime.
  • metadata: Defines subproperties primarily used by the Azure portal to display user-friendly information:
    • description: The explanation of what the parameter is used for. Can be used to provide examples of acceptable values.
    • displayName: The friendly name shown in the portal for the parameter.
    • strongType: (Optional) Used when assigning the policy definition through the portal. Provides a context-aware list. For more information, see strongType.
  • defaultValue: (Optional) Sets the value of the parameter in an assignment if no value is given.
  • allowedValues: (Optional) Provides an array of values that the parameter accepts during assignment.

As an example, you could define a policy initiative definition to limit the locations of resources in the various included policy definitions. A parameter for that policy initiative definition could be allowedLocations. The parameter is then available to each included policy definition and is defined during assignment of the policy initiative.

"parameters": {
    "init_allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of allowed locations for resources.",
            "displayName": "Allowed locations",
            "strongType": "location"
        },
        "defaultValue": [ "chinaeast2" ],
        "allowedValues": [
            "chinaeast",
            "chinaeast2",
            "chinanorth2",
            "chinanorth"
        ]
    }
}

Passing a parameter value to a policy definition

You declare which initiative parameters you pass to which included policy definitions in the policyDefinitions array of the initiative definition. While the parameter names can be the same, using different names in the initiative than in the policy definitions improves readability.

For example, the init_allowedLocations initiative parameter defined previously can be passed to several included policy definitions and their parameters, sql_locations and vm_locations, like this:

"policyDefinitions": [
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec8fc28-d5b7-4603-8fec-39044f00a92b",
        "policyDefinitionReferenceId": "allowedLocationsSQL",
        "parameters": {
            "sql_locations": {
                "value": "[parameters('init_allowedLocations')]"
            }
        }
    },
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa09bd0f-aa5f-4343-b6ab-a33a6a6304f3",
        "policyDefinitionReferenceId": "allowedLocationsVMs",
        "parameters": {
            "vm_locations": {
                "value": "[parameters('init_allowedLocations')]"
            }
        }
    }
]

This sample references the init_allowedLocations parameter that was demonstrated in parameter properties.

strongType

Within the metadata property, you can use strongType to provide a multi-select list of options within the Azure portal. strongType can be a supported resource type or an allowed value. To determine if a resource type is valid for strongType, use Get-AzResourceProvider.

Some resource types not returned by Get-AzResourceProvider are also supported. Those resource types are:

  • Microsoft.RecoveryServices/vaults/backupPolicies

The non-resource-type allowed values for strongType are:

  • location
  • resourceTypes
  • storageSkus
  • vmSKUs
  • existingResourceGroups

Policy definitions

The policyDefinitions portion of the initiative definition is an array listing which existing policy definitions are included in the initiative. As mentioned in Passing a parameter value to a policy definition, this property is where initiative parameters are passed to the policy definition.

Policy definition properties

Each array element that represents a policy definition has the following properties:

  • policyDefinitionId (string): The ID of the custom or built-in policy definition to include.
  • policyDefinitionReferenceId (string): A short name for the included policy definition.
  • parameters: (Optional) The name/value pairs for passing an initiative parameter to the included policy definition as a property in that policy definition. For more information, see Parameters.

Here is an example of policyDefinitions that has two included policy definitions, each of which is passed the same initiative parameter:

"policyDefinitions": [
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec8fc28-d5b7-4603-8fec-39044f00a92b",
        "policyDefinitionReferenceId": "allowedLocationsSQL",
        "parameters": {
            "sql_locations": {
                "value": "[parameters('init_allowedLocations')]"
            }
        }
    },
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa09bd0f-aa5f-4343-b6ab-a33a6a6304f3",
        "policyDefinitionReferenceId": "allowedLocationsVMs",
        "parameters": {
            "vm_locations": {
                "value": "[parameters('init_allowedLocations')]"
            }
        }
    }
]
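The wiring described in the Parameters and Policy definitions sections is easy to get subtly wrong, so the following added Python linter (example code written for this page, not an Azure tool or part of the original article) checks an initiative definition before it is submitted: every [parameters('…')] value in policyDefinitions must name a declared initiative parameter, every initiative parameter must carry a defaultValue that lies within its allowedValues (parameters cannot be changed after assignment), and policyDefinitionReferenceId values must be unique. The embedded sample initiative is constructed for the example and deliberately contains two defects.

```python
import json
import re

# Matches the reference syntax an included policy definition uses to receive an
# initiative parameter, e.g. "[parameters('init_allowedLocations')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def lint_initiative(definition: dict) -> list[str]:
    """Return a list of findings for an initiative definition (empty list = clean)."""
    props = definition.get("properties", definition)
    params = props.get("parameters", {})
    findings = []
    for name, spec in params.items():
        # Initiative-level parameters cannot be altered once assigned, so a
        # missing defaultValue forces every assignment to supply one explicitly.
        if "defaultValue" not in spec:
            findings.append(f"parameter '{name}' has no defaultValue")
        elif "allowedValues" in spec:
            default = spec["defaultValue"]
            values = default if isinstance(default, list) else [default]
            bad = [v for v in values if v not in spec["allowedValues"]]
            if bad:
                findings.append(f"parameter '{name}' defaultValue {bad} not in allowedValues")
    seen = set()
    for i, pd in enumerate(props.get("policyDefinitions", [])):
        ref = pd.get("policyDefinitionReferenceId")
        if ref is not None and ref in seen:
            findings.append(f"duplicate policyDefinitionReferenceId '{ref}'")
        seen.add(ref)
        for pname, pval in pd.get("parameters", {}).items():
            m = PARAM_REF.match(str(pval.get("value", "")))
            if m and m.group(1) not in params:
                findings.append(f"policyDefinitions[{i}] passes undeclared parameter '{m.group(1)}' to '{pname}'")
    return findings

# Constructed sample, deliberately flawed: the default is outside allowedValues
# and the second reference misspells the initiative parameter name.
SAMPLE = json.loads("""{ "properties": { "parameters": {
  "init_allowedLocations": { "type": "array", "defaultValue": ["chinaeast2"],
    "allowedValues": ["chinaeast", "chinanorth2", "chinanorth"] } },
  "policyDefinitions": [
    { "policyDefinitionReferenceId": "allowedLocationsSQL",
      "parameters": { "sql_locations": { "value": "[parameters('init_allowedLocations')]" } } },
    { "policyDefinitionReferenceId": "allowedLocationsVMs",
      "parameters": { "vm_locations": { "value": "[parameters('init_allowedLocation')]" } } } ] } }""")

if __name__ == "__main__":
    for finding in lint_initiative(SAMPLE):
        print(finding)
```

Run against a real definition by loading its JSON file with json.load and passing the result to lint_initiative; an empty list means the three checks passed.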

Next steps