为 Azure 资源上的数组属性创作策略Author policies for array properties on Azure resources

Azure 资源管理器属性通常定义为字符串和布尔值。Azure Resource Manager properties are commonly defined as strings and booleans. 存在一对多关系时,复杂属性将定义为数组。When a one-to-many relationship exists, complex properties are instead defined as arrays. 在 Azure Policy 中,通过以下几种不同的方式来使用数组:In Azure Policy, arrays are used in several different ways:

  • 定义参数的类型,用于提供多个选项The type of a definition parameter, to provide multiple options
  • 使用条件 in 或 notIn 的策略规则的一部分 Part of a policy rule using the conditions in or notIn
  • 用于计算[*]别名的策略规则的一部分:Part of a policy rule that evaluates the [*] alias to evaluate:
    • 方案,如“无”、“任何”或“全部” Scenarios such as None, Any, or All
    • 具有计数的复杂方案Complex scenarios with count
  • 追加效果中,用于替换或添加到现有数组In the append effect to replace or add to an existing array

本文介绍 Azure Policy 对每种方式的使用情况,并提供了几个示例定义。This article covers each use by Azure Policy and provides several example definitions.

参数数组Parameter arrays

定义参数数组Define a parameter array

需要多个值时,将参数定义为数组可以实现策略的灵活性。Defining a parameter as an array allows the policy flexibility when more than one value is needed. 此策略定义允许对参数 allowedLocations 使用任意单个位置,默认值为 chinaeast2This policy definition allows any single location for the parameter allowedLocations and defaults to chinaeast2:

"parameters": {
    "allowedLocations": {
        "type": "string",
        "metadata": {
            "description": "The list of allowed locations for resources.",
            "displayName": "Allowed locations",
            "strongType": "location"
        },
        "defaultValue": "chinaeast2"
    }
}

由于类型为字符串,因此在分配策略时只能设置一个值。As type was string, only one value can be set when assigning the policy. 如果分配了此策略,则仅允许在单个 Azure 区域内使用范围内的资源。If this policy is assigned, resources in scope are only allowed within a single Azure region. 大多数策略定义需要允许批准的选项列表,例如允许 chinanorthchinanorth2chinaeast2Most policies definitions need to allow for a list of approved options, such as allowing chinanorth, chinanorth2, and chinaeast2.

若要创建策略定义以允许多个选项,请使用“数组”类型。To create the policy definition to allow multiple options, use the array type. 同一个策略可以重写,如下所示:The same policy can be rewritten as follows:

"parameters": {
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of allowed locations for resources.",
            "displayName": "Allowed locations",
            "strongType": "location"
        },
        "defaultValue": "chinaeast2",
        "allowedValues": [
            "chinanorth",
            "chinanorth2",
            "chinaeast2"
        ]

    }
}

备注

保存策略定义后,无法更改参数上的属性。Once a policy definition is saved, the type property on a parameter can't be changed.

在策略分配过程中,此新参数定义会使用多个值。This new parameter definition takes more than one value during policy assignment. 定义数组属性 allowedValues 后,分配期间可用的值将进一步限制为预定义的选项列表。With the array property allowedValues defined, the values available during assignment are further limited to the predefined list of choices. 可以选择使用 allowedValues。Use of allowedValues is optional.

在分配期间将值传递给参数数组Pass values to a parameter array during assignment

通过 Azure 门户分配策略时,数组类型的参数显示为单个文本框。When assigning the policy through the Azure portal, a parameter of type array is displayed as a single textbox. 提示显示“使用 ; 来分隔值。The hint says "Use ; to separate values. (例如,伦敦;纽约)”。(e.g. London;New York)". 若要将 chinanorthchinanorth2chinaeast2 的允许位置值传递给该参数,请使用以下字符串:To pass the allowed location values of chinanorth, chinanorth2, and chinaeast2 to the parameter, use the following string:

chinanorth;chinanorth2;chinaeast2

使用 Azure CLI、Azure PowerShell 或 REST API 时,参数值的格式不同。The format for the parameter value is different when using Azure CLI, Azure PowerShell, or the REST API. 这些值通过 JSON 字符串(还包括参数名称)传递。The values are passed through a JSON string that also includes the name of the parameter.

{
    "allowedLocations": {
        "value": [
            "chinanorth",
            "chinanorth2",
            "chinaeast2"
        ]
    }
}

若要将此字符串与每个 SDK 一起使用,请使用以下命令:To use this string with each SDK, use the following commands:

数组条件Array conditions

可与参数的数组 类型一起使用的策略规则条件限制为 innotInThe policy rule conditions that an array type of parameter may be used with is limited to in and notIn. 以带有条件 equals 的以下策略定义为例:Take the following policy definition with condition equals as an example:

{
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "equals": "[parameters('allowedLocations')]"
      }
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": {
        "description": "The list of allowed locations for resources.",
        "displayName": "Allowed locations",
        "strongType": "location"
      }
    }
  }
}

尝试通过 Azure 门户创建此策略定义会导致类似如下的错误消息:Attempting to create this policy definition through the Azure portal leads to an error such as this error message:

  • “由于验证错误,无法对策略‘{GUID}’进行参数化。"The policy '{GUID}' could not be parameterized because of validation errors. 请检查策略参数定义是否正确。Please check if policy parameters are properly defined. 内部异常语言表达式‘[parameters('allowedLocations')]’的计算结果为‘数组’类型,预期类型为‘字符串’。”The inner exception 'Evaluation result of language expression '[parameters('allowedLocations')]' is type 'Array', expected type is 'String'.'."

条件 equals 的预期类型为 字符串The expected type of condition equals is string. 由于 allowedLocations 被定义为数组类型,因此策略引擎会计算语言表达式并引发错误 。Since allowedLocations is defined as type array, the policy engine evaluates the language expression and throws the error. innotIn 条件下,策略引擎在语言表达式中应为“数组”类型。With the in and notIn condition, the policy engine expects the type array in the language expression. 若要解决此错误消息,请将 equals 更改为 innotInTo resolve this error message, change equals to either in or notIn.

引用数组资源属性Referencing array resource properties

许多用例需要使用所评估资源中的数组属性。Many use cases require working with array properties in the evaluated resource. 某些方案需要引用整个数组(例如,检查它的长度)。Some scenarios require referencing an entire array (for example, checking its length). 其他方案需要对每个单独的数组成员应用条件(例如,确保所有防火墙规则阻止从 Internet 进行访问)。Others require applying a condition to each individual array member (for example, ensure that all firewall rule block access from the internet). 了解 Azure Policy 引用资源属性的不同方式,以及这些引用在引用数组属性时的行为方式,是编写用于涵盖这些方案的条件的关键。Understanding the different ways Azure Policy can reference resource properties, and how these references behave when they refer to array properties is the key for writing conditions that cover these scenarios.

引用资源属性Referencing resource properties

Azure Policy 可以使用别名引用资源属性。有两种方法可用于在 Azure Policy 中引用资源属性的值:Resource properties can be referenced by Azure Policy using aliases There are two ways to reference the values of a resource property within Azure Policy:

  • 使用字段条件来检查是否所有选定的资源属性都满足某个条件。Use field condition to check whether all selected resource properties meet a condition. 示例:Example:

    {
      "field" : "Microsoft.Test/resourceType/property",
      "equals": "value"
    }
    
  • 使用 field() 函数访问属性的值。Use field() function to access the value of a property. 示例:Example:

    {
      "value": "[take(field('Microsoft.Test/resourceType/property'), 7)]",
      "equals": "prefix_"
    }
    

字段条件具有隐式的“所有成员”行为。The field condition has an implicit "all of" behavior. 如果别名表示值的集合,则它会检查是否所有单个值都满足该条件。If the alias represents a collection of values, it checks whether all individual values meet the condition. field() 函数按原样返回别名所表示的值,这些值随后可由其他模板函数操作。The field() function returns the values represented by the alias as-is, which can then be manipulated by other template functions.

引用数组字段Referencing array fields

数组资源属性通常由两种不同类型的别名表示。Array resource properties are usually represented by two different types of aliases. 一种是一个“普通”别名,另一种是附加了 [*]数组别名One 'normal' alias and array aliases that have [*] attached to it:

  • Microsoft.Test/resourceType/stringArray
  • Microsoft.Test/resourceType/stringArray[*]

引用数组Referencing the array

第一种别名表示单个值,即请求内容中 stringArray 属性的值。The first alias represents a single value, the value of stringArray property from the request content. 由于该属性的值是一个数组,因此在策略条件中并非十分有用。Since the value of that property is an array, it isn't very useful in policy conditions. 例如:For example:

{
  "field": "Microsoft.Test/resourceType/stringArray",
  "equals": "..."
}

此条件将整个 stringArray 数组与单个字符串值进行比较。This condition compares the entire stringArray array to a single string value. 大多数条件(包括 equals)仅接受字符串值,因此在将数组与字符串进行比较时没有多大用处。Most conditions, including equals, only accept string values, so there's not much use in comparing an array to a string. 引用数组属性的主要方案在检查该属性是否存在时十分有用:The main scenario where referencing the array property is useful is when checking whether it exists:

{
  "field": "Microsoft.Test/resourceType/stringArray",
  "exists": "true"
}

在使用 field() 函数的情况下,返回的值是请求内容中的数组,该数组随后可与接受数组参数的任何受支持模板函数结合使用。With the field() function, the returned value is the array from the request content, which can then be used with any of the supported template functions that accept array arguments. 例如,以下条件检查 stringArray 的长度是否大于 0:For example, the following condition checks whether the length of stringArray is greater than 0:

{
  "value": "[length(field('Microsoft.Test/resourceType/stringArray'))]",
  "greater": 0
}

引用数组成员集合Referencing the array members collection

使用 [*] 语法的别名表示从数组属性中选择的属性值的集合,这不同于选择数组属性本身。Aliases that use the [*] syntax represent a collection of property values selected from an array property, which is different than selecting the array property itself. 如果使用的是 Microsoft.Test/resourceType/stringArray[*],它将返回一个包含 stringArray 的所有成员的集合。In the case of Microsoft.Test/resourceType/stringArray[*], it returns a collection that has all of the members of stringArray. 如前所述,field 条件会检查所有选定的资源属性是否满足该条件,因此仅当 stringArray 的所有成员均等于 "value" 时,以下条件才为 true。As mentioned previously, a field condition checks that all selected resource properties meet the condition, therefore the following condition is true only if all the members of stringArray are equal to '"value"'.

{
  "field": "Microsoft.Test/resourceType/stringArray[*]",
  "equals": "value"
}

如果数组包含对象,则可以使用 [*] 别名从每个数组成员选择特定属性的值。If the array contains objects, a [*] alias can be used to select the value of a specific property from each array member. 示例:Example:

{
  "field": "Microsoft.Test/resourceType/objectArray[*].property",
  "equals": "value"
}

如果 objectArray 中的所有 property 属性的值均等于 "value",则此条件为 true。This condition is true if the values of all property properties in objectArray are equal to "value".

使用 field() 函数引用数组别名时,返回的值是全部所选值的数组。When using the field() function to reference an array alias, the returned value is an array of all the selected values. 此行为意味着 field() 函数的常见用例(将模板函数应用于资源属性值的功能)非常有限。This behavior means that the common use case of the field() function, the ability to apply template functions to resource property values, is very limited. 在这种情况下可使用的模板函数只能是接受数组参数的模板函数。The only template functions that can be used in this case are the ones that accept array arguments. 例如,可以通过 [length(field('Microsoft.Test/resourceType/objectArray[*].property'))] 获取数组的长度。For example, it's possible to get the length of the array with [length(field('Microsoft.Test/resourceType/objectArray[*].property'))]. 但是,更复杂的方案(例如,将模板函数应用于每个数组成员,并将其与所需的值进行比较)仅在使用 count 表达式时才可行。However, more complex scenarios like applying template function to each array members and comparing it to a desired value are only possible when using the count expression. 有关详细信息,请参阅 Count 表达式For more information, see Count expression.

概括而言,请参阅以下示例资源内容和通过各种别名返回的所选值:To summarize, see the following example resource content and the selected values returned by various aliases:

{
  "tags": {
    "env": "prod"
  },
  "properties":
  {
    "stringArray": [ "a", "b", "c" ],
    "objectArray": [
      {
        "property": "value1",
        "nestedArray": [ 1, 2 ]
      },
      {
        "property": "value2",
        "nestedArray": [ 3, 4 ]
      }
    ]
  }
}

对示例资源内容使用字段条件时,结果如下所示:When using the field condition on the example resource content, the results are as follows:

AliasAlias 所选值Selected values
Microsoft.Test/resourceType/missingArray null
Microsoft.Test/resourceType/missingArray[*] 值的空集合。An empty collection of values.
Microsoft.Test/resourceType/missingArray[*].property 值的空集合。An empty collection of values.
Microsoft.Test/resourceType/stringArray ["a", "b", "c"]
Microsoft.Test/resourceType/stringArray[*] "a", "b", "c""a", "b", "c"
Microsoft.Test/resourceType/objectArray[*] { "property": "value1", "nestedArray": [ 1, 2 ] },{ "property": "value1", "nestedArray": [ 1, 2 ] },
{ "property": "value2", "nestedArray": [ 3, 4 ] }
Microsoft.Test/resourceType/objectArray[*].property "value1", "value2""value1", "value2"
Microsoft.Test/resourceType/objectArray[*].nestedArray [ 1, 2 ], [ 3, 4 ][ 1, 2 ], [ 3, 4 ]
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] 1, 2, 3, 41, 2, 3, 4

对示例资源内容使用 field() 函数时,结果如下所示:When using the field() function on the example resource content, the results are as follows:

表达式Expression 返回的值Returned Value
[field('Microsoft.Test/resourceType/missingArray')] ""
[field('Microsoft.Test/resourceType/missingArray[*]')] []
[field('Microsoft.Test/resourceType/missingArray[*].property')] []
[field('Microsoft.Test/resourceType/stringArray')] ["a", "b", "c"]
[field('Microsoft.Test/resourceType/stringArray[*]')] ["a", "b", "c"]
[field('Microsoft.Test/resourceType/objectArray[*]')] [{ "property": "value1", "nestedArray": [ 1, 2 ] }, { "property": "value2", "nestedArray": [ 3, 4 ] }]
[field('Microsoft.Test/resourceType/objectArray[*].property')] ["value1", "value2"]
[field('Microsoft.Test/resourceType/objectArray[*].nestedArray')] [[ 1, 2 ], [ 3, 4 ]]
[field('Microsoft.Test/resourceType/objectArray[*].nestedArray[*]')] [1, 2, 3, 4]

Count 表达式Count expressions

Count 表达式计算有多少数组成员满足某个条件,并将计数与目标值进行比较。Count expressions count how many array members meet a condition and compare the count to a target value. field 条件相比,Count 对于评估数组而言更直观、更通用。Count is more intuitive and versatile for evaluating arrays compared to field conditions. 语法为:The syntax is:

{
  "count": {
    "field": <[*] alias>,
    "where": <optional policy condition expression>
  },
  "equals|greater|less|any other operator": <target value>
}

在未带有“where”条件的情况下使用时,count 只返回数组的长度。When used without a 'where' condition, count simply returns the length of an array. 在使用上一节中的示例资源内容的情况下,以下 count 表达式的求值结果为 true,因为 stringArray 包含三个成员:With the example resource content from the previous section, the following count expression is evaluated to true since stringArray has three members:

{
  "count": {
    "field": "Microsoft.Test/resourceType/stringArray[*]"
  },
  "equals": 3
}

此行为也适用于嵌套数组。This behavior also works with nested arrays. 例如,以下 count 表达式的求值结果为 true,因为在 nestedArray 数组中有四个数组成员:For example, the following count expression is evaluated to true since there there are four array members in the nestedArray arrays:

{
  "count": {
    "field": "Microsoft.Test/resourceType/objectArray[*].nestedArray[*]"
  },
  "greaterOrEquals": 4
}

count 是在 where 条件中发挥作用的。The power of count is in the where condition. 如果指定了它,Azure Policy 将枚举数组成员,并根据条件评估每个成员,计算有多少个数组成员已评估为 trueWhen it's specified, Azure Policy enumerates the array members and evaluate each against the condition, counting how many array members evaluated to true. 具体而言,在每次 where 条件评估的迭代中,Azure Policy 将选择单个数组成员 i,并根据 where 条件评估资源内容,就像 i 是该数组的唯一成员一样。Specifically, in each iteration of the where condition evaluation, Azure Policy selects a single array member i _ and evaluate the resource content against the where condition _as if *i_ is the only member of the array_*. 在每次迭代中仅有一个数组成员可用,这提供了将复杂条件应用于每一单个数组成员的方法。Having only one array member available in each iteration provides a way to apply complex conditions on each individual array member.

示例:Example:

{
  "count": {
    "field": "Microsoft.Test/resourceType/stringArray[*]",
    "where": {
      "field": "Microsoft.Test/resourceType/stringArray[*]",
      "equals": "a"
    }
  },
  "equals": 1
}

为了对 count 表达式求值,Azure Policy 将评估 where 条件 3 次(每个 stringArray 成员一次),计算它被评估为 true 的次数。In order to evaluate the count expression, Azure Policy evaluates the where condition 3 times, once for each member of stringArray, counting how many times it was evaluated to true. 如果 where 条件引用 Microsoft.Test/resourceType/stringArray[*] 数组成员,而不是选择 stringArray 的所有成员,则它每次只选择单个数组成员:When the where condition refers the the Microsoft.Test/resourceType/stringArray[*] array members, instead of selecting all the members of stringArray, it will only select a single array member every time:

迭代Iteration 所选 Microsoft.Test/resourceType/stringArray[*]Selected Microsoft.Test/resourceType/stringArray[*] values where 求值结果where Evaluation result
11 "a" true
22 "b" false
33 "c" false

因此,count 将返回 1And thus the count will return 1.

下面是一个更复杂的表达式:Here's a more complex expression:

{
  "count": {
    "field": "Microsoft.Test/resourceType/objectArray[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Test/resourceType/objectArray[*].property",
          "equals": "value2"
        },
        {
          "field": "Microsoft.Test/resourceType/objectArray[*].nestedArray[*]",
          "greater": 2
        }
      ]
    }
  },
  "equals": 1
}
迭代Iteration 所选值Selected values where 求值结果where Evaluation result
11 Microsoft.Test/resourceType/objectArray[*].property => "value1"
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1, 2Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1, 2
false
22 Microsoft.Test/resourceType/objectArray[*].property => "value2"
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3, 4Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3, 4
true

因此,count 会返回 1And thus the count returns 1.

根据整个请求内容(包含仅对当前枚举的数组成员进行的更改)对 where 表达式求值意味着,where 条件还可以引用数组之外的字段:The fact that the where expression is evaluated against the entire request content (with changes only to the array member that is currently being enumerated) means that the where condition can also refer to fields outside the array:

{
  "count": {
    "field": "Microsoft.Test/resourceType/objectArray[*]",
    "where": {
      "field": "tags.env",
      "equals": "prod"
    }
  }
}
迭代Iteration 所选值Selected values where 求值结果where Evaluation result
11 tags.env => "prod" true
22 tags.env => "prod" true

还允许使用嵌套 count 表达式:Nested count expressions are also allowed:

{
  "count": {
    "field": "Microsoft.Test/resourceType/objectArray[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Test/resourceType/objectArray[*].property",
          "equals": "value2"
        },
        {
          "count": {
            "field": "Microsoft.Test/resourceType/objectArray[*].nestedArray[*]",
            "where": {
              "field": "Microsoft.Test/resourceType/objectArray[*].nestedArray[*]",
              "equals": 3
            },
            "greater": 0
          }
        }
      ]
    }
  }
}
外部循环迭代Outer Loop Iteration 所选值Selected values 内部循环迭代Inner Loop Iteration 所选值Selected values
11 Microsoft.Test/resourceType/objectArray[*].property => "value1
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1, 2Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1, 2
11 Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1
11 Microsoft.Test/resourceType/objectArray[*].property => "value1
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1, 2Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 1, 2
22 Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 2
22 Microsoft.Test/resourceType/objectArray[*].property => "value2
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3, 4Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3, 4
11 Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3
22 Microsoft.Test/resourceType/objectArray[*].property => "value2
Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3, 4Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 3, 4
22 Microsoft.Test/resourceType/objectArray[*].nestedArray[*] => 4

where 条件内的 field() 函数The field() function inside where conditions

field() 函数在 where 条件内的行为方式基于以下概念:The way field() functions behave when inside a where condition is based on the following concepts:

  1. 数组别名解析为从所有数组成员选择的值的集合。Array aliases are resolved into a collection of values selected from all array members.
  2. 引用数组别名的 field() 函数会返回具有所选值的数组。field() functions referencing array aliases return an array with the selected values.
  3. where 条件内引用计数数组别名将返回一个集合,该集合中包含从当前迭代中评估的数组成员中选择的单个值。Referencing the counted array alias inside the where condition returns a collection with a single value selected from the array member that is evaluated in the current iteration.

此行为意味着,当使用 field() 函数在 where 条件中引用计数数组成员时,它将返回一个具有单个成员的数组。This behavior means that when referring to the counted array member with a field() function inside the where condition, it returns an array with a single member. 虽然这可能并不直观,但它与下面的理念一致:数组别名始终返回所选属性的集合。While this may not be intuitive, it's consistent with the idea that array aliases always return a collection of selected properties. 下面是一个示例:Here's an example:

{
  "count": {
    "field": "Microsoft.Test/resourceType/stringArray[*]",
    "where": {
      "field": "Microsoft.Test/resourceType/stringArray[*]",
      "equals": "[field('Microsoft.Test/resourceType/stringArray[*]')]"
    }
  },
  "equals": 0
}
迭代Iteration 表达式值Expression values where 求值结果where Evaluation result
11 Microsoft.Test/resourceType/stringArray[*] => "a"
[field('Microsoft.Test/resourceType/stringArray[*]')] => [ "a" ]
false
22 Microsoft.Test/resourceType/stringArray[*] => "b"
[field('Microsoft.Test/resourceType/stringArray[*]')] => [ "b" ]
false
33 Microsoft.Test/resourceType/stringArray[*] => "c"
[field('Microsoft.Test/resourceType/stringArray[*]')] => [ "c" ]
false

因此,当需要使用 field() 函数访问计数数组别名的值时,执行此操作的方法是使用 first() 模板函数来包装它:Therefore, when there's a need to access the value of the counted array alias with a field() function, the way to do so is to wrap the it with a first() template function:

{
  "count": {
    "field": "Microsoft.Test/resourceType/stringArray[*]",
    "where": {
      "field": "Microsoft.Test/resourceType/stringArray[*]",
      "equals": "[first(field('Microsoft.Test/resourceType/stringArray[*]'))]"
    }
  }
}
迭代Iteration 表达式值Expression values where 求值结果where Evaluation result
11 Microsoft.Test/resourceType/stringArray[*] => "a"
[first(field('Microsoft.Test/resourceType/stringArray[*]'))] => "a"
true
22 Microsoft.Test/resourceType/stringArray[*] => "b"
[first(field('Microsoft.Test/resourceType/stringArray[*]'))] => "b"
true
33 Microsoft.Test/resourceType/stringArray[*] => "c"
[first(field('Microsoft.Test/resourceType/stringArray[*]'))] => "c"
true

如需有用的示例,请参阅 Count 示例For useful examples, see Count examples.

修改数组Modifying arrays

创建或更新期间,追加修改操作会更改资源的属性。The append and modify alter properties on a resource during creation or update. 使用数组属性时,这些效果的行为取决于操作是否尝试修改 [*] 别名:When working with array properties, the behavior of these effects depends on whether the operation is trying to modify the [*] alias or not:

备注

目前,预览版中可使用 modify 效果和别名。Using the modify effect with aliases is currently in preview.

AliasAlias 效果Effect 业务成效Outcome
Microsoft.Storage/storageAccounts/networkAcls.ipRules append 如果丢失,Azure Policy 将追加效果详细信息中指定的整个数组。Azure Policy appends the entire array specified in the effect details if missing.
Microsoft.Storage/storageAccounts/networkAcls.ipRules 使用 add 操作 modifymodify with add operation 如果丢失,Azure Policy 将追加效果详细信息中指定的整个数组。Azure Policy appends the entire array specified in the effect details if missing.
Microsoft.Storage/storageAccounts/networkAcls.ipRules 使用 addOrReplace 操作 modifymodify with addOrReplace operation 如果缺失,Azure Policy 将追加效果详细信息中指定的整个数组,或替换现有数组。Azure Policy appends the entire array specified in the effect details if missing or replaces the existing array.
Microsoft.Storage/storageAccounts/networkAcls.ipRules[*] append Azure Policy 将追加效果详细信息中指定的数组成员。Azure Policy appends the array member specified in the effect details.
Microsoft.Storage/storageAccounts/networkAcls.ipRules[*] 使用 add 操作 modifymodify with add operation Azure Policy 将追加效果详细信息中指定的数组成员。Azure Policy appends the array member specified in the effect details.
Microsoft.Storage/storageAccounts/networkAcls.ipRules[*] 使用 addOrReplace 操作 modifymodify with addOrReplace operation Azure Policy 删除所有现有的数组成员,并追加效果详细信息中指定的数组成员。Azure Policy removes all existing array members and appends the array member specified in the effect details.
Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].action append Azure Policy 为每个数组成员的 action 属性追加一个值。Azure Policy appends a value to the action property of each array member.
Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].action 使用 add 操作 modifymodify with add operation Azure Policy 为每个数组成员的 action 属性追加一个值。Azure Policy appends a value to the action property of each array member.
Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].action 使用 addOrReplace 操作 modifymodify with addOrReplace operation Azure Policy 追加或替换每个数组成员的现有 action 属性。Azure Policy appends or replaces the existing action property of each array member.

有关详细信息,请参阅追加示例For more information, see the append examples.

后续步骤Next steps