Azure Policy pattern: deploy resources

The deployIfNotExists effect makes it possible to deploy an Azure Resource Manager template when a resource that isn't compliant is created or updated. This approach can be preferable to the deny effect: the resource is still created, and the policy makes the additional changes needed to bring it into compliance.

Sample policy definition

This policy definition uses the field operator to evaluate the type of the resource being created or updated. When that resource is a Microsoft.Network/virtualNetworks, the policy looks for a network watcher in the location of the new or updated resource. If no matching network watcher is found, the Resource Manager template is deployed to create the missing resource.

{
   "properties": {
       "displayName": "Deploy network watcher when virtual networks are created",
       "mode": "Indexed",
       "description": "This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.",
       "metadata": {
           "category": "Network"
       },
       "parameters": {},
       "policyRule": {
           "if": {
               "field": "type",
               "equals": "Microsoft.Network/virtualNetworks"
           },
           "then": {
               "effect": "DeployIfNotExists",
               "details": {
                   "type": "Microsoft.Network/networkWatchers",
                   "resourceGroupName": "networkWatcherRG",
                   "existenceCondition": {
                       "field": "location",
                       "equals": "[field('location')]"
                   },
                   "roleDefinitionIds": [
                       "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
                   ],
                   "deployment": {
                       "properties": {
                           "mode": "incremental",
                           "template": {
                               "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                               "contentVersion": "1.0.0.0",
                               "parameters": {
                                   "location": {
                                       "type": "string"
                                   }
                               },
                               "resources": [{
                                   "apiVersion": "2016-09-01",
                                   "type": "Microsoft.Network/networkWatchers",
                                    "name": "[concat('networkWatcher_', parameters('location'))]",
                                   "location": "[parameters('location')]"
                               }]
                           },
                           "parameters": {
                               "location": {
                                   "value": "[field('location')]"
                               }
                           }
                       }
                   }
               }
           }
       }
   }
}

Explanation

existenceCondition

"type": "Microsoft.Network/networkWatchers",
"resourceGroupName": "networkWatcherRG",
"existenceCondition": {
   "field": "location",
   "equals": "[field('location')]"
},

The properties.policyRule.then.details block tells Azure Policy what to look for in relation to the resource matched by the properties.policyRule.if block. In this example, a network watcher must exist in the resource group networkWatcherRG whose location field equals the location of the new or updated virtual network. The field() function lets the existenceCondition read properties of the new or updated resource, here specifically its location property.

roleDefinitionIds

"roleDefinitionIds": [
   "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
],

The roleDefinitionIds array in the properties.policyRule.then.details block tells the policy definition which rights the managed identity needs in order to deploy the included Resource Manager template. This property must include roles that carry the permissions the template deployment requires, but it should follow the principle of least privilege: grant only the operations that are needed and nothing more. The role definition ID listed in this example is the built-in Network Contributor role.

Deployment template

The deployment portion of the policy definition has a properties block that defines three core components:

  • mode - This property sets the deployment mode of the template.

  • template - This property contains the template itself. In this example, the location template parameter sets the location of the new network watcher resource.

    "template": {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "location": {
                "type": "string"
            }
        },
        "resources": [{
            "apiVersion": "2016-09-01",
            "type": "Microsoft.Network/networkWatchers",
            "name": "[concat('networkWatcher_', parameters('location'))]",
            "location": "[parameters('location')]"
        }]
    },

  • parameters - This property defines the parameters passed to the template. The parameter names must match those declared in the template; in this example the parameter is named location to match. The value of location again uses the field() function to read the value from the evaluated resource, which is the virtual network matched by the policyRule.if block.

    "parameters": {
        "location": {
            "value": "[field('location')]"
        }
    }

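The following script is an added example, not part of this page or of Azure's own evaluation engine. It simulates how the deployIfNotExists rule above is evaluated offline: the if condition is tested against a resource, [field('location')] references are resolved, the existenceCondition is checked against an inventory of resources in networkWatcherRG, and the deployment parameters are resolved when a watcher is missing. It also lints the definition for the requirements stated above (non-empty roleDefinitionIds, a present existenceCondition, and deployment parameter names that match the template's declared parameters). The policy is a trimmed copy of the one on this page; the resources, resource group names and the broken_variant function are constructed for the example.

```python
"""Offline simulator for the deployIfNotExists rule on this page (added example,
not Azure's evaluation engine). It models only the policy-language features the
sample uses: a field/equals condition, [field('x')] references and an
existenceCondition scoped to a named resource group. All data is constructed."""
import copy
import re

FIELD_REF = re.compile(r"^\[field\('([^']+)'\)\]$")

# Trimmed copy of the page's policy definition: only the members read below.
POLICY = {"properties": {"policyRule": {
    "if": {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
    "then": {"effect": "DeployIfNotExists", "details": {
        "type": "Microsoft.Network/networkWatchers",
        "resourceGroupName": "networkWatcherRG",
        "existenceCondition": {"field": "location", "equals": "[field('location')]"},
        "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"],
        "deployment": {"properties": {
            "mode": "incremental",
            "template": {"parameters": {"location": {"type": "string"}}},
            "parameters": {"location": {"value": "[field('location')]"}}}}}}}}}

# Constructed inventory: a watcher already exists in westus, none in eastus.
EXISTING = [{"type": "Microsoft.Network/networkWatchers",
             "resourceGroup": "networkWatcherRG", "location": "westus"}]
VNET_EASTUS = {"type": "Microsoft.Network/virtualNetworks", "resourceGroup": "app-rg", "location": "eastus"}
VNET_WESTUS = {"type": "Microsoft.Network/virtualNetworks", "resourceGroup": "app-rg", "location": "westus"}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "resourceGroup": "app-rg", "location": "eastus"}


def resolve(value, evaluated):
    """Resolve a [field('x')] expression against the evaluated resource; other values pass through."""
    m = FIELD_REF.match(value) if isinstance(value, str) else None
    return evaluated[m.group(1)] if m else value


def matches(condition, resource, evaluated):
    """field/equals test, case-insensitive like the policy language; field() references
    are resolved against `evaluated`, the resource that triggered the rule."""
    expected = resolve(condition["equals"], evaluated)
    actual = resource.get(condition["field"])
    return str(actual).lower() == str(expected).lower()


def lint(policy):
    """Structural checks for the requirements the page states: rights for the managed
    identity, an existenceCondition, and deployment parameters matching the template."""
    findings = []
    details = policy["properties"]["policyRule"]["then"]["details"]
    if not details.get("roleDefinitionIds"):
        findings.append("roleDefinitionIds is empty: the managed identity cannot deploy the template")
    if "existenceCondition" not in details:
        findings.append("no existenceCondition: the template would be deployed on every evaluation")
    dep = details["deployment"]["properties"]
    declared = dep["template"].get("parameters", {})
    supplied = dep.get("parameters", {})
    for name in supplied.keys() - declared.keys():
        findings.append(f"deployment parameter '{name}' is not declared by the template")
    for name in declared.keys() - supplied.keys():
        if "defaultValue" not in declared[name]:
            findings.append(f"template parameter '{name}' has no value and no defaultValue")
    return findings


def evaluate(policy, resource, existing):
    """Return ('not-applicable' | 'compliant' | 'deploy', resolved deployment parameters)."""
    rule = policy["properties"]["policyRule"]
    if not matches(rule["if"], resource, resource):
        return "not-applicable", {}
    details = rule["then"]["details"]
    found = any(
        r["type"].lower() == details["type"].lower()
        and r["resourceGroup"].lower() == details["resourceGroupName"].lower()
        and matches(details["existenceCondition"], r, resource)
        for r in existing)
    if found:
        return "compliant", {}
    params = {name: resolve(p["value"], resource)
              for name, p in details["deployment"]["properties"]["parameters"].items()}
    return "deploy", params


def broken_variant(policy):
    """Constructed copy of the policy with two common mistakes: no rights granted and a
    deployment parameter name that does not match the template's declaration."""
    bad = copy.deepcopy(policy)
    details = bad["properties"]["policyRule"]["then"]["details"]
    details["roleDefinitionIds"] = []
    props = details["deployment"]["properties"]
    props["parameters"] = {"region": props["parameters"]["location"]}
    return bad


if __name__ == "__main__":
    for res in (VNET_EASTUS, VNET_WESTUS, STORAGE):
        print(res["type"], res["location"], "->", evaluate(POLICY, res, EXISTING))
    for finding in lint(broken_variant(POLICY)):
        print("finding:", finding)
```

Run stand-alone, the script reports that the eastus virtual network triggers a deployment with location resolved to eastus, the westus one is already compliant, and the storage account is not matched by the if block; the broken variant produces three lint findings. The lint checks are the ones worth wiring into a review pipeline for policy definitions before assignment: a mismatched parameter name fails the deployment at evaluation time, and an empty roleDefinitionIds leaves the assignment's managed identity without the rights to remediate.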

Next steps