Azure Policy pattern: effects

Azure Policy has a number of effects that determine how the service reacts to non-compliant resources. Some effects are simple and require no additional properties in the policy definition, while others require several properties.

Sample 1: Simple effect

This policy definition checks whether the tag named in parameter tagName exists on the evaluated resource. If the tag doesn't yet exist, the modify effect is triggered to add the tag with the value in parameter tagValue.

{
   "properties": {
       "displayName": "Add a tag to resource groups",
       "policyType": "BuiltIn",
       "mode": "All",
       "description": "Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
       "metadata": {
           "version": "1.0.0",
           "category": "Tags"
       },
       "parameters": {
           "tagName": {
               "type": "String",
               "metadata": {
                   "displayName": "Tag Name",
                   "description": "Name of the tag, such as 'environment'"
               }
           },
           "tagValue": {
               "type": "String",
               "metadata": {
                   "displayName": "Tag Value",
                   "description": "Value of the tag, such as 'production'"
               }
           }
       },
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "type",
                       "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                   },
                   {
                       "field": "[concat('tags[', parameters('tagName'), ']')]",
                       "exists": "false"
                   }
               ]
           },
           "then": {
               "effect": "modify",
               "details": {
                   "roleDefinitionIds": [
                       "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                   ],
                   "operations": [{
                       "operation": "add",
                       "field": "[concat('tags[', parameters('tagName'), ']')]",
                       "value": "[parameters('tagValue')]"
                   }]
               }
           }
       }
   }
}

Sample 1: Explanation

"then": {
    "effect": "modify",
    "details": {
        "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [{
            "operation": "add",
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[parameters('tagValue')]"
        }]
    }
}

A modify effect requires the policyRule.then.details block, which defines roleDefinitionIds and operations. These properties tell Azure Policy which roles are needed to add the tag and remediate the resource, and which modify operation to use. In this example, the add operation, together with the two parameters, is used to set the tag and its value.

Sample 2: Complex effect

This policy definition audits each virtual machine on which an extension, identified by the parameters publisher and type, doesn't exist. It uses auditIfNotExists to check a resource related to the virtual machine and determine whether an instance exists that matches the defined parameters. This example checks the extensions type.

{
   "type": "Microsoft.Authorization/policyDefinitions",
   "name": "audit-vm-extension",
   "properties": {
       "displayName": "Audit if extension does not exist",
       "description": "This policy audits if a required extension doesn't exist.",
       "parameters": {
           "publisher": {
               "type": "String",
               "metadata": {
                   "description": "The publisher of the extension",
                   "displayName": "Extension Publisher"
               }
           },
           "type": {
               "type": "String",
               "metadata": {
                   "description": "The type of the extension",
                   "displayName": "Extension Type"
               }
           }
       },
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "type",
                       "equals": "Microsoft.Compute/virtualMachines"
                   },
                   {
                       "field": "Microsoft.Compute/imagePublisher",
                       "in": [
                           "MicrosoftWindowsServer"
                       ]
                   },
                   {
                       "field": "Microsoft.Compute/imageOffer",
                       "in": [
                           "WindowsServer"
                       ]
                   }
               ]
           },
           "then": {
               "effect": "auditIfNotExists",
               "details": {
                   "type": "Microsoft.Compute/virtualMachines/extensions",
                   "existenceCondition": {
                       "allOf": [{
                               "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                               "equals": "[parameters('publisher')]"
                           },
                           {
                               "field": "Microsoft.Compute/virtualMachines/extensions/type",
                               "equals": "[parameters('type')]"
                           }
                       ]
                   }
               }
           }
       }
   }
}

Sample 2: Explanation

"details": {
   "type": "Microsoft.Compute/virtualMachines/extensions",
   "existenceCondition": {
       "allOf": [{
               "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
               "equals": "[parameters('publisher')]"
           },
           {
               "field": "Microsoft.Compute/virtualMachines/extensions/type",
               "equals": "[parameters('type')]"
           }
       ]
   }
}

An auditIfNotExists effect requires the policyRule.then.details block to define both the type of related resource to look for and the existenceCondition it must satisfy. The existenceCondition uses policy language elements, such as logical operators, to determine whether a matching related resource exists. In this example, the values checked against each alias are defined in parameters.
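To make the two effects concrete, here is an added mini-evaluator (not Azure Policy's engine, and not code from the page) that runs both sample rules over constructed resources: the modify rule adds the tag only when a resource group lacks it and never overwrites an existing value, while the auditIfNotExists rule reports a VM as non-compliant only when no related extension satisfies the existenceCondition. It assumes a simplified resource shape (aliases other than type and tags[...] are looked up under a 'props' key), supports only the parameters() and concat(...) expressions these samples use, and omits the image publisher/offer filters from sample 2.

```python
import re

def resolve(expr, params):
    """Resolve the two parameter expressions used on this page (assumed subset of the language)."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", expr)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]", expr)
    return f"tags[{params[m.group(1)]}]" if m else expr

def field_value(res, field):
    if field == "type": return res.get("type")
    if field.startswith("tags["): return res.get("tags", {}).get(field[5:-1])
    return res.get("props", {}).get(field)  # other aliases: assumed flattened under 'props'

def matches(cond, res, params):
    """Evaluate an allOf / equals / exists condition against one resource."""
    if "allOf" in cond:
        return all(matches(c, res, params) for c in cond["allOf"])
    val = field_value(res, resolve(cond["field"], params))
    if "exists" in cond: return (val is not None) == (cond["exists"] == "true")
    return val == resolve(cond["equals"], params)

def apply_modify(rule, params, res):
    """Sample 1: add the tag only when the 'if' matches; returns (resource, changed)."""
    if not matches(rule["if"], res, params):
        return res, False
    out = dict(res, tags=dict(res.get("tags", {})))   # copy; an existing value is never overwritten
    for op in rule["then"]["details"]["operations"]:  # only the 'add' operation is modelled
        out["tags"][resolve(op["field"], params)[5:-1]] = resolve(op["value"], params)
    return out, True

def audit_if_not_exists(rule, params, vm, related):
    """Sample 2: True means non-compliant (VM in scope, no related resource meets existenceCondition)."""
    if not matches(rule["if"], vm, params):
        return False                                   # out of scope: not evaluated at all
    d = rule["then"]["details"]
    return not any(r["type"] == d["type"] and matches(d["existenceCondition"], r, params) for r in related)

TAG = "[concat('tags[', parameters('tagName'), ']')]"
MODIFY_RULE = {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
                                {"field": TAG, "exists": "false"}]},
               "then": {"effect": "modify", "details": {"operations": [
                   {"operation": "add", "field": TAG, "value": "[parameters('tagValue')]"}]}}}
EXT = "Microsoft.Compute/virtualMachines/extensions"
AUDIT_RULE = {"if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
              "then": {"effect": "auditIfNotExists", "details": {"type": EXT, "existenceCondition": {"allOf": [
                  {"field": EXT + "/publisher", "equals": "[parameters('publisher')]"},
                  {"field": EXT + "/type", "equals": "[parameters('type')]"}]}}}}
```

Note that a VM outside the rule's scope is reported as compliant, not as non-compliant: the effect is only evaluated when the if block matches, which is why scoping conditions deserve as much review as the existenceCondition itself.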
