Azure Policy 模式:效果

Azure Policy 有很多效果,这些效果决定了服务对不合规资源的反应。 某些效果很简单,并且在策略定义中无需其他属性,而另一些效果则需要多个属性。

示例 1:简单效果

此策略定义检查评估的资源上是否存在参数 tagName 中定义的标记。 如果标记尚不存在,则会触发 modify 效果,添加一个使用参数 tagValue 中的值的标记。

{
    "properties": {
        "displayName": "Add a tag to resource groups",
        "policyType": "BuiltIn",
        "mode": "All",
        "description": "Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
        "metadata": {
            "version": "1.0.0",
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "exists": "false"
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "add",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[parameters('tagValue')]"
                    }]
                }
            }
        }
    }
}

示例 1:说明

"effect": "modify",
"details": {
    "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
    ],
    "operations": [{
        "operation": "add",
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "value": "[parameters('tagValue')]"
    }]
}

modify 效果需要 policyRule.then.details 块,该块定义 roleDefinitionIds 和 operations 。 这些参数会告知 Azure Policy 需要哪些角色才能添加标记和修正资源,以及要使用哪些“修改”操作。 在此示例中,“add”和“operation”等参数用于设置标记和值。

示例 2:复杂效果

此策略定义会审核每个虚拟机中是否存在参数 publishertype 中定义的扩展不存在的情况。 它使用 auditIfNotExists 检查与虚拟机相关的资源,看是否存在与定义的参数匹配的实例。 此示例检查“扩展” 类型。

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "audit-vm-extension",
    "properties": {
        "displayName": "Audit if extension does not exist",
        "description": "This policy audits if a required extension doesn't exist.",
        "parameters": {
            "publisher": {
                "type": "String",
                "metadata": {
                    "description": "The publisher of the extension",
                    "displayName": "Extension Publisher"
                }
            },
            "type": {
                "type": "String",
                "metadata": {
                    "description": "The type of the extension",
                    "displayName": "Extension Type"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Compute/virtualMachines"
                    },
                    {
                        "field": "Microsoft.Compute/imagePublisher",
                        "in": [
                            "MicrosoftWindowsServer"
                        ]
                    },
                    {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                            "WindowsServer"
                        ]
                    }
                ]
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "existenceCondition": {
                        "allOf": [{
                                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                                "equals": "[parameters('publisher')]"
                            },
                            {
                                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                                "equals": "[parameters('type')]"
                            }
                        ]
                    }
                }
            }
        }
    }
}

示例 2:说明

"details": {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "existenceCondition": {
        "allOf": [{
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "[parameters('publisher')]"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "[parameters('type')]"
            }
        ]
    }
}

auditIfNotExists 效果需要 policyRule.then.details 块来定义要查找的 typeexistenceCondition。 existenceCondition 使用策略语言元素(如逻辑运算符)来确定是否存在匹配的相关资源。 在此示例中,对照每个别名检查的值在参数中定义。

后续步骤