Azure Policy pattern: field properties

The field operator evaluates the specified property or alias against the value supplied for a given condition.

Sample policy definition

This policy definition lets you define the allowed regions that meet your organization's geo-location requirements. The allowed locations are defined in the parameter listOfAllowedLocations (an array). Resources that match the rule's condition are denied.

{
   "properties": {
       "displayName": "Allowed locations",
       "policyType": "BuiltIn",
       "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
       "mode": "Indexed",
       "parameters": {
           "listOfAllowedLocations": {
               "type": "Array",
               "metadata": {
                   "description": "The list of locations that can be specified when deploying resources.",
                   "strongType": "location",
                   "displayName": "Allowed locations"
               }
           }
       },
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "location",
                       "notIn": "[parameters('listOfAllowedLocations')]"
                   },
                   {
                       "field": "location",
                       "notEquals": "global"
                   },
                   {
                       "field": "type",
                       "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
                   }
               ]
           },
           "then": {
               "effect": "Deny"
           }
       }
   }
}

Explanation

"policyRule": {
    "if": {
        "allOf": [{
                "field": "location",
                "notIn": "[parameters('listOfAllowedLocations')]"
            },
            {
                "field": "location",
                "notEquals": "global"
            },
            {
                "field": "type",
                "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
            }
        ]
    },
    "then": {
        "effect": "Deny"
    }
}

The field operator is used three times inside the allOf logical operator.

  • The first use evaluates the location property with the notIn condition against the listOfAllowedLocations parameter. notIn is the right condition here because it expects an array, and the parameter is an array. If the location of the created or updated resource isn't in the approved list, this element evaluates to true.
  • The second use also evaluates the location property, but with the notEquals condition, to check whether the resource is global. If the location of the created or updated resource isn't global, this element evaluates to true.
  • The last use evaluates the type property with the notEquals condition to verify that the resource type isn't Microsoft.AzureActiveDirectory/b2cDirectories. If it isn't, this element evaluates to true.

If all three condition statements in the allOf logical operator evaluate to true, Azure Policy blocks the resource creation or update. If any one of them is false (the location is allowed, the resource is global, or it is a B2C directory), the rule does not match and the request is not denied.
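The following is an added example, not code from the original page or from Azure Policy's own engine: a minimal evaluator that takes the policyRule shown above together with a parameter value (as an assignment would supply it) and reports which constructed sample resources the rule would deny. It implements only the operators the page uses (field, allOf, notIn, notEquals, plus equals/in/anyOf/not for symmetry), compares strings case-insensitively as Azure Policy string conditions do, and treats a missing property as an empty value. The resource names, regions in listOfAllowedLocations and resource types in SAMPLE_RESOURCES are hypothetical; policy mode (Indexed vs. All) is outside the scope of this evaluator.

```python
"""Minimal evaluator for the 'Allowed locations' policyRule on this page.

Added example, not Azure Policy's engine. Shows how the three field
conditions inside allOf combine to decide the Deny effect.
"""
import re

# Constructed input: the policyRule exactly as shown on the page.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
            {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
        ]
    },
    "then": {"effect": "Deny"},
}

# Hypothetical parameter value an assignment would supply.
ASSIGNMENT_PARAMETERS = {"listOfAllowedLocations": ["eastus", "westeurope"]}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, parameters):
    """Substitute a "[parameters('name')]" template expression with the assigned value."""
    if isinstance(value, str):
        match = _PARAM_REF.match(value)
        if match:
            return parameters[match.group(1)]
    return value


def _norm(value):
    # Azure Policy string conditions are case-insensitive, so compare lower-cased.
    return value.lower() if isinstance(value, str) else value


def evaluate(condition, resource, parameters):
    """Return True when the condition matches the resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource, parameters) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, parameters) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource, parameters)

    # A missing property is treated as an empty value (assumption of this example).
    actual = _norm(resource.get(condition["field"]))
    if "equals" in condition:
        return actual == _norm(resolve(condition["equals"], parameters))
    if "notEquals" in condition:
        return actual != _norm(resolve(condition["notEquals"], parameters))
    if "in" in condition:
        return actual in [_norm(v) for v in resolve(condition["in"], parameters)]
    if "notIn" in condition:
        return actual not in [_norm(v) for v in resolve(condition["notIn"], parameters)]
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(resource, rule=POLICY_RULE, parameters=ASSIGNMENT_PARAMETERS):
    """The 'then' effect if the 'if' block matches, otherwise None (no action)."""
    if evaluate(rule["if"], resource, parameters):
        return rule["then"]["effect"]
    return None


# Constructed sample resources (hypothetical) exercising each branch of allOf.
SAMPLE_RESOURCES = {
    "vm-in-allowed-region": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    "vm-case-variant": {"type": "Microsoft.Compute/virtualMachines", "location": "EastUS"},
    "vm-in-blocked-region": {"type": "Microsoft.Compute/virtualMachines", "location": "southeastasia"},
    "traffic-manager-global": {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
    "b2c-tenant-anywhere": {"type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "europe"},
}


def audit(resources=SAMPLE_RESOURCES):
    """Map each resource name to the effect the rule would apply."""
    return {name: effect_for(res) for name, res in resources.items()}


if __name__ == "__main__":
    for name, effect in audit().items():
        print(f"{name:24s} -> {effect or 'allowed'}")
```

Only vm-in-blocked-region is denied: the allowed-region VM fails the notIn check (even with different casing), the global resource fails the second notEquals, and the B2C directory fails the third, so allOf is false for each of them and no effect is applied.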

Next steps