Azure Policy pattern: group policy definitions

An initiative is a group of policy definitions. By grouping related policy definitions into a single object, you can create a single assignment in place of what would otherwise be multiple assignments.

Sample initiative definition

This initiative deploys two policy definitions, each of which takes the tagName and tagValue parameters. The initiative itself has two parameters: costCenterValue and productNameValue. Each of these initiative parameters is passed to each of the grouped policy definitions. This design maximizes reuse of the existing policy definitions while limiting the number of assignments needed to implement them.

{
   "properties": {
       "displayName": "Billing Tags Policy Initiative",
       "description": "Specify cost Center tag and product name tag",
       "parameters": {
           "costCenterValue": {
               "type": "String",
               "metadata": {
                   "displayName": "required value for Cost Center tag"
               }
           },
           "productNameValue": {
               "type": "String",
               "metadata": {
                   "displayName": "required value for product Name tag"
               }
           }
       },
       "policyDefinitions": [{
               "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
               "parameters": {
                   "tagName": {
                       "value": "costCenter"
                   },
                   "tagValue": {
                       "value": "[parameters('costCenterValue')]"
                   }
               }
           },
           {
               "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
               "parameters": {
                   "tagName": {
                       "value": "costCenter"
                   },
                   "tagValue": {
                       "value": "[parameters('costCenterValue')]"
                   }
               }
           },
           {
               "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
               "parameters": {
                   "tagName": {
                       "value": "productName"
                   },
                   "tagValue": {
                       "value": "[parameters('productNameValue')]"
                   }
               }
           },
           {
               "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
               "parameters": {
                   "tagName": {
                       "value": "productName"
                   },
                   "tagValue": {
                       "value": "[parameters('productNameValue')]"
                   }
               }
           }
       ]
   }
}

Explanation

Initiative parameters

An initiative can define its own parameters, which are then passed to the grouped policy definitions. In this example, both costCenterValue and productNameValue are defined as initiative parameters. The values are provided when the initiative is assigned.

"parameters": {
   "costCenterValue": {
       "type": "String",
       "metadata": {
           "displayName": "required value for Cost Center tag"
       }
   },
   "productNameValue": {
       "type": "String",
       "metadata": {
           "displayName": "required value for product Name tag"
       }
   }
},

Includes policy definitions

Each included policy definition must provide the policyDefinitionId and, if the policy definition accepts parameters, a parameters array. In the snippet below, the included policy definition takes two parameters: tagName and tagValue. tagName is defined with a literal, but tagValue uses the parameter costCenterValue defined by the initiative. This passthrough of values improves reuse.

{
   "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
   "parameters": {
       "tagName": {
           "value": "costCenter"
       },
       "tagValue": {
           "value": "[parameters('costCenterValue')]"
       }
   }
},
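
The passthrough above depends on every [parameters('...')] reference naming a parameter that the initiative itself declares. The Python check below is an added example, not part of the original page or of any Azure tooling; check_passthrough and SAMPLE are hypothetical names, and SAMPLE is a trimmed copy of the sample initiative (two of its four entries).

```python
import json
import re

# Matches an initiative parameter reference such as [parameters('costCenterValue')]
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

def check_passthrough(initiative):
    """Return (undeclared, unused): names referenced by grouped policy
    definitions but not declared, and names declared but never referenced."""
    props = initiative["properties"]
    declared = set(props.get("parameters", {}))
    referenced = set()
    for member in props.get("policyDefinitions", []):
        for arg in member.get("parameters", {}).values():
            value = arg.get("value")
            if isinstance(value, str):  # literals such as "costCenter" yield no match
                referenced.update(PARAM_REF.findall(value))
    return sorted(referenced - declared), sorted(declared - referenced)

# Constructed input: trimmed copy of the sample initiative on this page.
SAMPLE = json.loads("""
{
  "properties": {
    "parameters": {
      "costCenterValue": {"type": "String"},
      "productNameValue": {"type": "String"}
    },
    "policyDefinitions": [
      {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
       "parameters": {"tagName": {"value": "costCenter"},
                      "tagValue": {"value": "[parameters('costCenterValue')]"}}},
      {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
       "parameters": {"tagName": {"value": "productName"},
                      "tagValue": {"value": "[parameters('productNameValue')]"}}}
    ]
  }
}
""")

if __name__ == "__main__":
    undeclared, unused = check_passthrough(SAMPLE)
    print("undeclared references:", undeclared)
    print("unused initiative parameters:", unused)
```

An empty undeclared list means every grouped definition receives a value the initiative can supply at assignment time; a non-empty unused list points to an initiative parameter that no grouped definition consumes.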
