Azure Policy pattern: logical operators

A policy definition can contain several conditional statements. You might need every statement to be true, or only some of them. To support these needs, the language has the logical operators not, allOf, and anyOf. They're optional and can be nested to create complex scenarios.

Sample 1: One logical operator

This policy definition evaluates CosmosDB accounts to see whether automatic failover and multiple write locations are configured. When neither is configured, the audit effect triggers and creates a log entry whenever the non-compliant resource is created or updated.

{
 "properties": {
   "mode": "all",
   "displayName": "Audit Automatic Failover for CosmosDB accounts",
   "description": "This policy audits Automatic Failover for CosmosDB accounts",
   "policyRule": {
     "if": {
       "allOf": [{
           "field": "type",
           "equals": "Microsoft.DocumentDB/databaseAccounts"
         },
         {
           "field": "Microsoft.DocumentDB/databaseAccounts/enableAutomaticFailover",
           "equals": "false"
         },
         {
           "field": "Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations",
           "equals": "false"
         }
       ]
     },
     "then": {
       "effect": "audit"
     }
   },
   "parameters": {},
   "metadata": {}
 }
}

Sample 1: Explanation

"policyRule": {
 "if": {
   "allOf": [{
       "field": "type",
       "equals": "Microsoft.DocumentDB/databaseAccounts"
     },
     {
       "field": "Microsoft.DocumentDB/databaseAccounts/enableAutomaticFailover",
       "equals": "false"
     },
     {
       "field": "Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations",
       "equals": "false"
     }
   ]
 },
 "then": {

The policyRule.if block uses a single allOf to ensure that all three conditions are true: the resource is a databaseAccount, enableAutomaticFailover is false, and enableMultipleWriteLocations is false. The audit effect triggers only when every one of these conditions evaluates to true.

Sample 2: Multiple logical operators

This policy definition evaluates resources against a set of naming patterns. If a resource's name matches none of them, the resource is denied.

{
   "properties": {
       "displayName": "Match multiple name patterns.",
       "description": "Allows one of multiple naming patterns for resources.",
       "mode": "Indexed",
       "policyRule": {
           "if": {
               "allOf": [{
                       "not": {
                           "field": "name",
                           "match": "contoso??????"
                       }
                   },
                   {
                       "not": {
                           "field": "name",
                           "match": "contoso-???-##"
                       }
                   }
               ]
           },
           "then": {
               "effect": "deny"
           }
       }
   }
}

Sample 2: Explanation

"if": {
   "allOf": [{
           "not": {
               "field": "name",
               "match": "contoso??????"
           }
       },
       {
           "not": {
               "field": "name",
               "match": "contoso-???-##"
           }
       }
   ]
},

This policyRule.if block also includes a single allOf, but each condition is wrapped in the not logical operator. The conditional inside each not evaluates first, and the not then inverts that result to decide whether the clause is true or false. Because both clauses sit inside an allOf, the policy effect triggers only when both not operators evaluate to true, that is, when the name matches neither pattern. In a match pattern, ? stands for a single letter and # for a single digit, so "contoso??????" allows contoso followed by six letters and "contoso-???-##" allows contoso-, three letters, a hyphen and two digits.

Sample 3: Combining logical operators

This policy definition evaluates Azure Spring Cloud instances (resource type Microsoft.AppPlatform/Spring) to see whether tracing either isn't enabled or isn't in a successful state.

{
   "properties": {
       "displayName": "Audit Azure Spring Cloud instances where distributed tracing is not enabled",
       "description": "Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state.",
       "mode": "Indexed",
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "type",
                       "equals": "Microsoft.AppPlatform/Spring"
                   },
                   {
                       "anyOf": [{
                               "field": "Microsoft.AppPlatform/Spring/trace.enabled",
                               "notEquals": "true"
                           },
                           {
                               "field": "Microsoft.AppPlatform/Spring/trace.state",
                               "notEquals": "Succeeded"
                           }
                       ]
                   }
               ]
           },
           "then": {
               "effect": "audit"
           }
       }
   }
}

Sample 3: Explanation

"policyRule": {
   "if": {
       "allOf": [{
               "field": "type",
               "equals": "Microsoft.AppPlatform/Spring"
           },
           {
               "anyOf": [{
                       "field": "Microsoft.AppPlatform/Spring/trace.enabled",
                       "notEquals": "true"
                   },
                   {
                       "field": "Microsoft.AppPlatform/Spring/trace.state",
                       "notEquals": "Succeeded"
                   }
               ]
           }
       ]
   },
   "then": {
       "effect": "audit"
   }
}

This policyRule.if block includes both the allOf and anyOf logical operators. The anyOf evaluates to true as long as at least one of its conditions is true. Because the type condition is a member of the allOf, it must always evaluate to true. The policy effect triggers when the type matches and at least one of the conditions inside the anyOf is true: tracing is not enabled, or its state is anything other than Succeeded.
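To see how the three samples above combine allOf, anyOf and not, the following added example (not code from the original page, and not Azure's policy engine) implements a toy evaluator for the policyRule.if block and runs each sample rule over constructed resources. It models resources as flat dicts keyed by the same alias strings the samples use, treats a property the resource does not set as None, and implements the match wildcards as documented for Azure Policy (# one digit, ? one letter, . any single character, other characters literal). The None handling is an assumption of this model that is worth confirming against the service for your own policies: it makes Sample 1's equals "false" miss a CosmosDB account that never sets the flag, while Sample 3's notEquals "true" still catches a Spring instance with no trace property at all.

```python
import re

# Added example, not code from the original page or from Azure's policy engine.
# Covers the operators the three samples use: allOf / anyOf / not and the
# equals / notEquals / match field conditions. Resources are flat dicts keyed
# by the samples' alias strings (an assumption of this model).


def _norm(value):
    """equals/notEquals compare case-insensitively; booleans read as 'true'/'false'."""
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def match_pattern(pattern, value):
    """Azure Policy `match` wildcards: '#' = one digit, '?' = one letter,
    '.' = any single character, anything else literal. Case-sensitive."""
    if value is None:
        return False
    parts = []
    for ch in pattern:
        if ch == "#":
            parts.append(r"\d")
        elif ch == "?":
            parts.append(r"[A-Za-z]")
        elif ch == ".":
            parts.append(r".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), value) is not None


def evaluate(condition, resource):
    """True when the condition subtree holds for the resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    # Leaf field condition. An unset property reads as None (model assumption):
    # equals then fails, notEquals succeeds.
    actual = resource.get(condition["field"])
    if "equals" in condition:
        return _norm(actual) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(actual) != _norm(condition["notEquals"])
    if "match" in condition:
        return match_pattern(condition["match"], actual)
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy_rule, resource):
    """The effect the rule would apply, or None when the `if` block is false."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource) else None


COSMOS = "Microsoft.DocumentDB/databaseAccounts"
SPRING = "Microsoft.AppPlatform/Spring"

# The policyRule blocks of Samples 1 to 3, as given on the page.
SAMPLE1 = {"if": {"allOf": [
    {"field": "type", "equals": COSMOS},
    {"field": f"{COSMOS}/enableAutomaticFailover", "equals": "false"},
    {"field": f"{COSMOS}/enableMultipleWriteLocations", "equals": "false"}]},
    "then": {"effect": "audit"}}
SAMPLE2 = {"if": {"allOf": [
    {"not": {"field": "name", "match": "contoso??????"}},
    {"not": {"field": "name", "match": "contoso-???-##"}}]},
    "then": {"effect": "deny"}}
SAMPLE3 = {"if": {"allOf": [
    {"field": "type", "equals": SPRING},
    {"anyOf": [
        {"field": f"{SPRING}/trace.enabled", "notEquals": "true"},
        {"field": f"{SPRING}/trace.state", "notEquals": "Succeeded"}]}]},
    "then": {"effect": "audit"}}


def run_samples():
    """Constructed resources (not real Azure data) run through each sample rule."""
    return {
        # Sample 1: both flags false -> audit; one flag true -> no effect;
        # flags never set -> no effect, since equals "false" needs an actual value.
        "cosmos_both_off": effect_for(SAMPLE1, {"type": COSMOS,
            f"{COSMOS}/enableAutomaticFailover": False,
            f"{COSMOS}/enableMultipleWriteLocations": False}),
        "cosmos_failover_on": effect_for(SAMPLE1, {"type": COSMOS,
            f"{COSMOS}/enableAutomaticFailover": True,
            f"{COSMOS}/enableMultipleWriteLocations": False}),
        "cosmos_flags_missing": effect_for(SAMPLE1, {"type": COSMOS}),
        # Sample 2: a name matching either pattern passes; anything else is denied.
        "name_six_letters": effect_for(SAMPLE2, {"name": "contosoABCDEF"}),
        "name_dash_form": effect_for(SAMPLE2, {"name": "contoso-web-01"}),
        "name_digits_not_letters": effect_for(SAMPLE2, {"name": "contoso123456"}),
        "name_seven_letters": effect_for(SAMPLE2, {"name": "contosoABCDEFG"}),
        # Sample 3: anyOf fires when tracing is off OR unhealthy; an unset trace
        # property also fires because notEquals "true" holds for None.
        "spring_healthy": effect_for(SAMPLE3, {"type": SPRING,
            f"{SPRING}/trace.enabled": True, f"{SPRING}/trace.state": "Succeeded"}),
        "spring_trace_failed": effect_for(SAMPLE3, {"type": SPRING,
            f"{SPRING}/trace.enabled": True, f"{SPRING}/trace.state": "Failed"}),
        "spring_trace_unset": effect_for(SAMPLE3, {"type": SPRING}),
        "not_spring": effect_for(SAMPLE3, {"type": COSMOS}),
    }


if __name__ == "__main__":
    for case, effect in run_samples().items():
        print(f"{case}: {effect}")
```

Running the script prints the effect (or None) for each constructed resource. The two contrasting rows worth noting are cosmos_flags_missing, which Sample 1 does not audit, and spring_trace_unset, which Sample 3 does: whether you write a "not configured" check as equals "false" or notEquals "true" changes what an absent property does to the rule.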

Next steps