Azure Policy pattern: parameters

A policy definition can be made dynamic by using parameters, which reduces the number of policy definitions needed. The parameter values are supplied during policy assignment. Parameters have a set of pre-defined properties that describe the parameter and how it's used.

Sample 1: String parameters

This policy definition uses two parameters, tagName and tagValue, to set what the policy assignment looks for on resources. This format allows the policy to be used for any number of tag name and tag value combinations while maintaining only a single policy definition.

{
   "properties": {
       "displayName": "Require tag and its value",
       "policyType": "BuiltIn",
       "mode": "Indexed",
       "description": "Enforces a required tag and its value. Does not apply to resource groups.",
       "parameters": {
           "tagName": {
               "type": "String",
               "metadata": {
                   "description": "Name of the tag, such as costCenter"
               }
           },
           "tagValue": {
               "type": "String",
               "metadata": {
                   "description": "Value of the tag, such as headquarter"
               }
           }
       },
       "policyRule": {
           "if": {
               "not": {
                   "field": "[concat('tags[', parameters('tagName'), ']')]",
                   "equals": "[parameters('tagValue')]"
               }
           },
           "then": {
               "effect": "deny"
           }
       }
   }
}

Sample 1: Explanation

"tagName": {
   "type": "String",
   "metadata": {
       "description": "Name of the tag, such as costCenter"
   }
},

In this portion of the policy definition, the tagName parameter is defined as a string and a description is provided for its use.

The parameter is then used in the policyRule.if block to make the policy dynamic. Here, it's used to define the field that is evaluated, which is the tag whose name is the value of tagName.

"if": {
   "not": {
       "field": "[concat('tags[', parameters('tagName'), ']')]",
       "equals": "[parameters('tagValue')]"
   }
},

Sample 2: Array parameters

This policy definition uses a single parameter, listOfBandwidthinMbps, to check whether the Express Route Circuit resource has its bandwidth setting configured to one of the approved values. If it doesn't match, the creation or update of the resource is denied.

{
   "properties": {
       "displayName": "Allowed Express Route bandwidth",
       "description": "This policy enables you to specify a set of express route bandwidths that your organization can deploy.",
       "parameters": {
           "listOfBandwidthinMbps": {
               "type": "Array",
               "metadata": {
                   "description": "The list of SKUs that can be specified for express route.",
                   "displayName": "Allowed Bandwidth"
               }
           }
       },
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "type",
                       "equals": "Microsoft.Network/expressRouteCircuits"
                   },
                   {
                       "not": {
                           "field": "Microsoft.Network/expressRouteCircuits/serviceProvider.bandwidthInMbps",
                           "in": "[parameters('listOfBandwidthinMbps')]"
                       }
                   }
               ]
           },
           "then": {
               "effect": "Deny"
           }
       }
   }
}

Sample 2: Explanation

"listOfBandwidthinMbps": {
   "type": "Array",
   "metadata": {
       "description": "The list of SKUs that can be specified for express route.",
       "displayName": "Allowed Bandwidth"
   }
}

In this portion of the policy definition, the listOfBandwidthinMbps parameter is defined as an array and a description is provided for its use. As an array, it holds multiple values to match against.

The parameter is then used in the policyRule.if block. Because it is an array parameter, it must be used with an array condition, in or notIn. Here, it's used against the serviceProvider.bandwidthInMbps alias to check that the field is one of the defined values.

"not": {
   "field": "Microsoft.Network/expressRouteCircuits/serviceProvider.bandwidthInMbps",
   "in": "[parameters('listOfBandwidthinMbps')]"
}
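To see how assignment-time parameter values flow into both sample rules, here is a small evaluator, added as an example and not part of Azure Policy or this page, that resolves the [parameters('x')] and [concat(...)] expressions used above and applies each policyRule to a constructed resource. The field lookup is a simplification (the assumption that an alias maps to a dotted path under properties, and that equals is an exact comparison) and the resource objects are constructed sample input.

```python
import re

REQUIRE_TAG_RULE = {  # Sample 1's policyRule, as shown on the page
    "if": {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                   "equals": "[parameters('tagValue')]"}},
    "then": {"effect": "deny"}}
BANDWIDTH_RULE = {  # Sample 2's policyRule, as shown on the page
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/expressRouteCircuits"},
        {"not": {"field": "Microsoft.Network/expressRouteCircuits/serviceProvider.bandwidthInMbps",
                 "in": "[parameters('listOfBandwidthinMbps')]"}}]},
    "then": {"effect": "Deny"}}

def resolve(value, params):  # handles only [parameters('x')] and [concat(...)]
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value  # plain literal, nothing to resolve
    expr = value[1:-1]
    m = re.fullmatch(r"parameters\('([^']+)'\)", expr)
    if m:
        return params[m.group(1)]  # KeyError = assignment is missing a required parameter
    m = re.fullmatch(r"concat\((.*)\)", expr)
    if m:  # concat of quoted literals and parameters() calls, in order
        parts = re.findall(r"'([^']*)'|parameters\('([^']+)'\)", m.group(1))
        return "".join(params[name] if name else lit for lit, name in parts)
    raise ValueError(f"unsupported expression: {value}")

def field_value(resource, field):
    # Assumption: 'type' and 'tags[...]' are top-level; an alias is a dotted path under properties
    if field == "type":
        return resource.get("type")
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))  # None when the tag is absent
    node = resource.get("properties", {})
    for key in field.split("/")[-1].split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(cond, resource, params):
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    actual = field_value(resource, resolve(cond["field"], params))
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:  # array condition: the parameter resolves to a list
        return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def effect(rule, resource, params):  # effect applied when 'if' matches, else "none"
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else "none"
```

A resource with the tag set to the assigned value, or a circuit whose bandwidth is in the assigned list, returns "none"; a missing tag or an unapproved bandwidth returns the rule's deny effect, and a non-circuit resource is never matched by Sample 2's allOf.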

Next steps