Azure Policy pattern: tags

Tags are an important part of managing, organizing, and governing your Azure resources. Azure Policy makes it possible to configure tags on your new and existing resources at scale with the modify effect and remediation tasks.

Sample 1: Parameterize tags

This policy definition uses two parameters, tagName and tagValue, to set what the policy assignment looks for on resource groups. This format allows a single policy definition to be reused for any number of tag name and tag value combinations.

Note

While this policy definition pattern is similar to the one in Pattern: Parameters - Sample #1, this sample uses mode All and targets resource groups.

{
    "properties": {
        "displayName": "Add or replace a tag on resource groups",
        "mode": "All",
        "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "notEquals": "[parameters('tagValue')]"
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[parameters('tagValue')]"
                    }]
                }
            }
        }
    }
}

Sample 1: Explanation

"properties": {
    "displayName": "Add or replace a tag on resource groups",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
    "metadata": {
        "category": "Tags"
    },

In this sample, mode is set to All because it targets resource groups. In most cases, mode should be set to Indexed when working with tags. For more information, see modes.

"if": {
    "allOf": [{
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[parameters('tagValue')]"
        }
    ]
},

In this portion of the policy definition, concat combines the parameterized tagName parameter with the tags['name'] field format, so that field evaluates that specific tag against the tagValue parameter. Because notEquals is used, the modify effect is triggered whenever tags[tagName] doesn't equal tagValue, which includes the case where the tag is missing entirely.

"operations": [{
    "operation": "addOrReplace",
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "value": "[parameters('tagValue')]"
}]

Here, the addOrReplace operation uses the same format for the parameterized tag name and value to create or update the tag to the desired value on the evaluated resource group.

Sample 2: Inherit tag value from resource group

This policy definition uses the parameter tagName to determine which tag's value to inherit from the parent resource group.

{
    "properties": {
        "displayName": "Inherit a tag from the resource group",
        "mode": "Indexed",
        "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
                    },
                    {
                        "value": "[resourceGroup().tags[parameters('tagName')]]",
                        "notEquals": ""
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[resourceGroup().tags[parameters('tagName')]]"
                    }]
                }
            }
        }
    }
}

Sample 2: Explanation

"properties": {
    "displayName": "Inherit a tag from the resource group",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
        "category": "Tags"
    },

In this sample, mode is set to Indexed because it doesn't target a resource group or subscription, even though it reads its value from a resource group. For more information, see modes.

"if": {
    "allOf": [{
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
        },
        {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
        }
    ]
},

The policyRule.if uses concat, as in Sample #1, to evaluate the tagName tag's value, but uses the resourceGroup() function to compare it to the value of the same tag on the parent resource group. The second clause checks that the tag on the resource group has a value and isn't null; without it, a resource group with no such tag would cause the modify effect to write an empty value onto every resource.

"operations": [{
    "operation": "addOrReplace",
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "value": "[resourceGroup().tags[parameters('tagName')]]"
}]

Here, the value assigned to the tagName tag on the resource also comes from the resourceGroup() function, so the resource inherits the tag from its parent resource group. If you already created the resource without the tag, this same policy definition combined with a remediation task can update existing resources.
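To make the two policy rules concrete, the following added example (not part of the Azure Policy documentation or any Microsoft tool) simulates how Sample 1 and Sample 2 evaluate constructed resources and what their addOrReplace operations would write. It models only the allOf/notEquals/addOrReplace semantics shown above, with a missing resource group tag treated as an empty string as the second clause of Sample 2 expects; real evaluation is done by Azure Resource Manager.

```python
# Added example: offline model of the Sample 1 and Sample 2 policy rules above.
# Assumption: a missing tag compares as "not equal" to any value, and Azure
# Policy string comparisons (equals/notEquals) are case-insensitive.
from copy import deepcopy

# Constructed sample data: one resource group and three resources inside it.
RESOURCE_GROUP = {"name": "rg-prod", "tags": {"environment": "production"}}
RESOURCES = [
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"name": "sa1", "type": "Microsoft.Storage/storageAccounts", "tags": {"environment": "dev"}},
    {"name": "vm2", "type": "Microsoft.Compute/virtualMachines", "tags": {"environment": "Production"}},
]

def not_equals(actual, expected):
    """Model of the notEquals condition: missing field -> True, strings compared case-insensitively."""
    if actual is None:
        return True
    return str(actual).lower() != str(expected).lower()

def sample1_evaluate(resource_group, tag_name, tag_value):
    """Sample 1 (mode All, targets resource groups). Returns (non_compliant, tags_after_modify)."""
    # Clause 1: type equals Microsoft.Resources/subscriptions/resourceGroups (true for this input).
    # Clause 2: tags[tagName] notEquals tagValue.
    non_compliant = not_equals(resource_group["tags"].get(tag_name), tag_value)
    tags = deepcopy(resource_group["tags"])
    if non_compliant:
        tags[tag_name] = tag_value            # addOrReplace operation
    return non_compliant, tags

def sample2_evaluate(resource, resource_group, tag_name):
    """Sample 2 (mode Indexed, inherit from parent RG). Returns (non_compliant, tags_after_modify)."""
    rg_value = resource_group["tags"].get(tag_name, "")   # resourceGroup().tags[tagName]
    # Clause 1: resource tag notEquals the RG tag. Clause 2: the RG tag notEquals "" (has a value).
    non_compliant = not_equals(resource["tags"].get(tag_name), rg_value) and rg_value != ""
    tags = deepcopy(resource["tags"])
    if non_compliant:
        tags[tag_name] = rg_value             # addOrReplace with the inherited value
    return non_compliant, tags

def remediate_all(resources, resource_group, tag_name):
    """What a remediation task for Sample 2 would leave on each existing resource."""
    return {r["name"]: sample2_evaluate(r, resource_group, tag_name)[1] for r in resources}

if __name__ == "__main__":
    print(sample1_evaluate({"name": "rg-new", "tags": {}}, "environment", "production"))
    print(remediate_all(RESOURCES, RESOURCE_GROUP, "environment"))
```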

Next steps