Azure Policy pattern: the value operator

The value operator evaluates parameters, supported template functions, or literals against a provided value for a given condition.

Warning

If the result of a template function is an error, policy evaluation fails. A failed evaluation is an implicit deny. For more information, see avoiding template failures.

Sample policy definition

This policy definition adds or replaces the tag specified in the parameter tagName (string) on resources and inherits the value for tagName from the resource group the resource is in. This evaluation happens when the resource is created or updated. As a modify effect, the remediation may be run on existing resources through a remediation task.

{
   "properties": {
       "displayName": "Inherit a tag from the resource group",
       "policyType": "BuiltIn",
       "mode": "Indexed",
       "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
       "metadata": {
           "category": "Tags"
       },
       "parameters": {
           "tagName": {
               "type": "String",
               "metadata": {
                   "displayName": "Tag Name",
                   "description": "Name of the tag, such as 'environment'"
               }
           }
       },
       "policyRule": {
           "if": {
               "allOf": [{
                       "field": "[concat('tags[', parameters('tagName'), ']')]",
                       "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
                   },
                   {
                       "value": "[resourceGroup().tags[parameters('tagName')]]",
                       "notEquals": ""
                   }
               ]
           },
           "then": {
               "effect": "modify",
               "details": {
                   "roleDefinitionIds": [
                       "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                   ],
                   "operations": [{
                       "operation": "addOrReplace",
                       "field": "[concat('tags[', parameters('tagName'), ']')]",
                       "value": "[resourceGroup().tags[parameters('tagName')]]"
                   }]
               }
           }
       }
   }
}

Explanation

"if": {
   "allOf": [{
           "field": "[concat('tags[', parameters('tagName'), ']')]",
           "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
       },
       {
           "value": "[resourceGroup().tags[parameters('tagName')]]",
           "notEquals": ""
       }
   ]
},

The value operator is used within the policyRule.if block within properties. In this example, the logical operator allOf is used to state that both conditional statements must be true for the effect, modify, to take place.

value evaluates the result of the template function resourceGroup() against the condition notEquals of a blank value. If the tag name provided in tagName exists on the parent resource group, the conditional evaluates to true.
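To make the evaluation order concrete, the following simulation (an added example, not Azure's policy engine or any Microsoft code) models the two allOf conditions from the sample rule, the addOrReplace operation of the modify effect, and the implicit deny described in the warning. The names evaluate_if, apply_modify and TemplateFunctionError are hypothetical, and the sample resource and resource-group tags are constructed. It also assumes, for illustration, that a missing resource-group tag evaluates to a blank value (so the second condition is false) while a resource group whose tags object cannot be read at all is treated as a template-function error.

```python
"""Simulation of how the sample 'inherit a tag' policy rule is evaluated.

Added example; not the Azure Policy engine. Constructed inputs throughout.
"""


class TemplateFunctionError(Exception):
    """Models a template function that returns an error (see the warning:
    a failed evaluation is an implicit deny)."""


def resource_group_tag(rg_tags, tag_name):
    """Models [resourceGroup().tags[parameters('tagName')]].

    Assumption: a resource group whose tags object is unreadable (None here)
    is an error; a readable tags object that lacks the key yields a blank
    value, which makes the second allOf condition false.
    """
    if rg_tags is None:
        raise TemplateFunctionError("resourceGroup().tags is not available")
    return rg_tags.get(tag_name, "")


def evaluate_if(resource_tags, rg_tags, tag_name):
    """Evaluate the policyRule.if block.

    Returns one of:
      'modify'        - both allOf conditions are true, effect applies
      'no-effect'     - at least one condition is false
      'implicit-deny' - a template function errored, evaluation failed
    """
    try:
        rg_value = resource_group_tag(rg_tags, tag_name)
    except TemplateFunctionError:
        return "implicit-deny"

    # Condition 1: field tags[tagName] notEquals the resource group's value.
    # A resource without the tag has no field value, which differs from any
    # non-blank resource-group value.
    cond_field_differs = resource_tags.get(tag_name) != rg_value

    # Condition 2: value (the resource group's tag) notEquals "".
    cond_rg_tag_present = rg_value != ""

    return "modify" if (cond_field_differs and cond_rg_tag_present) else "no-effect"


def apply_modify(resource_tags, rg_tags, tag_name):
    """Models the addOrReplace operation on field tags[tagName]."""
    updated = dict(resource_tags)
    updated[tag_name] = rg_tags[tag_name]
    return updated


def simulate(resource_tags, rg_tags, tag_name="environment"):
    """Evaluate the rule and, if it fires, apply the operation.

    Returns (outcome, resulting_resource_tags).
    """
    outcome = evaluate_if(resource_tags, rg_tags, tag_name)
    if outcome == "modify":
        return outcome, apply_modify(resource_tags, rg_tags, tag_name)
    return outcome, dict(resource_tags)


if __name__ == "__main__":
    # Constructed sample inputs.
    rg = {"environment": "prod", "owner": "platform-team"}
    print(simulate({}, rg))                          # ('modify', {'environment': 'prod'})
    print(simulate({"environment": "dev"}, rg))      # ('modify', {'environment': 'prod'})
    print(simulate({"environment": "prod"}, rg))     # ('no-effect', {'environment': 'prod'})
    print(simulate({}, {"environment": ""}))         # ('no-effect', {})
    print(simulate({}, {}))                          # ('no-effect', {})
    print(simulate({}, None))                        # ('implicit-deny', {})
```

The last case is the one the warning is about: when the value expression cannot be evaluated, the resource is not left alone but denied, so a policy that reads tags through the value operator should be tested against resource groups with no tags at all before it is assigned broadly.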
