Troubleshoot errors using Azure Policy

You may run into errors when creating policy definitions or working with the SDK. This article describes various errors that may occur and how to resolve them.

Finding error details

The location of error details depends on the action that causes the error.

  • When working with a custom policy, try it in the Azure portal to get linting feedback about the schema, or review the resulting compliance data to see how resources were evaluated.
  • When working with the various SDKs, the SDK provides details about why the function failed.

General errors

Scenario: Alias not found

Issue

Azure Policy uses aliases to map to Azure Resource Manager properties.

Cause

An incorrect or non-existent alias is used in a policy definition.

Resolution

First, validate that the Resource Manager property has an alias. Use the Azure Policy extension for Visual Studio Code, Azure Resource Graph, or the SDK to look up available aliases. If the alias for a Resource Manager property doesn't exist, create a support ticket.

Scenario: Evaluation details not up-to-date

Issue

A resource is in the "Not Started" state, or compliance details aren't current.

Cause

A new policy or initiative assignment takes around 30 minutes to be applied. New or updated resources within the scope of an existing assignment become available around 15 minutes later. A standard compliance scan happens every 24 hours. For more information, see evaluation triggers.

Resolution

First, wait the appropriate amount of time for an evaluation to complete and for compliance results to become available in the Azure portal or SDK. To start a new evaluation scan with Azure PowerShell or the REST API, see On-demand evaluation scan.

Scenario: Evaluation not as expected

Issue

A resource isn't in the evaluation state, either Compliant or Non-Compliant, that's expected for that resource.

Cause

The resource isn't in the correct scope for the policy assignment, or the policy definition doesn't operate as intended.

Resolution

  • For a non-compliant resource that was expected to be compliant, start by determining the reasons for non-compliance. The comparison of the definition to the evaluated property value indicates why a resource was non-compliant.
  • For a compliant resource that was expected to be non-compliant, read the policy definition condition by condition and evaluate each against the resource's properties. Validate that the logical operators are grouping the right conditions together and that your conditions aren't inverted.

If compliance for a policy assignment shows 0/0 resources, no resources were determined to be applicable within the assignment scope. Check both the policy definition and the assignment scope.
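Reading a rule condition by condition is easier with a trace. The following is an added example (not code from the original article or from Azure Policy itself): a small evaluator for the `if` block of a policy rule that records the result of every `allOf`, `anyOf`, `not` and field condition against a constructed resource, so you can see which operator or inverted condition produced an unexpected verdict. It also shows the "Alias not found" symptom from the earlier scenario: a misspelled alias resolves to no value, so it never matches. The resource, rule, and alias values are constructed samples.

```python
import fnmatch

# Constructed sample resource, flattened as alias -> value (the shape Azure Policy
# aliases resolve to). Not real tenant data.
SAMPLE_RESOURCE = {
    "type": "Microsoft.Storage/storageAccounts",
    "location": "westeurope",
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False,
}

# Constructed 'if' block (audit/deny style): flag storage accounts outside an
# allow-list of regions, or still accepting plain HTTP traffic.
SAMPLE_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [
        {"field": "location", "notIn": ["westeurope", "northeurope"]},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
         "notEquals": True}]}]}

def _leaf(cond, resource):
    # A misspelled or non-existent alias resolves to None: 'equals' never matches
    # it and 'exists: true' fails, which is the "Alias not found" symptom.
    value = resource.get(cond["field"])
    if "equals" in cond:    return value == cond["equals"]
    if "notEquals" in cond: return value != cond["notEquals"]
    if "in" in cond:        return value in cond["in"]
    if "notIn" in cond:     return value not in cond["notIn"]
    if "exists" in cond:    return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "like" in cond:      return value is not None and fnmatch.fnmatchcase(str(value), cond["like"])
    raise ValueError(f"unsupported operator in {cond}")

def evaluate(cond, resource, trace=None, depth=0):
    """True when the condition matches; one indented trace line per condition (parent first)."""
    trace = [] if trace is None else trace
    slot, pad = len(trace), "  " * depth
    if "allOf" in cond or "anyOf" in cond:
        op = "allOf" if "allOf" in cond else "anyOf"
        results = [evaluate(c, resource, trace, depth + 1) for c in cond[op]]
        result = all(results) if op == "allOf" else any(results)
        trace.insert(slot, f"{pad}{op} -> {result}")
    elif "not" in cond:
        result = not evaluate(cond["not"], resource, trace, depth + 1)
        trace.insert(slot, f"{pad}not -> {result}")
    else:
        result = _leaf(cond, resource)
        trace.insert(slot, f"{pad}{cond} (value={resource.get(cond['field'])!r}) -> {result}")
    return result

def explain(if_block, resource):
    trace = []  # for audit/deny effects, a match on the 'if' block means non-compliant
    return ("NonCompliant" if evaluate(if_block, resource, trace) else "Compliant"), trace
```

Print the returned trace line by line to walk the rule top-down; the indentation mirrors the nesting of the operators.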

Scenario: Enforcement not as expected

Issue

A resource that's expected to be acted on by Azure Policy isn't, and there's no entry in the Azure Activity log.

Cause

The policy assignment has been configured with an enforcementMode of Disabled. While enforcement mode is disabled, the policy effect isn't enforced and there's no entry in the Activity log.

Resolution

Update enforcementMode to Enabled. This change lets Azure Policy act on the resources in this policy assignment and send entries to the Activity log. If enforcementMode is already enabled, see Evaluation not as expected for courses of action.

Scenario: Denied by Azure Policy

Issue

Creation or update of a resource is denied.

Cause

A policy assignment to the scope your new or updated resource is in meets the criteria of a policy definition with a Deny effect. Resources meeting these definitions are prevented from being created or updated.

Resolution

The error message from a deny policy assignment includes the policy definition and policy assignment IDs. If the error information in the message is missed, it's also available in the Activity log. Use this information to get more details, understand the resource restrictions, and adjust the resource properties in your request to match the allowed values.

Template errors

Scenario: Policy supported functions processed by template

Issue

Azure Policy supports a number of Azure Resource Manager template (ARM template) functions, as well as functions that are only available in a policy definition. Resource Manager processes these functions as part of a deployment instead of as part of a policy definition.

Cause

Using supported functions, such as parameter() or resourceGroup(), results in the processed outcome of the function at deployment time instead of leaving the function for the policy definition and the Azure Policy engine to process.

Resolution

To pass a function through to be part of a policy definition, escape the entire string with [ so that the property looks like [[resourceGroup().tags.myTag]. The escape character causes Resource Manager to treat the value as a string when processing the template. Azure Policy then places the function into the policy definition, allowing it to be dynamic as expected. For more information, see Syntax and expressions in Azure Resource Manager templates.
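The following added example (not from the original article, and not the Resource Manager engine) mimics the round trip described above: it escapes every expression in a constructed policy rule before the rule is embedded in a template, then shows what the policy definition ends up containing with and without the escape. The `deploy_time_eval` stand-in and the tag value it returns are constructed for the example.

```python
# Constructed policy rule whose value must reach Azure Policy unevaluated, so the
# tag is read from each evaluated resource's own resource group, not the deployment's.
POLICY_RULE = {
    "if": {"field": "tags.myTag", "notEquals": "[resourceGroup().tags.myTag]"},
    "then": {"effect": "deny"},
}

def escape_for_template(node):
    """Prefix a second '[' to every rule string that starts with '[' so Resource
    Manager passes it through as a literal (helper written for this example)."""
    if isinstance(node, dict):
        return {k: escape_for_template(v) for k, v in node.items()}
    if isinstance(node, list):
        return [escape_for_template(v) for v in node]
    if isinstance(node, str) and node.startswith("[") and not node.startswith("[["):
        return "[" + node
    return node

def arm_process(node, deploy_eval):
    """Mimic (not the real engine) of how Resource Manager treats template strings:
    '[[x' becomes the literal '[x'; '[expr]' is evaluated at deployment time."""
    if isinstance(node, dict):
        return {k: arm_process(v, deploy_eval) for k, v in node.items()}
    if isinstance(node, list):
        return [arm_process(v, deploy_eval) for v in node]
    if isinstance(node, str):
        if node.startswith("[["):
            return node[1:]
        if node.startswith("[") and node.endswith("]"):
            return deploy_eval(node[1:-1])
    return node

def deploy_time_eval(expr):
    # Constructed stand-in: at deployment, resourceGroup() is the group the template
    # is deployed to, so an unescaped value is frozen into the definition.
    return "tag-of-deployment-rg" if expr == "resourceGroup().tags.myTag" else expr

def rule_as_policy_receives_it(rule, escaped):
    """Round-trip a policy rule through the template, escaped or not."""
    return arm_process(escape_for_template(rule) if escaped else rule, deploy_time_eval)
```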

Add-on installation errors

Scenario: Install using Helm Chart fails on password

Issue

The helm install azure-policy-addon command fails with one of the following messages:

  • !: event not found
  • Error: failed parsing --set data: key "<key>" has no value (cannot end with ,)

Cause

The generated password includes a comma (,) that Helm Chart is splitting on.

Resolution

Escape the comma (,) in the password value with a backslash (\) when running helm install azure-policy-addon.

Next steps

If you didn't see your problem or are unable to solve your issue, visit one of the following channels for more support:

  • Get answers from experts through Microsoft Q&A.
  • If you need more help, you can file an Azure support incident. Go to the Azure support site and select Get Support.