Tutorial: Manage tag governance with Azure Policy

Tags are a crucial part of organizing your Azure resources into a taxonomy.

No matter how or why you use tags, it's important that you can quickly add, change, and remove those tags on your Azure resources.

Azure Policy's Modify effect is designed to aid in the governance of tags no matter what stage of resource governance you are in. Modify helps when:

  • You're new to the cloud and have no tag governance
  • You already have thousands of resources with no tag governance
  • You already have an existing taxonomy that you need to change

In this tutorial, you'll complete the following tasks:

  • Identify your business requirements
  • Map each requirement to a policy definition
  • Group the tag policies into an initiative

Prerequisites

To complete this tutorial, you need an Azure subscription. If you don't have one, create a trial account before you begin.

Identify requirements

Like any good implementation of governance controls, the requirements should come from your business needs and be well understood before creating technical controls. For this scenario tutorial, the following items are our business requirements:

  • Two required tags on all resources: CostCenter and Env
  • CostCenter must exist on all containers and individual resources
    • Resources inherit from the container they're in, but may be individually overridden
  • Env must exist on all containers and individual resources
    • Resources determine their environment from the container naming scheme and may not be overridden
    • All resources in a container are part of the same environment

Configure the CostCenter tag

In terms specific to an Azure environment managed by Azure Policy, the CostCenter tag requirements call for the following:

  • Deny resource groups missing the CostCenter tag
  • Modify resources to add the CostCenter tag from the parent resource group when it is missing

Deny resource groups missing the CostCenter tag

Since the CostCenter of a resource group can't be determined from the name of the resource group, the tag must be defined in the request that creates the resource group. The following policy rule with the Deny effect prevents the creation or updating of resource groups that don't have the CostCenter tag:

"if": {
    "allOf": [{
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
            "field": "tags['CostCenter']",
            "exists": false
        }
    ]
},
"then": {
    "effect": "deny"
}

Note

As this policy rule targets a resource group, the mode on the policy definition must be 'All' instead of 'Indexed'.

Modify resources to inherit the CostCenter tag when missing

The second CostCenter need is for any resource to inherit the tag from its parent resource group when the tag is missing. If the tag is already defined on the resource, even with a value different from the parent resource group's, it must be left alone. The following policy rule uses Modify:

"policyRule": {
    "if": {
        "field": "tags['CostCenter']",
        "exists": "false"
    },
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [{
                "operation": "add",
                "field": "tags['CostCenter']",
                "value": "[resourcegroup().tags['CostCenter']]"
            }]
        }
    }
}

This policy rule uses the add operation instead of addOrReplace because we don't want to alter the tag value if it's already present when remediating existing resources. It also uses the [resourcegroup()] template function to get the tag value from the parent resource group. The roleDefinitionIds entry is the built-in Contributor role: the managed identity of the assignment that carries this policy must be granted the roles listed here, otherwise remediation of existing resources fails.

Note

As this policy rule targets resources that support tags, the mode on the policy definition must be 'Indexed'. This configuration also ensures the policy skips resource groups.

Configure the Env tag

In terms specific to an Azure environment managed by Azure Policy, the Env tag requirements call for the following:

  • Modify the Env tag on the resource group based on the naming scheme of the resource group
  • Modify the Env tag on all resources in the resource group to match the parent resource group

Modify the resource group Env tag based on name

A Modify policy is required for each environment that exists in your Azure environment. The Modify policy for each looks something like this policy definition:

"policyRule": {
    "if": {
        "allOf": [{
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
            "field": "name",
            "like": "prd-*"
        }
        ]
    },
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [{
                "operation": "addOrReplace",
                "field": "tags['Env']",
                "value": "Production"
            }]
        }
    }
}

Note

As this policy rule targets a resource group, the mode on the policy definition must be 'All' instead of 'Indexed'.

This policy only matches resource groups that follow the sample naming scheme used for production resources, the prd- prefix. More complex naming schemes can be handled with several match conditions instead of the single like condition in this example.

Modify resources to inherit the Env tag

The business requirement calls for all resources to carry the same Env tag as their parent resource group. This tag can't be overridden, so we use the addOrReplace operation with the Modify effect. The sample Modify policy looks like the following rule:

"policyRule": {
    "if": {
        "anyOf": [{
            "field": "tags['Env']",
            "notEquals": "[resourcegroup().tags['Env']]"
        },
        {
            "field": "tags['Env']",
            "exists": false
        }
        ]
    },
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [{
                "operation": "addOrReplace",
                "field": "tags['Env']",
                "value": "[resourcegroup().tags['Env']]"
            }]
        }
    }
}

Note

As this policy rule targets resources that support tags, the mode on the policy definition must be 'Indexed'. This configuration also ensures the policy skips resource groups.

This policy rule looks for any resource whose Env tag doesn't match its parent resource group's value, or that is missing the Env tag altogether. Matching resources have their Env tag set to the parent resource group's value, even if the tag already existed on the resource with a different value.

Assign the initiative and remediate resources

Once the tag policies above are created, join them into a single initiative for tag governance and assign it to a management group or subscription. The initiative and its included policies then evaluate the compliance of existing resources and alter requests for new or updated resources that match the if property of the policy rule. However, the policy doesn't automatically update existing non-compliant resources with the defined tag changes.

Like deployIfNotExists policies, Modify policies use remediation tasks to alter existing non-compliant resources. Follow the directions in How-to remediate resources to identify your non-compliant Modify resources and correct their tags to your defined taxonomy.
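To see how the four rules above behave together, here is an added example that is not part of the tutorial and is not Azure Policy's evaluation engine: a small Python simulation of the rules, covering only the parts of the policy language they use (the field conditions equals, notEquals, exists and like, allOf and anyOf, the [resourcegroup().tags[...]] function, and the Modify operations add and addOrReplace). It separates request-time handling (Deny rejects, Modify rewrites the request) from a compliance scan of existing resources (reports only) and a remediation task (applies the Modify effects). The resource groups, resources and the supportsTags flag, which stands in for the resource-type metadata that Indexed mode consults, are constructed sample data; the policy names are assumptions.

```python
"""Added example (not Azure Policy's engine, not the tutorial's code): a local simulation of the four tag
policies above, covering only what they use: equals/notEquals/exists/like, allOf/anyOf,
[resourcegroup().tags[...]] and the Modify operations add vs addOrReplace. Sample data is constructed."""
import fnmatch
import re

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
CONTRIBUTOR = ("/providers/microsoft.authorization/roleDefinitions/"
               "b24988ac-6180-42a0-ab88-20f7382dd24c")  # built-in Contributor role
TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")
RG_TAG_FN = re.compile(r"^\[resourcegroup\(\)\.tags\['(.+)'\]\]$")

def modify_policy(condition, operation, tag, value, mode):
    """Build a Modify definition in the shape the tutorial uses."""
    return {"mode": mode, "policyRule": {"if": condition, "then": {
        "effect": "modify", "details": {"roleDefinitionIds": [CONTRIBUTOR], "operations": [
            {"operation": operation, "field": f"tags['{tag}']", "value": value}]}}}}

# The tutorial's four definitions ('All' for the two targeting resource groups, 'Indexed' to skip them).
POLICIES = {
    "deny-rg-missing-costcenter": {"mode": "All", "policyRule": {
        "if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                         {"field": "tags['CostCenter']", "exists": False}]},
        "then": {"effect": "deny"}}},
    "inherit-costcenter": modify_policy({"field": "tags['CostCenter']", "exists": "false"},
        "add", "CostCenter", "[resourcegroup().tags['CostCenter']]", "Indexed"),
    "rg-env-from-name": modify_policy({"allOf": [{"field": "type", "equals": RG_TYPE},
        {"field": "name", "like": "prd-*"}]}, "addOrReplace", "Env", "Production", "All"),
    "inherit-env": modify_policy({"anyOf": [
        {"field": "tags['Env']", "notEquals": "[resourcegroup().tags['Env']]"},
        {"field": "tags['Env']", "exists": False}]},
        "addOrReplace", "Env", "[resourcegroup().tags['Env']]", "Indexed"),
}

def resolve(value, rg):
    """[resourcegroup().tags['X']] reads the parent group's tag; anything else is a literal."""
    m = RG_TAG_FN.match(str(value))
    return rg["tags"].get(m.group(1)) if m else value

def field_value(resource, field):
    m = TAG_FIELD.match(field)
    return resource["tags"].get(m.group(1)) if m else resource.get(field)

def matches(cond, resource, rg):
    """Evaluate an 'if' block (Azure's 'like' only knows '*'; fnmatch is close enough here)."""
    if "allOf" in cond:
        return all(matches(c, resource, rg) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, rg) for c in cond["anyOf"])
    actual = field_value(resource, cond["field"])
    if "exists" in cond:  # the tutorial writes both the boolean false and the string "false"
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == resolve(cond["equals"], rg)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], rg)
    if "like" in cond:
        return actual is not None and fnmatch.fnmatchcase(actual, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, rg):
    """Return (verdict, tags); verdict is skip, compliant, deny or modify."""
    rule, tags = policy["policyRule"], dict(resource["tags"])
    if policy["mode"] != "All" and (resource["type"] == RG_TYPE or not resource.get("supportsTags")):
        return "skip", tags  # 'Indexed' evaluates only types that support tags, never resource groups
    if not matches(rule["if"], resource, rg):
        return "compliant", tags
    if rule["then"]["effect"] == "deny":
        return "deny", tags
    for op in rule["then"]["details"]["operations"]:
        tag = TAG_FIELD.match(op["field"]).group(1)
        if op["operation"] == "addOrReplace" or tag not in tags:  # 'add' never overwrites
            tags[tag] = resolve(op["value"], rg)
    return "modify", tags

def handle_request(resource, rg):
    """Create/update request: Deny rejects it, Modify rewrites its tags before it is stored."""
    tags = dict(resource["tags"])
    for policy in POLICIES.values():
        verdict, tags = evaluate(policy, {**resource, "tags": tags}, rg)
        if verdict == "deny":
            return "denied", dict(resource["tags"])
    return "allowed", tags

def scan(resource, rg):
    """Compliance evaluation of an existing resource: reports, changes nothing."""
    return [n for n, p in POLICIES.items() if evaluate(p, resource, rg)[0] in ("deny", "modify")]

def remediate(resource, rg):
    """Remediation task: apply only the Modify effects to an existing resource."""
    tags = dict(resource["tags"])
    for policy in POLICIES.values():
        if policy["policyRule"]["then"]["effect"] == "modify":
            tags = evaluate(policy, {**resource, "tags": tags}, rg)[1]
    return tags

if __name__ == "__main__":
    rg = {"type": RG_TYPE, "name": "prd-web", "tags": {"CostCenter": "CC100"}}
    rg["tags"] = handle_request(rg, rg)[1]  # Env=Production derived from the prd- prefix
    st = {"type": "Microsoft.Storage/storageAccounts", "name": "st1", "supportsTags": True,
          "tags": {"CostCenter": "CC200", "Env": "Test"}}
    print(rg["tags"], scan(st, rg), remediate(st, rg))  # CostCenter kept, Env replaced
    print(handle_request({"type": RG_TYPE, "name": "dev-api", "tags": {}}, rg))  # denied
```

Running it shows the behaviours the tutorial describes: the prd-web resource group gains Env=Production from its name while its CostCenter is untouched; the storage account keeps its own CostCenter (add never overwrites) but has Env forced to the group's value (addOrReplace); the Indexed-mode policies never evaluate the resource group itself; and a resource group created without CostCenter is denied. Note that scan only reports: the storage account stays non-compliant until remediate is run, which is the local stand-in for a remediation task.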

Clean up resources

If you're done working with the resources from this tutorial, use the following steps to delete any of the assignments or definitions created above:

  1. Select Definitions (or Assignments if you're trying to delete an assignment) under Authoring on the left side of the Azure Policy page.

  2. Search for the new initiative or policy definition (or assignment) you want to remove.

  3. Right-click the row or select the ellipsis at the end of the definition (or assignment), and select Delete definition (or Delete assignment).

Review

In this tutorial, you learned about the following tasks:

  • Identified your business requirements
  • Mapped each requirement to a policy definition
  • Grouped the tag policies into an initiative

Next steps

To learn more about the structure of policy definitions, look at this article: