Azure策略:仅允许Azure资源组标记中某些标记值

kgsdhlau  于 2022-11-17  发布在  其他
关注(0)|答案(1)|浏览(156)

我的资源组具有environment标记,其中仅允许特定值"dev,test,prod"。我希望使用Azure策略强制执行此操作,该策略将拒绝所有在其environment标记中不具有此"dev,test,prod"值之一的资源组创建。我的策略代码如下:

{
    "properties": {
        "displayName": "Allowed  tag values for Resource Groups",
        "description": "This policy enables you to restrict the tag values for Resource Groups.",
        "policyType": "Custom",
        "mode": "Indexed",
        "metadata": {
            "version": "1.0.0",
            "category": "Tags"
        },
        "parameters": {
            "allowedTagValues": {
                "type": "array",
                "metadata": {
                    "description": "The list of tag values that can be specified when deploying resource groups",
                    "displayName": "Allowed tag values"
                },
                "defaultValue": [
                    "dev","test","prod"
                ]
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "tags[environment]",
                        "notIn": "[parameters('allowedTagValues')]"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    },
    "id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
    "name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}

这根本没有任何效果,我也试过这个:

{
                "not": {
                    "field": "tags[environment]",
                    "in": "[parameters('allowedTagValues')]"
                }
            }

这两种方法都不起作用。
有什么建议吗?

pieyvz9o

pieyvz9o1#

您需要传递标记值"dev","test","prod"作为参数listofallowedTags的允许值,如下所示。
根据您的要求,我们创建了以下策略定义。我们已在本地环境中对此进行了测试,该定义运行良好。

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "in": "[parameters('listofallowedtagValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the audit policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "environment"
    },
    "listofallowedtagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Tag Values",
        "description": "Value of the tag, such as 'production'"
      },
      "allowedValues": [
        "dev",
        "test",
        "prod"
      ]
    }
  }
}

**注意:**如下图所示,自定义策略已分配给订阅。

以下是一些示例输出以供参考:

  • 在下面的示例中,我们向环境标记传递了一个不同于listofallowedtagValues参数中定义的3个值的值,而部署资源组时由于不满足策略要求而失败。

  • 在下面的示例中,我们已将环境标记值传递为test资源组部署已成功,因为它满足策略要求。

相关问题