Azure Policy DeployIfNotExists: deploying a resource into a different subscription and resource group

ua4mk5z4 posted on 2023-10-22 in Other

I am trying to write an Azure Policy that will automatically link every Application Insights resource to my AMPLS instance.
To do that, the policy should look at the Microsoft.Insights/components/PrivateLinkScopedResources[*].ResourceId field and, if it does not contain my AMPLS resource ID, it should trigger a deployment that deploys the child resource. Unfortunately, this resource is not a child resource of the Application Insights resource but of the AMPLS resource. The child resource type is Microsoft.Insights/privateLinkScopes/scopedResources.
So the policy needs to deploy the following template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Insights/privateLinkScopes/scopedResources",
            "apiVersion": "2021-07-01-preview",
            "name": "[format('{0}/{1}', 'my-ampls', 'my-test-app-insights')]",
            "properties": {
                "linkedResourceId": "/subscriptions/<sub ID here>/resourceGroups/<resource group here>/providers/microsoft.insights/components/my-test-app-insights"
            }
        }
    ]
}

The problem is that the AMPLS resource is in a different subscription than the Application Insights resources. I don't know how to change the policy's deployment scope from the Application Insights resource's resource group to the AMPLS resource's resource group.
The documentation here: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists discusses the DeploymentScope property, but it can only take one of two values, ResourceGroup or Subscription; it does not let you pick a different subscription and/or resource group than the one containing the resource matched in the if type field. I came up with the following policy definition, but obviously it does not work, because the deployment is looking for the AMPLS resource in the wrong subscription/resource group.

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "microsoft.insights/components"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "microsoft.insights/components",
        "existenceCondition": {
          "field": "Microsoft.Insights/components/PrivateLinkScopedResources[*].ResourceId",
          "equals": "[parameters('ampls')]"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "Incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceName": {
                  "type": "String"
                },
                "ampls": {
                  "type": "String"
                },
                "location": {
                  "type": "String"
                },
                "resourceId": {
                  "type": "String"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Insights/privateLinkScopes/scopedResources",
                  "apiVersion": "2021-07-01-preview",
                  "name": "[format('{0}/{1}', last(split(parameters('ampls'), '/')), parameters('resourceName'))]",
                  "location": "Global",
                  "dependsOn": [],
                  "properties": {
                    "linkedResourceId": "[parameters('resourceId')]"
                  }
                }
              ],
              "outputs": {}
            },
            "parameters": {
              "ampls": {
                "value": "[parameters('ampls')]"
              },
              "location": {
                "value": "[field('location')]"
              },
              "resourceName": {
                "value": "[field('name')]"
              },
              "resourceId": {
                "value": "[field('id')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "ampls": {
      "type": "String",
      "metadata": {
        "displayName": "AMPLS Resource ID",
        "description": "Enter AMPLS Resource ID",
        "strongType": "Microsoft.Insights/privateLinkScopes"
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    }
  }
}
2w3kk1z5 (answer 1)

Microsoft confirmed that the policy can only deploy resources into the resource group of the matched resource. However, a deployment is itself a resource, and it can contain any other resource in a nested template. All you need to do is deploy a resource of type Microsoft.Resources/deployments and nest your resource inside it. That way you can deploy into any subscription and resource group that the policy assignment's managed identity has access to.
