Deploying Azure policy ARM template using Azure Devops fails
We have built an Azure policy for "Allowed Locations". The required template.json and parameter.json were created as follows:
Template.json
When I try to run it with an Azure pipeline after uploading the json files to an Azure repo, I get the following error:
[error]Request content is invalid and could not be deserialized: 'Required property 'resources' not found in JSON. Path 'properties.template', line 1, position 222.'.
Although resources are declared in template.json, it fails with this error. Can anyone provide any insight?
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "listOfAllowedLocations": {
      "type": "array"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "policylocation",
      "apiVersion": "2018-03-01",
      "properties": {
        "policyType": "Custom",
        "displayName": "policylocation",
        "description": "",
        "mode": "all",
        "parameters": {
          "listOfAllowedLocations": {
            "type": "array",
            "metadata": {
              "description": "The list of locations that can be specified when deploying resources.",
              "displayName": "Allowed locations"
            }
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "location",
                "notIn": "EastUS"
              },
              {
                "field": "location",
                "notEquals": "global"
              },
              {
                "field": "type",
                "notEquals": "Microsoft.Compute/virtualMachines"
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
  ]
}
Parameter.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "listOfAllowedLocations": {
      "type": "array",
      "value": "EastUS"
    }
  }
}
The problem is that the policy is not making use of the listOfAllowedLocations parameter. I would remove it and make the parameters just empty brackets.
When I tried to deploy your policy using the given template and parameter files, I received the following error.
{
  "error": {
    "code": "InvalidDeploymentParameterType",
    "message": "The type of deployment parameter 'listOfAllowedLocations' should not be specified. Please see https://aka.ms/resource-manager-parameter-files for details."
  }
}
This means you have an unused parameter (listOfAllowedLocations). While an unused parameter may be acceptable in most language schemas, that is not the case for policy. Either remove this parameter first, or add it to your policy so that it is actually used.
Next, given the misleading error message you received, I am curious about your deployment method. Policies can be deployed in several different ways: the portal, PowerShell and the REST API, to name a few. I prefer the REST API approach because it offers considerable flexibility and simplicity in terms of definition and usage. If you go with the REST API, you actually have two different approaches to choose from (as an Azure deployment, or as a policy definition), at the following endpoints respectively.
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01
Docs - https://docs.microsoft.com/en-us/rest/api/resources/deployments/createorupdate
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}?api-version=2019-09-01
Docs - https://docs.microsoft.com/en-us/rest/api/resources/policydefinitions/createorupdate
I prefer the deployment route because it deploys the policy through the Azure deployment mechanism, which gives you consistent and user-friendly ways to troubleshoot, retry and inspect. It also lets you deploy the policy as a template file plus a parameter file, nest deployments inside deployments (useful in more complex use cases), and specify parameters at both the deployment scope and the policy scope. Deployments do have some limitations, however, such as the per-subscription and per-resource-group quota (currently 800). Some regular housekeeping will help with that.
Using the Azure deployment REST API approach, I encourage you to try one of the following, depending on your intent.
Option 1a: You want to keep 'listOfAllowedLocations' as a parameter and use it in your policy. You also want the parameter applied at the DEPLOYMENT scope, so that the resulting deployed policy has a statically defined list of allowed locations.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01
Body:
{
  "location": "eastus",
  "properties": {
    "mode": "Incremental",
    "parameters": {
      "listOfAllowedLocations": {
        "value": ["eastus"]
      }
    },
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "listOfAllowedLocations": {
          "type": "array"
        }
      },
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "policylocation",
          "apiVersion": "2018-03-01",
          "properties": {
            "policyType": "Custom",
            "displayName": "policylocation",
            "description": "",
            "mode": "all",
            "parameters": {},
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "location",
                    "notIn": "[parameters('listOfAllowedLocations')]"
                  },
                  {
                    "field": "location",
                    "notEquals": "global"
                  },
                  {
                    "field": "type",
                    "notEquals": "Microsoft.Compute/virtualMachines"
                  }
                ]
              },
              "then": {
                "effect": "deny"
              }
            }
          }
        }
      ]
    }
  }
}
Option 1b: You want to keep 'listOfAllowedLocations' as a parameter and use it in your policy. You also want the parameter applied at the POLICY DEFINITION scope, so that the deployed list of allowed locations can be changed at assignment time. Note the subtle difference in parameter scope, and the parameter escaping ('[[') inside the policy resource definition.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01
Body:
{
  "location": "eastus",
  "properties": {
    "mode": "Incremental",
    "parameters": {},
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "policylocation",
          "apiVersion": "2018-03-01",
          "properties": {
            "policyType": "Custom",
            "displayName": "policylocation",
            "description": "",
            "mode": "all",
            "parameters": {
              "listOfAllowedLocations": {
                "type": "array",
                "defaultValue": ["eastus"]
              }
            },
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "location",
                    "notIn": "[[parameters('listOfAllowedLocations')]"
                  },
                  {
                    "field": "location",
                    "notEquals": "global"
                  },
                  {
                    "field": "type",
                    "notEquals": "Microsoft.Compute/virtualMachines"
                  }
                ]
              },
              "then": {
                "effect": "deny"
              }
            }
          }
        }
      ]
    }
  }
}
Option 2: A static definition of the allowed locations. This essentially bypasses passing a parameter through either the deployment or the policy assignment.
{
  "location": "eastus",
  "properties": {
    "mode": "Incremental",
    "parameters": {},
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "policylocation",
          "apiVersion": "2018-03-01",
          "properties": {
            "policyType": "Custom",
            "displayName": "policylocation",
            "description": "",
            "mode": "all",
            "parameters": {},
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "location",
                    "notIn": ["eastus"]
                  },
                  {
                    "field": "location",
                    "notEquals": "global"
                  },
                  {
                    "field": "type",
                    "notEquals": "Microsoft.Compute/virtualMachines"
                  }
                ]
              },
              "then": {
                "effect": "deny"
              }
            }
          }
        }
      ]
    }
  }
}
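As an added example (not code from the question or the answer above): an offline lint, in Python, that checks a template/parameter-file pair for exactly the failure modes discussed in this thread before anything is sent to the deployments endpoint: a missing resources property, a template parameter that nothing references, a bare string where in/notIn needs an array, a parameter file entry that carries type, and a [[parameters(...)] reference with no matching entry in the definition's own properties.parameters. The sample documents are constructed from the page's template and the three options; the finding codes, the make_template helper and the check logic are mine, not an Azure API.

```python
"""Offline pre-flight checks for an ARM template that carries an Azure Policy
definition, plus its parameter file.  Added example; not code from the page's
question or answer.  The sample documents below are constructed from the
templates shown on the page."""
import re

# "[parameters('x')]" is resolved by ARM at deployment time; "[[parameters('x')]"
# is escaped, and ARM hands it to the policy engine as "[parameters('x')]".
PARAM_REF = re.compile(r"^(\[\[?)parameters\('([^']+)'\)\]$")
POLICY_TYPE = "Microsoft.Authorization/policyDefinitions"

def as_seen_by_policy_engine(value):
    """ARM strips one leading '[' from an escaped expression; anything else passes through."""
    return value[1:] if isinstance(value, str) and value.startswith("[[") else value

def walk(node):
    """Yield (key, value) for every dict entry in a JSON document, depth first."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield k, v
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)

def refs(node, bracket):
    """Parameter names referenced as parameters('name') with the given bracket style."""
    found = set()
    for _, v in walk(node):
        m = PARAM_REF.match(v) if isinstance(v, str) else None
        if m and m.group(1) == bracket:
            found.add(m.group(2))
    return found

def lint(template, param_file=None):
    """Return [(code, message), ...]; an empty list means the pair looks deployable."""
    if "resources" not in template:
        return [("NO_RESOURCES", "template: required property 'resources' not found")]
    findings = []
    declared, used = set(template.get("parameters", {})), refs(template["resources"], "[")
    findings += [("UNUSED_TEMPLATE_PARAM", f"template parameter '{p}' is never referenced") for p in sorted(declared - used)]
    findings += [("UNDECLARED_TEMPLATE_PARAM", f"[parameters('{p}')] is not declared") for p in sorted(used - declared)]
    for res in template["resources"]:
        if res.get("type") != POLICY_TYPE:
            continue
        name, props = res.get("name"), res.get("properties", {})
        pol_declared, pol_used = set(props.get("parameters", {})), refs(props.get("policyRule", {}), "[[")
        findings += [("UNUSED_POLICY_PARAM", f"policy '{name}': parameter '{p}' never referenced with '[['") for p in sorted(pol_declared - pol_used)]
        findings += [("UNDECLARED_POLICY_PARAM", f"policy '{name}': [[parameters('{p}')] not in properties.parameters") for p in sorted(pol_used - pol_declared)]
        # 'in'/'notIn' take an array (or an expression yielding one), never a bare string.
        for k, v in walk(props.get("policyRule", {})):
            if k in ("in", "notIn") and isinstance(v, str) and not v.startswith("["):
                findings.append(("BARE_STRING_IN", f"policy '{name}': '{k}' must be an array, got string {v!r}"))
    if param_file is not None:
        for pname, entry in param_file.get("parameters", {}).items():
            if "type" in entry:  # this is what InvalidDeploymentParameterType complains about
                findings.append(("PARAM_FILE_TYPE", f"parameter file: '{pname}' must not specify 'type'"))
            want = template.get("parameters", {}).get(pname, {}).get("type")
            if want is None:
                findings.append(("PARAM_FILE_UNKNOWN", f"parameter file: '{pname}' is not a template parameter"))
            elif want == "array" and not isinstance(entry.get("value"), list):
                findings.append(("PARAM_TYPE_MISMATCH", f"parameter file: '{pname}' should be an array"))
    return findings

def make_template(template_params, policy_params, not_in):
    """The page's 'policylocation' template with the three knobs the answer varies (constructed sample)."""
    rule = {"if": {"allOf": [{"field": "location", "notIn": not_in},
                             {"field": "location", "notEquals": "global"},
                             {"field": "type", "notEquals": "Microsoft.Compute/virtualMachines"}]},
            "then": {"effect": "deny"}}
    return {"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "parameters": template_params, "variables": {},
            "resources": [{"type": POLICY_TYPE, "name": "policylocation", "apiVersion": "2018-03-01",
                           "properties": {"policyType": "Custom", "displayName": "policylocation", "mode": "all",
                                          "parameters": policy_params, "policyRule": rule}}]}

ARRAY = {"type": "array"}
# The asker's pair: declared-but-unused parameter, a bare-string notIn, and a 'type' in the parameter file.
ASKER_TEMPLATE = make_template({"listOfAllowedLocations": ARRAY}, {"listOfAllowedLocations": ARRAY}, "EastUS")
ASKER_PARAMS = {"parameters": {"listOfAllowedLocations": {"type": "array", "value": "EastUS"}}}
# Option 1a: deployment-scope parameter, resolved by ARM and baked into the definition.
OPTION_1A = make_template({"listOfAllowedLocations": ARRAY}, {}, "[parameters('listOfAllowedLocations')]")
OPTION_1A_PARAMS = {"parameters": {"listOfAllowedLocations": {"value": ["eastus"]}}}
# Option 1b: policy-scope parameter; '[[' keeps ARM from resolving it, so it is set at assignment time.
OPTION_1B = make_template({}, {"listOfAllowedLocations": {"type": "array", "defaultValue": ["eastus"]}},
                          "[[parameters('listOfAllowedLocations')]")
# Option 2: static list, nothing to parameterise.
OPTION_2 = make_template({}, {}, ["eastus"])

if __name__ == "__main__":
    for label, tpl, prm in [("asker", ASKER_TEMPLATE, ASKER_PARAMS), ("1a", OPTION_1A, OPTION_1A_PARAMS),
                            ("1b", OPTION_1B, None), ("2", OPTION_2, None)]:
        for code, msg in lint(tpl, prm) or [("OK", "no findings")]:
            print(f"{label:>5}  {code:<24} {msg}")
```

Run the file directly and the asker's pair yields five findings while options 1a, 1b and 2 yield none; wire lint into the pipeline step before the deployment call and a bad pair fails fast with a readable reason instead of the deserialization error quoted in the question. The two parameter scopes also differ in who can change the allowed list, which matters for a data-residency control: in option 1a the list is resolved by ARM and baked into the definition, so loosening it means redeploying the definition, whereas in option 1b it is a policy parameter, so anyone with rights to create the assignment can supply a different list at assignment time.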