Error in policy definition deployment "parameter not found"

I am trying to deploy an Azure Policy through an ARM template. Here is my definition file. The error I get is: Status Message: Unable to process template language expressions for resource '/subscriptions/xxx/providers/Microsoft.Authorization/policyDefinitions/deploy-rg-lock' at line '13' and column '9'. 'The template parameter 'tagName' is not found. Please see https://aka.ms/arm-template/#parameters for usage details.' (Code:InvalidTemplate)

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionName": {
      "type": "string"
    }
  },
  "resources": [{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "[parameters('policyDefinitionName')]",
    "apiVersion": "2019-09-01",
    "properties": {
      "displayName": "Lock Resource Group based on tags",
      "policyType": "Custom",
      "mode": "All",
      "description": "This policy locks a resource group if the tag mentioned in the parameter is not present",
      "metadata": {
        "category": "Tags"
      },
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Name",
            "description": "Tag name to prevent resource lock"
          }
        },
        "tagValue": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Value",
            "description": "Tag value to prevent resource lock"
          }
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "notEquals": "[parameters('tagValue')]"
            }
          ]
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Authorization/locks",
            "roleDefinitionIds": [
              "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
            ],
            "existenceCondition": {
              "field": "Microsoft.Authorization/locks/level",
              "equals": "CanNotDelete"
            },
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "resources": [
                    {
                      "name": "PolicyDeleteLock",
                      "type": "Microsoft.Authorization/locks",
                      "apiVersion": "2016-09-01",
                      "properties": {
                        "level": "CanNotDelete",
                        "notes": "Set by policy RG_ResourceLockCheck"
                      }
                    }
                  ],
                  "outputs": {
                    "policy": {
                      "type": "string",
                      "value": "locked RG"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }]
}

In your policyRule you need to escape the ARM expressions with an extra opening bracket so that they are not evaluated at the top level. For example, on line 45:

"field": "[concat('tags[', parameters('tagName'), ']')]"

应该变成:

"field": "[[concat('tags[', parameters('tagName'), ']')]"

(Note that there is no extra closing bracket. This is a bit odd, but that is how it should be done.)

Do this for all ARM expressions inside the policy rule and it should work.

You can also define the parameters tagName and tagValue.

So adding the parameters as I have applied below will fix the problem.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionName": {
      "type": "string"
    },
    // define tag name and tag value as template parameters
    "tagName": {
      "type": "string"
    },
    "tagValue": {
      "type": "string"
    },
    "policyDefinitionID": {
      "type": "string"
    }
  },
  "resources": [{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "[parameters('policyDefinitionName')]",
    "apiVersion": "2019-09-01",
    "properties": {
      "displayName": "Lock Resource Group based on tags",
      "policyType": "Custom",
      "mode": "All",
      "description": "This policy locks a resource group if the tag mentioned in the parameter is not present",
      "metadata": {
        "category": "tags"
      },
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Cannot Delete",
            "description": "Tag name to prevent resource lock"
          }
        },
        "tagValue": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Value",
            "description": "Tag value to prevent resource lock"
          }
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "field": "[concat('Tags[', parameters('tagName'), ']')]",
              "notEquals": "[parameters('tagValue')]"
            }
          ]
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Authorization/locks",
            "roleDefinitionIds": [
              "[parameters('policyDefinitionID')]"
            ],
            "existenceCondition": {
              "field": "Microsoft.Authorization/locks/level",
              "equals": "CanNotDelete"
            },
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "resources": [
                    {
                      "name": "PolicyDeleteLock",
                      "type": "Microsoft.Authorization/locks",
                      "apiVersion": "2016-09-01",
                      "properties": {
                        "level": "CanNotDelete",
                        "notes": "Set by policy RG_ResourceLockCheck"
                      }
                    }
                  ],
                  "outputs": {
                    "policy": {
                      "type": "string",
                      "value": "locked RG"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }]
}

It will run once the command is given.
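As an added example, not part of the question or of either answer, here is a small Python linter that encodes the rule both answers rely on: ARM evaluates every JSON string that starts with a single "[" at deployment time, so a parameters('x') reference inside policyRule must either be escaped with "[[" (first answer) or refer to a parameter that exists in the template's own "parameters" block (second answer). The function names, the finding kinds and SAMPLE_TEMPLATE (a trimmed, constructed copy of the question's template) are my own and are not part of any Azure tooling.

```python
"""Lint a subscription-level ARM template that wraps an Azure Policy definition.
ARM resolves parameters('x') in any "[...]" string against the template's
parameters, so policy-parameter references inside policyRule must be written
"[[...]" (ARM emits a literal "[" and Azure Policy evaluates the rest).
"""
import copy
import re

# Matches parameters('name') inside an ARM or policy expression.
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
POLICY_TYPE = "Microsoft.Authorization/policyDefinitions"


def is_arm_expression(value):
    """True for strings ARM will evaluate: "[...]" but not the "[[" escape."""
    return (isinstance(value, str) and value.startswith("[")
            and not value.startswith("[[") and value.endswith("]"))


def walk(node, path=()):
    """Yield (path, string) for every string leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, path + (index,))
    elif isinstance(node, str):
        yield path, node


def lint_policy_template(template):
    """Return findings (dicts); an empty list means ARM's parameter resolution
    will succeed for every policyDefinitions resource in the template."""
    template_params = set(template.get("parameters", {}))
    findings = []
    for i, resource in enumerate(template.get("resources", [])):
        if resource.get("type") != POLICY_TYPE:
            continue
        policy_params = set(resource.get("properties", {}).get("parameters", {}))
        for path, value in walk(resource, ("resources", i)):
            if not is_arm_expression(value):
                continue
            in_rule = "policyRule" in path
            for name in PARAM_REF.findall(value):
                if name in template_params:
                    if in_rule and name in policy_params:
                        # Second answer's approach: ARM substitutes the template
                        # value, so the same-named policy parameter is never used.
                        findings.append({"kind": "shadowed_by_template_parameter",
                                         "path": path, "param": name})
                    continue
                if in_rule and name in policy_params:
                    # First answer's approach: escape so Azure Policy evaluates it.
                    findings.append({"kind": "needs_escape", "path": path,
                                     "param": name, "fix": "[" + value})
                else:
                    findings.append({"kind": "undeclared_parameter",
                                     "path": path, "param": name})
    return findings


def _set_at(root, path, value):
    node = root
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value


def escape_policy_rule(template):
    """Return a copy in which every 'needs_escape' expression is prefixed by "["."""
    fixed = copy.deepcopy(template)
    done = set()
    for finding in lint_policy_template(fixed):
        if finding["kind"] == "needs_escape" and finding["path"] not in done:
            done.add(finding["path"])
            _set_at(fixed, finding["path"], finding["fix"])
    return fixed


# Constructed sample: a trimmed copy of the question's template with the same
# two unescaped policy expressions inside policyRule.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"policyDefinitionName": {"type": "string"}},
    "resources": [{
        "type": POLICY_TYPE,
        "name": "[parameters('policyDefinitionName')]",
        "apiVersion": "2019-09-01",
        "properties": {
            "mode": "All",
            "parameters": {"tagName": {"type": "String"},
                           "tagValue": {"type": "String"}},
            "policyRule": {
                "if": {"allOf": [
                    {"field": "type",
                     "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
                    {"field": "[concat('tags[', parameters('tagName'), ']')]",
                     "notEquals": "[parameters('tagValue')]"},
                ]},
                "then": {"effect": "deployIfNotExists",
                         "details": {"type": "Microsoft.Authorization/locks"}},
            },
        },
    }],
}

if __name__ == "__main__":
    for finding in lint_policy_template(SAMPLE_TEMPLATE):
        print(finding["kind"], "/".join(map(str, finding["path"])), finding["param"])
```

Run against the question's template, the linter reports the two policyRule expressions (tagName and tagValue) as needs_escape, and escape_policy_rule() rewrites them to "[[concat(...)]" and "[[parameters('tagValue')]" exactly as the first answer prescribes. The shadowed_by_template_parameter finding describes what the second answer's template does: ARM substitutes the template values at deployment time, so the policy is created with the tag name and value fixed and the policy's own tagName/tagValue parameters are never consulted; the "[[" form keeps them as parameters that are supplied at policy assignment.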