创建资源组时用于创建标签的 Azure Policy 不起作用
Azure Policy for tag creation when a Resource Group is created is not working
我在 Azure Policy 下创建了具有“修改”效果和“addorreplace”操作的。
我正在通过 Terraform 创建资源组、策略定义、策略分配和角色分配。
我希望在创建资源组并应用策略后立即应用标签(因此基本上资源组将使用标签创建,因为策略分配是资源组级别)。
政策定义如下:
{
"properties": {
"displayName": "Subscription Tags",
"policyType": "Custom",
"mode": "All",
"description": "",
"metadata": {
"category": "General",
"createdBy": "a8cf4bcb-fa6d-4ace-ae63-fbeee97299d4",
"createdOn": "2021-08-26T11:27:02.358131Z",
"updatedBy": null,
"updatedOn": null
},
"parameters": {
"SubscriptionOwner": {
"type": "String",
"metadata": {
"description": "Subscription Owner",
"displayName": "Subscription Owner"
}
},
"SubscriptionOwnerTagName": {
"type": "String",
"metadata": {
"description": "Subscription Owner Tag Name",
"displayName": "Subscription Owner Tag Name"
}
},
"resourceType": {
"type": "String",
"metadata": {
"description": "resourceType",
"displayName": "Resource Type"
}
}
},
"policyRule": {
"if": {
"allof": [
{
"equals": "Microsoft.Resources/subscriptions/resourceGroups",
"field": "type"
},
{
"anyOf": [
{
"anyOf": [
{
"exists": "false",
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]"
},
{
"allOf": [
{
"exists": "true",
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]"
},
{
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
"notEquals": "[parameters('SubscriptionOwner')]"
}
]
}
]
}
]
}
]
},
"then": {
"details": {
"operations": [
{
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
"operation": "addOrReplace",
"value": "[parameters('SubscriptionOwner')]"
},
{
"field": "[concat('tags[', parameters('resourceType'), ']')]",
"operation": "addOrReplace",
"value": "[resourceGroup().id]"
}
],
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"effect": "modify"
}
}
},
"id": "/subscriptions/6e268af1-b2a7-44a7-9a1a-9025889dbe5d/providers/Microsoft.Authorization/policyDefinitions/MyCustomPolicy",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "MyCustomPolicy"
}
问题是,没有使用资源组创建标签,合规性说“不合规”。我必须创建一个补救任务,一旦我 运行 任务,就会创建标签。
我找不到原因,因为 document 说一旦创建资源就应该创建标签。只有现有资源需要修复任务。
任何帮助。
- 现有分配范围内的新资源或更新资源将在大约 15 分钟内可用。
- 一项新政策或倡议
申请作业大约需要 30 分钟。
https://docs.microsoft.com/en-us/azure/governance/policy/troubleshoot/general#cause-1
我在 Azure Policy 下创建了具有“修改”效果和“addorreplace”操作的。
我正在通过 Terraform 创建资源组、策略定义、策略分配和角色分配。 我希望在创建资源组并应用策略后立即应用标签(因此基本上资源组将使用标签创建,因为策略分配是资源组级别)。
政策定义如下:
{
"properties": {
"displayName": "Subscription Tags",
"policyType": "Custom",
"mode": "All",
"description": "",
"metadata": {
"category": "General",
"createdBy": "a8cf4bcb-fa6d-4ace-ae63-fbeee97299d4",
"createdOn": "2021-08-26T11:27:02.358131Z",
"updatedBy": null,
"updatedOn": null
},
"parameters": {
"SubscriptionOwner": {
"type": "String",
"metadata": {
"description": "Subscription Owner",
"displayName": "Subscription Owner"
}
},
"SubscriptionOwnerTagName": {
"type": "String",
"metadata": {
"description": "Subscription Owner Tag Name",
"displayName": "Subscription Owner Tag Name"
}
},
"resourceType": {
"type": "String",
"metadata": {
"description": "resourceType",
"displayName": "Resource Type"
}
}
},
"policyRule": {
"if": {
"allof": [
{
"equals": "Microsoft.Resources/subscriptions/resourceGroups",
"field": "type"
},
{
"anyOf": [
{
"anyOf": [
{
"exists": "false",
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]"
},
{
"allOf": [
{
"exists": "true",
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]"
},
{
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
"notEquals": "[parameters('SubscriptionOwner')]"
}
]
}
]
}
]
}
]
},
"then": {
"details": {
"operations": [
{
"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
"operation": "addOrReplace",
"value": "[parameters('SubscriptionOwner')]"
},
{
"field": "[concat('tags[', parameters('resourceType'), ']')]",
"operation": "addOrReplace",
"value": "[resourceGroup().id]"
}
],
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
},
"effect": "modify"
}
}
},
"id": "/subscriptions/6e268af1-b2a7-44a7-9a1a-9025889dbe5d/providers/Microsoft.Authorization/policyDefinitions/MyCustomPolicy",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "MyCustomPolicy"
}
问题是,没有使用资源组创建标签,合规性说“不合规”。我必须创建一个补救任务,一旦我 运行 任务,就会创建标签。
我找不到原因,因为 document 说一旦创建资源就应该创建标签。只有现有资源需要修复任务。
任何帮助。
- 现有分配范围内的新资源或更新资源将在大约 15 分钟内可用。
- 一项新政策或倡议 申请作业大约需要 30 分钟。
https://docs.microsoft.com/en-us/azure/governance/policy/troubleshoot/general#cause-1