Azure Policy: only allow certain tag values in an Azure resource group tag

My resource groups have an environment tag for which only the specific values "dev,test,prod" are allowed. I want to enforce this with an Azure Policy that denies the creation of any resource group whose environment tag does not carry one of the values "dev,test,prod". My policy code is as follows:

{
    "properties": {
        "displayName": "Allowed  tag values for Resource Groups",
        "description": "This policy enables you to restrict the tag values for Resource Groups.",
        "policyType": "Custom",
        "mode": "Indexed",
        "metadata": {
            "version": "1.0.0",
            "category": "Tags"
        },
        "parameters": {
            "allowedTagValues": {
                "type": "array",
                "metadata": {
                    "description": "The list of tag values that can be specified when deploying resource groups",
                    "displayName": "Allowed tag values"
                },
                "defaultValue": [
                    "dev","test","prod"
                ]
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "tags[environment]",
                        "notIn": "[parameters('allowedTagValues')]"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    },
    "id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
    "name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}

This has no effect at all. I also tried this:

            {
                "not": {
                    "field": "tags[environment]",
                    "in": "[parameters('allowedTagValues')]"
                }
            }

That does not work either.

Any suggestions?

You need to pass the tag values "dev","test","prod" as the allowed values of the parameter listofallowedTags, as shown below.

Based on your requirement, we created the following policy definition. We tested it in our local environment and it works fine.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "in": "[parameters('listofallowedtagValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the audit policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "environment"
    },
    "listofallowedtagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Tag Values",
        "description": "Value of the tag, such as 'production'"
      },
      "allowedValues": [
        "dev",
        "test",
        "prod"
      ]
    }
  }
}

Note: as shown in the image below, the custom policy has been assigned to the subscription.

Here are some sample outputs for reference:

  • In the example below, we passed a value for the environment tag other than the 3 values defined in the listofallowedtagValues parameter, and the resource group deployment failed because it does not meet the policy requirement.

  • In the example below, we passed the environment tag value test, and the resource group deployment succeeded because it meets the policy requirement.
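As an added offline check (not part of the question or the answer above), the following Python models in simplified form how the two definitions on this page evaluate a resource group: it resolves the [parameters()] and [concat('tags[', ...)] expressions, applies allOf/not/equals/in/notIn, and assumes, as Azure Policy does, that resource groups are only evaluated by definitions in All mode, which is what separates the question's Indexed definition from the working one. RG_TYPE, PARAMS, rg_tag_policy and the sample resource groups are constructed for this example.

```python
import re
# Constructed, simplified model of Azure Policy evaluation, not Azure's engine.
# Assumption: resource groups are evaluated only by definitions whose mode is
# "All"; "Indexed" skips them, which is why the question's definition never fires.
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

def resolve(expr, params):
    """Resolve the [parameters()] and [concat('tags[', ...)] expressions used above."""
    if not isinstance(expr, str) or not expr.startswith("["):
        return expr
    if m := re.fullmatch(r"\[parameters\('(\w+)'\)\]", expr):
        return params[m.group(1)]
    if m := re.fullmatch(r"\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]", expr):
        return f"tags[{params[m.group(1)]}]"
    raise ValueError(f"unsupported expression: {expr}")

def field_value(field, resource):
    """Read a policy field alias from the resource payload (missing tag -> None)."""
    if field == "type":
        return resource["type"]
    if m := re.fullmatch(r"tags\[(.+)\]", field):
        return resource.get("tags", {}).get(m.group(1))
    raise ValueError(f"unsupported field: {field}")

def evaluate(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    value = field_value(resolve(cond["field"], params), resource)
    if "equals" in cond:
        return value == resolve(cond["equals"], params)
    if "in" in cond:
        return value in resolve(cond["in"], params)
    return value not in resolve(cond["notIn"], params)  # a missing tag is "not in"

def effect_for(policy, resource, params):
    """Effect the definition applies to the resource, or None when it does not fire."""
    if resource["type"] == RG_TYPE and policy["mode"].lower() != "all":
        return None
    if evaluate(policy["policyRule"]["if"], resource, params):
        return resolve(policy["policyRule"]["then"]["effect"], params)
    return None

def rg_tag_policy(mode, tag_condition):
    """Definition shaped like the ones on this page, with the tag condition supplied."""
    return {"mode": mode, "policyRule": {"if": {"allOf": [{"field": "type", "equals": RG_TYPE},
            tag_condition]}, "then": {"effect": "[parameters('effect')]"}}}
PARAMS = {"effect": "Deny", "tagName": "environment", "listofallowedtagValues": ["dev", "test", "prod"]}
QUESTION_STYLE = rg_tag_policy("Indexed", {"field": "tags[environment]", "notIn": "[parameters('listofallowedtagValues')]"})
ANSWER_STYLE = rg_tag_policy("All", {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]", "in": "[parameters('listofallowedtagValues')]"}})
```

Running the question's notIn condition through rg_tag_policy("All", ...) shows the condition itself was sound; only the Indexed mode kept it from ever being evaluated against a resource group.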