azure policy : only allow certain tag values in azure resources group tag
My resource groups have an environment tag for which only specific values are allowed: "dev,test,prod". I want to enforce this with Azure Policy, so that the policy denies the creation of any resource group that does not have one of the "dev,test,prod" values in its environment tag. My policy code is as follows:
{
  "properties": {
    "displayName": "Allowed tag values for Resource Groups",
    "description": "This policy enables you to restrict the tag values for Resource Groups.",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "allowedTagValues": {
        "type": "array",
        "metadata": {
          "description": "The list of tag values that can be specified when deploying resource groups",
          "displayName": "Allowed tag values"
        },
        "defaultValue": [
          "dev", "test", "prod"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "tags[environment]",
            "notIn": "[parameters('allowedTagValues')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
  "name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}
This has no effect at all. I also tried this:
{
  "not": {
    "field": "tags[environment]",
    "in": "[parameters('allowedTagValues')]"
  }
}
That doesn't work either.
Any suggestions?
You need to pass the tag values "dev","test","prod" as the allowed values of the listofallowedTags parameter, as shown below.
Based on your requirement, we created the following policy definition. We tested it in our local environment and it works well.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "in": "[parameters('listofallowedtagValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the audit policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "environment"
    },
    "listofallowedtagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Tag Values",
        "description": "Value of the tag, such as 'production'"
      },
      "allowedValues": [
        "dev",
        "test",
        "prod"
      ]
    }
  }
}
Note: as shown in the image below, the custom policy is assigned to the subscription.
Here is some sample output for reference:
- In the example below, we passed a value for the environment tag other than the 3 values defined in the listofallowedtagValues parameter, and the resource group deployment failed because it does not comply with the policy.
- In the example below, we passed the environment tag value test, and the resource group deployment succeeded because it satisfies the policy.
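To make the rule in the answer concrete, here is a small toy evaluator (added here as an example; it is not Azure's policy engine and not code from the answer) that applies the answer's policyRule to a few constructed resource-group objects. It resolves the two template forms the rule uses, `[parameters('x')]` and `[concat('tags[', parameters('tagName'), ']')]`, evaluates `allOf` / `not` / `equals` / `in` / `notIn`, and returns the effect. It also models the `mode` difference between the two definitions on this page: Azure Policy evaluates resource groups only under mode `All`, so a definition with mode `Indexed`, as in the question, is skipped for resource groups. The sample resource groups, the `decide` helper and the case-insensitive string comparison are assumptions of this example, not part of the page.

```python
"""Toy Azure Policy evaluator for the answer's rule (added example, not Azure's engine)."""
import re

# The answer's policyRule, as a Python dict (same structure as the JSON above).
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"not": {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "in": "[parameters('listofallowedtagValues')]",
            }},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}

# Assignment-time parameter values, as the answer says to pass them.
ASSIGNMENT_PARAMS = {
    "effect": "Deny",
    "tagName": "environment",
    "listofallowedtagValues": ["dev", "test", "prod"],
}

_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_CONCAT_RE = re.compile(r"^\[concat\('([^']*)',\s*parameters\('([^']+)'\),\s*'([^']*)'\)\]$")


def resolve(expr, params):
    """Resolve [parameters('x')] and [concat('lit', parameters('x'), 'lit')]; else literal."""
    if not isinstance(expr, str):
        return expr
    m = _PARAM_RE.match(expr)
    if m:
        return params[m.group(1)]
    m = _CONCAT_RE.match(expr)
    if m:
        return m.group(1) + params[m.group(2)] + m.group(3)
    return expr


def field_value(resource, field):
    """Look up a policy field on a resource: 'type' or 'tags[name]'."""
    if field == "type":
        return resource.get("type")
    m = re.match(r"^tags\[(.+)\]$", field)
    if m:
        # A missing tag yields None, which is never 'in' the allowed list,
        # so an untagged resource group is denied by the answer's rule as well.
        return resource.get("tags", {}).get(m.group(1))
    raise ValueError(f"unsupported field: {field}")


def _norm(v):
    # Assumption for this toy: string comparisons are case-insensitive.
    return v.lower() if isinstance(v, str) else v


def evaluate(cond, resource, params):
    """Recursively evaluate a policy condition; True when the condition matches."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = _norm(field_value(resource, resolve(cond["field"], params)))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def decide(resource, mode="All", rule=POLICY_RULE, params=ASSIGNMENT_PARAMS):
    """Return the effect applied to `resource`, or 'Allow' when the rule does not match.
    Resource groups are evaluated only under mode 'All'; under 'Indexed' the
    definition is skipped for them, which is why the question's policy never fired."""
    is_rg = resource.get("type") == "Microsoft.Resources/subscriptions/resourceGroups"
    if mode == "Indexed" and is_rg:
        return "Allow"
    if evaluate(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params)
    return "Allow"


# Constructed sample resources (not from the page).
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
SAMPLES = {
    "rg-test": {"type": RG_TYPE, "tags": {"environment": "test"}},
    "rg-staging": {"type": RG_TYPE, "tags": {"environment": "staging"}},
    "rg-untagged": {"type": RG_TYPE, "tags": {}},
    "vm-1": {"type": "Microsoft.Compute/virtualMachines", "tags": {"environment": "staging"}},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name:12s} mode=All -> {decide(res):5s}  mode=Indexed -> {decide(res, mode='Indexed')}")
```

Running it shows `rg-test` allowed, `rg-staging` and `rg-untagged` denied, and the virtual machine untouched under mode `All`, while under mode `Indexed` every resource group passes through unevaluated.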