Azure Policy: only allow certain tag values in Azure resource group tags

kgsdhlau posted on 2022-11-17 in Other
Follow (0) | Answers (1) | Views (143)

My resource groups have an environment tag for which only the specific values "dev,test,prod" are allowed. I want to enforce this with an Azure Policy that denies the creation of any resource group whose environment tag does not hold one of the values "dev,test,prod". My policy code is as follows:

{
    "properties": {
        "displayName": "Allowed  tag values for Resource Groups",
        "description": "This policy enables you to restrict the tag values for Resource Groups.",
        "policyType": "Custom",
        "mode": "Indexed",
        "metadata": {
            "version": "1.0.0",
            "category": "Tags"
        },
        "parameters": {
            "allowedTagValues": {
                "type": "array",
                "metadata": {
                    "description": "The list of tag values that can be specified when deploying resource groups",
                    "displayName": "Allowed tag values"
                },
                "defaultValue": [
                    "dev","test","prod"
                ]
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "tags[environment]",
                        "notIn": "[parameters('allowedTagValues')]"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    },
    "id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
    "name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}

This has no effect at all. I also tried this:

{
    "not": {
        "field": "tags[environment]",
        "in": "[parameters('allowedTagValues')]"
    }
}

Neither approach works.
Any suggestions?

pieyvz9o 1#

You need to pass the tag values "dev","test","prod" as the allowed values of the parameter listofallowedTags, as shown below.
Based on your requirement, we created the following policy definition. We tested it in our local environment and the definition works fine.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "in": "[parameters('listofallowedtagValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the audit policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "environment"
    },
    "listofallowedtagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Tag Values",
        "description": "Value of the tag, such as 'production'"
      },
      "allowedValues": [
        "dev",
        "test",
        "prod"
      ]
    }
  }
}

**Note:** As shown in the screenshot below, the custom policy has been assigned to the subscription.

Here is some sample output for reference:

  • In the example below, we passed a value for the environment tag other than the three values defined in the listofallowedtagValues parameter, and the resource group deployment failed because it did not satisfy the policy requirement.

  • In the example below, we passed test as the environment tag value, and the resource group deployment succeeded because it satisfies the policy requirement.
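To check what the answer's rule does before assigning it (including the edge cases the screenshots do not show: a resource group with no environment tag at all, and a tag written with different casing), here is a small offline evaluator. This is an added example, not code from the question, the answer, or Microsoft; it mirrors the answer's policy rule and parameters but only models the operators that appear on this page (allOf, not, field with equals/in/notIn, and the `[parameters()]` / `[concat()]` expressions). The resource-group objects, the assignment parameters, and the helper names (`evaluate`, `evaluate_all`, `with_not_in`) are all constructed for the example. It does not model policy mode; note that the answer's definition uses mode All instead of the question's Indexed, which is also the mode Microsoft's built-in resource-group tag policies use.

```python
"""Offline evaluator for the subset of Azure Policy language used in the answer above.
Constructed example: models allOf, not, field equals/in/notIn and the parameters()/
concat() expressions only. Policy mode is not modeled."""
import copy
import re

# Trimmed copy of the answer's definition (metadata omitted). listofallowedtagValues
# has allowedValues but no defaultValue, so the assignment must supply it, which is
# the point the answer makes.
POLICY = {
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                     "in": "[parameters('listofallowedtagValues')]"}},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
    "parameters": {
        "effect": {"type": "String", "allowedValues": ["Audit", "Deny", "Disabled"], "defaultValue": "Deny"},
        "tagName": {"type": "String", "defaultValue": "environment"},
        "listofallowedtagValues": {"type": "Array", "allowedValues": ["dev", "test", "prod"]},
    },
}

# Constructed resource objects, shaped the way the evaluator reads them (not real resources).
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
SAMPLE_RESOURCES = [
    {"name": "rg-app-dev", "type": RG_TYPE, "tags": {"environment": "dev"}},
    {"name": "rg-app-staging", "type": RG_TYPE, "tags": {"environment": "staging"}},
    {"name": "rg-untagged", "type": RG_TYPE, "tags": {}},
    {"name": "rg-caps", "type": RG_TYPE, "tags": {"Environment": "Prod"}},
    {"name": "stgacct", "type": "Microsoft.Storage/storageAccounts", "tags": {"environment": "lab"}},
]
# Parameter values given at assignment time (constructed).
ASSIGNMENT_PARAMETERS = {"listofallowedtagValues": ["dev", "test", "prod"]}


def resolve_parameters(spec, assigned):
    """Assignment values win over defaultValue; every value must lie within allowedValues."""
    values = {}
    for name, p in spec.items():
        if name in assigned:
            values[name] = assigned[name]
        elif "defaultValue" in p:
            values[name] = p["defaultValue"]
        else:
            raise ValueError(f"parameter {name!r} has no value and no defaultValue")
        if "allowedValues" in p:
            given = values[name] if isinstance(values[name], list) else [values[name]]
            bad = [v for v in given if v not in p["allowedValues"]]
            if bad:
                raise ValueError(f"parameter {name!r}: {bad} not in allowedValues")
    return values


def evaluate_expression(expr, params):
    """Resolve "[parameters('x')]" and "[concat('lit', parameters('x'), ...)]"; other values pass through."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1]
    m = re.fullmatch(r"parameters\('([^']+)'\)", inner)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", inner)
    if m:
        pieces = re.findall(r"'([^']*)'|parameters\('([^']+)'\)", m.group(1))
        return "".join(params[pname] if pname else literal for literal, pname in pieces)
    raise ValueError(f"unsupported expression: {expr}")


def get_field(resource, field):
    """Aliases used on this page: 'type' and 'tags[<name>]'. Tag names are matched
    case-insensitively (as Azure Policy does); an absent tag yields None."""
    if field == "type":
        return resource.get("type")
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        wanted = m.group(1).lower()
        return next((v for k, v in resource.get("tags", {}).items() if k.lower() == wanted), None)
    raise ValueError(f"unsupported field: {field}")


def _norm(value):
    # Modeled as case-insensitive string comparison, as Azure Policy's equals/in conditions are.
    return value.lower() if isinstance(value, str) else value


def evaluate_condition(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = _norm(get_field(resource, evaluate_expression(cond["field"], params)))
    if "equals" in cond:
        return actual == _norm(evaluate_expression(cond["equals"], params))
    if "in" in cond:
        # An absent tag is not "in" any list, so the answer's not/in wrapper denies it too.
        return actual is not None and actual in [_norm(v) for v in evaluate_expression(cond["in"], params)]
    if "notIn" in cond:
        return actual is None or actual not in [_norm(v) for v in evaluate_expression(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def evaluate(policy, resource, assigned=None):
    """Effect the rule produces for `resource`, or None when the if-block does not match."""
    params = resolve_parameters(policy["parameters"], assigned or {})
    rule = policy["policyRule"]
    return evaluate_expression(rule["then"]["effect"], params) if evaluate_condition(rule["if"], resource, params) else None


def evaluate_all(policy=POLICY, resources=SAMPLE_RESOURCES, assigned=ASSIGNMENT_PARAMETERS):
    """Verdict per resource name."""
    return {r["name"]: evaluate(policy, r, assigned) for r in resources}


def with_not_in(policy):
    """Same rule written with the question's first form (notIn) instead of the answer's not/in."""
    p = copy.deepcopy(policy)
    tag_cond = p["policyRule"]["if"]["allOf"][1]["not"]
    p["policyRule"]["if"]["allOf"][1] = {"field": tag_cond["field"], "notIn": tag_cond["in"]}
    return p


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:16} -> {verdict or 'allowed (no match)'}")
```

Two things the run makes visible: the untagged resource group is denied just like the one tagged "staging", because `not`/`in` (and `notIn`) match when the tag is missing, so the rule also acts as a "tag required" policy; and the `notIn` form from the question yields the same verdicts as the answer's `not`/`in`, so the condition syntax was not what kept the original definition from firing. Assigning without supplying listofallowedtagValues, or supplying a value outside its allowedValues, is rejected by `resolve_parameters`, which is the parameter behaviour the answer relies on.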
