I can't figure out a way to assign multiple accepted variables on a single tag.
Say we have an "Environment" tag.
I want the only accepted variables to be "Production, Testing, Pending".
But I can only assign one variable per tag.
I tried using the pre-built policies and building around them, since I'm new to policy.
I have a tag "Environment".
I created the Environment tag on the sub-page so it shows up in the drop-down menu.
I tried creating multiple variables in the variables section, but I can only create one.
I can get it working with one variable (e.g. Production), but if I assign multiple variables in the text box it just adds them as a single value; I tried separating them with (" ' ; ; :), which seemed to work.
{
"properties": {
"displayName": "Require tag and its value",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Enforces a required tag and its value. Does not apply to resource groups.",
"metadata": {
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"equals": "[parameters('tagValue')]"
}
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "1e30110a-5ceb-460c-a204-c1c3969c6d62"
}
When entering the tag and the variable:
"parameters": {
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'environment'"
    }
  },
  "tagValue": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Value",
      "description": "Value of the tag, such as 'production'"
    }
  }
}
I'd like to know whether I could add secondary tag values "tagValue1, 2, 3 etc.":
"tagValue": {
  "type": "String",
  "metadata": {
    "displayName": "Tag Value",
    "description": "Value of the tag, such as 'production'"
  }
},
"tagValue1": {
  "type": "String",
  "metadata": {
    "displayName": "Tag Value",
    "description": "Value of the tag, such as 'Testing'"
  }
},
"tagValue2": {
  "type": "String",
  "metadata": {
    "displayName": "Tag Value",
    "description": "Value of the tag, such as 'Pending'"
  }
}
Any other variable for this tag should be rejected. But I can't get it to work.
Answer 0 (score: 0)
You can take an example from the Azure documentation site: https://docs.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups
If the policy does not need any parameters:
{
"properties": {
"displayName": "Enforce tag Environment and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf": [
{
"field": "tags[Environment]",
"notEquals": "Production"
},
{
"field": "tags[Environment]",
"notEquals": "Testing"
},
{
"field": "tags[Environment]",
"notEquals": "Pending"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
With parameters:
{
"properties": {
"displayName": "Enforce tag and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"description": "Name of the tag, such as costCenter"
}
},
"tagValue1": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as production"
}
},
"tagValue2": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as testing"
}
},
"tagValue3": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as pending"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf" : [
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue1')]"
},
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue2')]"
},
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue3')]"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
If you are creating the policy through the Azure portal, you don't need to copy the displayName, description and properties:
Answer 1 (score: 0)
I think you need to use the in property. From the examples:
"parameters": {
"allowedLocations": {
"type": "array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}
Then you can reference it:
{
"field": "location",
"in": "[parameters('allowedLocations')]"
}
Answer 2 (score: 0)
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "tags[Environment]",
"notEquals": "Production"
},
{
"field": "tags[Environment]",
"notEquals": "Testing"
},
{
"field": "tags[Environment]",
"notEquals": "Pending"
}
]
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Thanks for the excellent help so far, but even though I'm validating the values I entered (pending, Testing or Production), I get the following error when validating a new VM:
{
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed because of policy violation. Please see details for more information.",
"details": [
{
"code": "RequestDisallowedByPolicy",
"target": "tester123",
"message": "Resource 'tester123' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Enforce tag Environment\",\"id\":\"/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyAssignments/363b1c045401446eafdd29bf\"},\"policyDefinition\":{\"name\":\"Enforce tag Environment\",\"id\":\"/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyDefinitions/7be665bc-57a5-451d-b159-6cabcfd1042a\"}}]'.",
"additionalInfo": [
{
"type": "PolicyViolation",
"info": {
"policyDefinitionDisplayName": "Enforce tag Environment",
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "Field",
"expression": "type",
"path": "type",
"expressionValue": "Microsoft.Compute/virtualMachines",
"targetValue": "Microsoft.Compute/virtualMachines",
"operator": "Equals"
},
{
"result": "True",
"expressionKind": "Field",
"expression": "tags[Environment]",
"path": "tags[Environment]",
"expressionValue": "Testing",
"targetValue": "Production",
"operator": "NotEquals"
}
]
},
"policyDefinitionId": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyDefinitions/7be665bc-57a5-451d-b159-6cabcfd1042a",
"policyDefinitionName": "7be665bc-57a5-451d-b159-6cabcfd1042a",
"policyDefinitionEffect": "deny",
"policyAssignmentId": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyAssignments/363b1c045401446eafdd29bf",
"policyAssignmentName": "363b1c045401446eafdd29bf",
"policyAssignmentDisplayName": "Enforce tag Environment",
"policyAssignmentScope": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8",
"policyAssignmentParameters": {}
}
}
]
}
]
}
At least as I read it, I'm failing because of a wrong target value. But I thought any of the 3 options defined in the policy definition would be OK? At least I figured out how to target only our VMs, or at least I think I did.
Answer 3 (score: 0)
There is a solution for restricting basic values called "allowedValues": https://docs.microsoft.com/pl-pl/azure/governance/policy/concepts/definition-structure
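The error report above is consistent with a logic problem in the rule shared in Answer 0 and Answer 2 rather than a wrong tag value: `anyOf` over three `notEquals` conditions is true for every resource, because no single tag value can equal Production, Testing and Pending at the same time (the evaluation details show exactly that: `Testing` NotEquals `Production` is True, so the deny fires). Joining the conditions with `allOf` instead denies only when the tag matches none of the allowed values, and the `in` operator from Answer 1 together with an array parameter using `allowedValues` (Answer 3) expresses the same intent more compactly. The following is an added example, not code from the thread or from Azure: a small simulator for just the subset of the policy language used here (`allOf`/`anyOf`/`not`, `equals`/`notEquals`/`in`, `parameters()` and `concat()`), run against constructed VM resources. Its treatment of an absent tag as `None` is the simulator's own convention and should be confirmed against the Azure Policy documentation before relying on it; the parameter names `tagName` and `allowedEnvironments` in the `in`-based policy are chosen for this example.

```python
import re

# Template-expression shapes used in the thread's policies (added example, not Azure's engine).
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
CONCAT_RE = re.compile(r"^\[concat\((.*)\)\]$")
ARG_RE = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")


def resolve(value, params):
    """Resolve [parameters('x')] and [concat('lit', parameters('x'), ...)]; other values pass through."""
    if not isinstance(value, str):
        return value
    m = PARAM_RE.match(value)
    if m:
        return params[m.group(1)]
    m = CONCAT_RE.match(value)
    if m:
        return "".join(params[name] if name else lit for lit, name in ARG_RE.findall(m.group(1)))
    return value


def field_value(resource, field):
    """'type' -> the resource type; 'tags[Name]' -> that tag's value, or None when the tag is absent."""
    m = re.match(r"^tags\[(.+)\]$", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def evaluate(cond, resource, params):
    """True when the condition matches. An absent tag compares as None: this simulator's convention."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = field_value(resource, resolve(cond["field"], params))
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def is_denied(policy, resource, params=None):
    """True when the 'if' block matches and the effect is deny; unset parameters take their defaultValue."""
    params = dict(params or {})
    for name, spec in policy.get("parameters", {}).items():
        params.setdefault(name, spec.get("defaultValue"))
    rule = policy["policyRule"]
    return evaluate(rule["if"], resource, params) and rule["then"]["effect"] == "deny"


def environment_rule(combinator):
    """The VM rule from the thread; `combinator` is the operator joining the three notEquals checks."""
    return {"mode": "All", "parameters": {}, "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {combinator: [{"field": "tags[Environment]", "notEquals": v}
                          for v in ("Production", "Testing", "Pending")]},
        ]},
        "then": {"effect": "deny"}}}


# As posted: no value equals all three, so some notEquals is always true and anyOf always denies.
BROKEN_POLICY = environment_rule("anyOf")
# Fixed: deny only when the tag differs from every allowed value.
FIXED_POLICY = environment_rule("allOf")

# The 'in' form with an Array parameter and allowedValues; parameter names are this example's own choice.
IN_POLICY = {"mode": "All", "parameters": {
    "tagName": {"type": "String", "defaultValue": "Environment"},
    "allowedEnvironments": {"type": "Array",
                            "allowedValues": ["Production", "Testing", "Pending"],
                            "defaultValue": ["Production", "Testing", "Pending"]}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                 "in": "[parameters('allowedEnvironments')]"}}]},
        "then": {"effect": "deny"}}}


def vm(env=None):
    """Constructed sample VM resource; env=None means there is no Environment tag at all."""
    return {"type": "Microsoft.Compute/virtualMachines",
            "tags": {} if env is None else {"Environment": env}}


def decisions(policy):
    """Tag value -> True (denied) / False (allowed) for a few constructed tag values."""
    return {env: is_denied(policy, vm(env)) for env in ("Production", "Testing", "Pending", "Dev", None)}


if __name__ == "__main__":
    for label, policy in (("anyOf, as posted", BROKEN_POLICY), ("allOf", FIXED_POLICY), ("not/in", IN_POLICY)):
        print(f"{label:17} {decisions(policy)}")
```

Running it shows the posted `anyOf` rule denying every sample VM, including the correctly tagged ones, while both the `allOf` and the `not`/`in` variants allow Production, Testing and Pending and deny an unknown value or a missing tag. The `in`-based policy is also the one to prefer operationally: the accepted list lives in a single parameter whose `allowedValues` stops an assignment from widening it to arbitrary values, so a change to the accepted environments is a parameter change rather than a rewrite of the rule.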