我想创建一个自定义Azure策略JSON,该JSON可以读取Azure资源并确保它遵循我们的标准化命名约定。例如,我正在尝试为虚拟机,云服务和Redis缓存设置它。
{
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "gz?????????#?##"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.ClassicCompute/domainNames"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "GZ?-??????-??#-???-??????-###"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Cache/Redis"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "gz?????????#???###"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
我不认为Azure允许存在多个IF,例如我试图设置它的方式。我要它做的是这样:
如果资源是VM,但不符合该约定,则进行审核。 如果资源是云服务,并且与该约定不匹配,请进行审核。 如果资源是Redis缓存,但与该约定不匹配,请进行审核。
答案 0 :(得分:0)
您应该使用initiative(策略集定义)来组织多个相关策略,如下所示。与具有每种资源类型的条件的单个策略定义相比,这将更易于维护,并使您可以看到整个命名约定策略集和每个单独策略的合规性结果。
例如:
"properties": {
"displayName": "Naming conventions",
"policyType": "Custom",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit"
}
},
"policyDefinitions": [
{
"policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR VIRTUAL MACHINE NAMING CONVENTION POLICY ID>",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
},
{
"policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR DOMAIN NAME NAMING CONVENTION POLICY ID>",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
}
]
}
}
我不推荐这样做,但是如果必须在一个定义中组合多个类型,则可以使用anyOf,例如:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"field": "name",
"match": "gz?????????#?##"
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.ClassicCompute/domainNames"
},
{
"not": {
"field": "name",
"match": "GZ?-??????-??#-???-??????-###"
}
}
]
}
]
},
"then" : {
"effect" : "audit"
}
}