Azure Policy Deny:如果资源组名称中不存在标签之一 [英] Azure Policy Deny :if one of the tag not present in the resource group name

查看:138
本文介绍了Azure Policy Deny:如果资源组名称中不存在标签之一的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我创建了一个Azure策略,如果用户未使用键"Env"或"use"指定标签,则我想拒绝创建资源组

I've created an Azure Policy, i wanted to deny the resource group creation if user doesn't specify tag with key "Env" or "use"

但是,当我用Env标签创建资源组时,它阻止了我,仅当我同时添加env和use标签时,它才允许我使用.

But when i create the resource group with Env tag it blocks me, it only allows me when i add both the tag which is env and use.

根据我的理解,天蓝色策略中的"anyof"被用作"OR",但我的代码却没有同样的效果

As per my understanding "anyof" in azure policy is used as "OR" but my code isn't behaving the same wa

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyof": [
          {
            "field": "tags.Env",
            "exists": false
          },
          {
            "field": "tags.use",
            "exists": false
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

基于Chris的建议,我已经处理了标签名称和值,但是这给了我政策上的错误,并且没有采用不接受"

Based on the Chris's suggestion I've worked on the tag name and values but it is giving me an error in the policy and it is not taking the "NOT"

{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not":{
        {
          "field": "tags.Env",
          "equals" : "Prod"
        },
        {
          "field": "tags.OS",
          "equals" : "windows"
        }
                  }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

推荐答案

现在,就像您提到的,该策略正在评估"tags.Env不存在或tag.use不存在".如果任何一个标签都不存在,您将被拒绝.

Right now, like you mentioned, the policy is evaluating if "tags.Env doesn't exist OR tags.use doesn't exist". If either tag does not exist you will be denied.

您要拒绝的是"tags.Env不存在且tag.use不存在".这意味着它们都丢失了,而这正是您要防止的.

What you want is to deny if "tags.Env doesn't exist AND tags.use doesn't exist". That would imply that they are both missing which is what you are trying to prevent.

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
         "field": "tags.Env",
         "exists": false
       },
       {
         "field": "tags.use",
         "exists": false
       }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

这篇关于Azure Policy Deny:如果资源组名称中不存在标签之一的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆