How to apply Azure resource locks to Resource Groups via Policy
Problem description
I'm trying to create an Azure policy which will deploy a resource lock with the level of 'CanNotDelete' to resource groups within a subscription.
Currently the policy is 100% compliant but no locks have been created by the policy.
I have the following in my JSON policy.rules file:
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Resources/resourceGroups"
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Authorization/locks",
      "existenceCondition": {
        "field": "Microsoft.Authorization/locks/level",
        "equals": "CanNotDelete"
      },
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/0000-0000-0000-0000-0000000"
      ],
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "location": {
                "type": "string"
              }
            },
            "resources": [
              {
                "type": "Microsoft.Authorization/locks",
                "apiVersion": "2017-04-01",
                "name": "ResourceLock",
                "properties": {
                  "level": "CanNotDelete",
                  "notes": "Prevent accidental deletion of resource groups"
                }
              }
            ]
          }
        }
      }
    }
  }
}
Recommended answer
Managed to get this working with two changes:
- The "if" statement path: Microsoft.Resources/subscriptions/resourceGroups
- For some reason the managed identity had not been created, which is required for the 'deployIfNotExists' policy effect.
I hope that helps anyone who runs into the same issue.
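The following is an added example, not the asker's, the answerer's, or Azure's own code. It restates the question's policy.rules document with the answer's first change applied (the type alias Microsoft.Resources/subscriptions/resourceGroups), and pairs it with a deliberately simplified, assumed model of how deployIfNotExists treats a resource, run over two constructed resource groups. The model is not the Azure Policy engine, but it reproduces the symptom in the question: with the original alias no resource group is in scope, so nothing is non-compliant and nothing is deployed. The unused "location" template parameter is dropped because an ARM template parameter with neither a default nor a supplied value fails deployment validation; the role definition GUID is a placeholder.

```python
"""Corrected policy.rules for locking resource groups, plus a toy evaluator.

Added example (not the asker's, the answerer's, or Azure's own code).
evaluate() is an assumed, simplified model of the deployIfNotExists effect.
"""
import json

RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
# Placeholder: substitute the GUID of a role that holds
# Microsoft.Authorization/locks/write (Owner or User Access Administrator).
ROLE_DEFINITION_ID = "/providers/Microsoft.Authorization/roleDefinitions/<role-definition-guid>"


def policy_rules(resource_group_type: str = RESOURCE_GROUP_TYPE) -> dict:
    """Return the policy.rules document; the type alias is a parameter so the
    question's original value can be compared against the corrected one."""
    return {
        "if": {"field": "type", "equals": resource_group_type},
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": "Microsoft.Authorization/locks",
                "existenceCondition": {
                    "field": "Microsoft.Authorization/locks/level",
                    "equals": "CanNotDelete",
                },
                "roleDefinitionIds": [ROLE_DEFINITION_ID],
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                            "contentVersion": "1.0.0.0",
                            "resources": [{
                                "type": "Microsoft.Authorization/locks",
                                "apiVersion": "2017-04-01",
                                "name": "ResourceLock",
                                "properties": {
                                    "level": "CanNotDelete",
                                    "notes": "Prevent accidental deletion of resource groups",
                                },
                            }],
                        },
                    }
                },
            },
        },
    }


def evaluate(rules: dict, resource: dict, related: list) -> str:
    """Simplified deployIfNotExists semantics (assumption, not the real engine):
    - a resource that fails the 'if' block is out of scope; it is never
      counted as non-compliant, so a policy that matches nothing reports
      100% compliance while deploying nothing;
    - an in-scope resource is compliant when a related resource of
      details.type satisfies existenceCondition; otherwise the remediation
      deployment is triggered."""
    cond = rules["if"]
    if resource.get(cond["field"]) != cond["equals"]:
        return "not-applicable"
    details = rules["then"]["details"]
    wanted = details["existenceCondition"]
    prop = wanted["field"].rsplit("/", 1)[1]  # alias .../locks/level -> properties.level
    for r in related:
        if r["type"] == details["type"] and r.get("properties", {}).get(prop) == wanted["equals"]:
            return "compliant"
    return "deploy"


# Constructed sample data: two resource groups, one already locked.
SAMPLE_GROUPS = [
    {"name": "rg-app", "type": RESOURCE_GROUP_TYPE, "locks": []},
    {"name": "rg-data", "type": RESOURCE_GROUP_TYPE, "locks": [
        {"type": "Microsoft.Authorization/locks", "properties": {"level": "CanNotDelete"}},
    ]},
]


def compliance_report(rules: dict) -> dict:
    """Map each sample resource group to the outcome evaluate() gives it."""
    return {g["name"]: evaluate(rules, g, g["locks"]) for g in SAMPLE_GROUPS}


if __name__ == "__main__":
    print("original alias :", compliance_report(policy_rules("Microsoft.Resources/resourceGroups")))
    print("corrected alias:", compliance_report(policy_rules()))
    print(json.dumps(policy_rules(), indent=2))
```

The answer's second change happens at assignment time, not in the rules document: the assignment needs a managed identity that holds the role in roleDefinitionIds. With Azure CLI that is, for instance, `az policy assignment create --name lock-rgs --policy <definition-name> --scope /subscriptions/<subscription-id> --mi-system-assigned --location <region> --role Owner --identity-scope /subscriptions/<subscription-id>` (values in angle brackets are placeholders), after which `az policy remediation create` applies the lock to groups that already exist. Two checks worth making before assigning: the policy definition must use "mode": "All", because resource groups are not evaluated in Indexed mode, and the role must include Microsoft.Authorization/locks/write, which Contributor does not have, so the identity needs Owner or User Access Administrator (or a custom role with that action).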