How can I create an Azure policy that validates Resource Group Names

Question

I am trying to create an Azure policy which I can assign at the subscription level, and control the naming of the resource groups in the subscription.

Policies need to target a resource type or otherwise limit their application, else they apply globally to all resources.

What resource type (or other method) can I use to limit my validation to the resource group name only?

This is what I am trying:

$definition = New-AzureRmPolicyDefinition -Name resourceGroupNamePatterns `
   -Description "Restrict resource group names to allowed prefixes only" -Policy '{
    "if": {
        "allOf": [
          {
            "not": {
              "field": "name",
              "like": "Pattern1-*"
            }
          },
          {
            "not": {
              "field": "name",
              "like": "Pattern2-*"
            }
          },
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourcegroups"
          }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

Recommended answer

Not sure if this question is still relevant, but at the time of posting Azure Policy did not support evaluation on resource groups.

The policy definition provided in the question is correct.

Please try updating your PowerShell version, and updating the policy definition. It will default to mode: all, which in turn will enable policy evaluation on resource groups.

Documentation about Policy mode: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Mode

The mode determines which resource types will be evaluated for a policy. The supported modes are:

  • all: evaluate resource groups and all resource types
  • indexed: only evaluate resource types that support tags and location

We recommend that you set mode to all. All policy definitions created through the portal use the all mode. If you use PowerShell or Azure CLI, you need to specify the mode parameter and set it to all.
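
The fix described in the answer, written out as an added example (not code from the original post): the question's rule with the mode set explicitly to All, assigned at subscription scope, followed by a check of the stored mode. It assumes an AzureRM.Resources version whose New-AzureRmPolicyDefinition has the -Mode parameter and an authenticated session; the subscription ID is a placeholder, and the assignment name, test resource group name and location are hypothetical.

```powershell
# Added example. Assumes an AzureRM.Resources version that exposes -Mode
# and a session already signed in to the target subscription.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Same rule as in the question: deny resource groups whose name matches
# neither allowed prefix. With mode All every resource type is evaluated,
# so the "type" condition is what limits the deny to resource groups.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourcegroups" },
      { "not": { "field": "name", "like": "Pattern1-*" } },
      { "not": { "field": "name", "like": "Pattern2-*" } }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Fail locally on malformed JSON instead of at the API call.
$null = $rule | ConvertFrom-Json

$definition = New-AzureRmPolicyDefinition -Name resourceGroupNamePatterns `
    -Description 'Restrict resource group names to allowed prefixes only' `
    -Mode All `
    -Policy $rule

# Assign at subscription scope so every new resource group is evaluated.
# 'rg-name-patterns' is a hypothetical assignment name.
New-AzureRmPolicyAssignment -Name 'rg-name-patterns' `
    -Scope "/subscriptions/$subscriptionId" `
    -PolicyDefinition $definition

# Confirm the stored mode: a definition left at Indexed is never
# evaluated against resource groups, so the deny would silently not apply.
(Get-AzureRmPolicyDefinition -Name resourceGroupNamePatterns).Properties.mode

# Negative check once the assignment is in effect: this hypothetical name
# matches neither prefix, so the request should be rejected by the policy.
New-AzureRmResourceGroup -Name 'Other-rg' -Location 'westeurope'
```

The rule only affects create and update requests made after the assignment takes effect; resource groups that already exist with non-conforming names are not renamed or removed by a deny effect.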
