Azure Policy check for an empty value


Problem description

I need an Azure Policy for tagging. I want a user to have to define a tag when a Resource Group is created. The Policy should also check that the tag value is not empty.

I tried the following:

{
  "properties": {
    "displayName": "Require a tag Billto and a value that is not empty",
    "policyType": "Custom",
    "mode": "All",
    "description": "Enforces a required tag and its value on resource groups.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'Billto'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'Costcenter'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[concat('tags[', parameters('tagValue'), ']')]",
            "equals": ""
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Can someone help me and give me the right code? Thanks, Thomas

Recommended answer

This policy definition will deny resource groups which have an empty value for the given tag, or are missing the tag altogether:

{
  "properties": {
    "mode": "All",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'Billto'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "anyOf": [
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": false
              },
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Breaking it down:

  1. parameters('tagName') resolves to the value of the parameter tagName. For the rest of this example, we'll use Billto as the tag name.
  2. "field": "[concat('tags[', parameters('tagName'), ']')]" resolves to "field": "tags[Billto]"
  3. "field": "tags[Billto]" will get the value of the Billto tag.
  4. If the resource doesn't have a Billto tag, the Billto tag won't have a value, so the "exists": false will be true and the policy will deny. If the Billto tag's value is empty, then "equals": "" will be true, and the policy will deny.
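
Added example (not part of the original question or answer): a simplified Python model of the condition operators used on this page, run against three constructed resource groups to compare the question's rule with the answer's rule. The evaluator, the sample tag value CC-1001 and the treatment of a missing tag as None are assumptions of this sketch; it is not Azure's policy engine.

```python
# Simplified model of the Azure Policy conditions used on this page
# (allOf / anyOf / field / value / exists / equals). Not Azure's engine.
import re

def resolve(expr, params):
    # "[concat('tags[', parameters('x'), ']')]" becomes "tags[<value of x>]"
    m = re.fullmatch(r"\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]", expr)
    return f"tags[{params[m.group(1)]}]" if m else expr

def field_value(name, resource):
    # Look up a field on the resource; a missing tag yields None (assumption)
    m = re.fullmatch(r"tags\[(.+)\]", name)
    return resource["tags"].get(m.group(1)) if m else resource.get(name)

def matches(cond, resource, params):
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "field" in cond:   # field: the resolved name is looked up on the resource
        actual = field_value(resolve(cond["field"], params), resource)
    else:                 # value: the resolved string itself is compared
        actual = resolve(cond["value"], params)
    if "exists" in cond:  # the page uses both "false" (string) and false (boolean)
        want = str(cond["exists"]).lower() == "true"
        return (actual is not None) == want
    return actual is not None and actual.lower() == cond["equals"].lower()

RG = {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"}
TAG = "[concat('tags[', parameters('tagName'), ']')]"
QUESTION_IF = {"allOf": [RG, {"field": TAG, "exists": "false"},
               {"value": "[concat('tags[', parameters('tagValue'), ']')]", "equals": ""}]}
ANSWER_IF = {"allOf": [RG, {"anyOf": [{"field": TAG, "exists": False},
                                      {"field": TAG, "equals": ""}]}]}
PARAMS = {"tagName": "Billto", "tagValue": "Costcenter"}

def rg(tags):  # constructed sample resource group
    return {"type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": tags}

SAMPLES = {"missing": rg({}), "empty": rg({"Billto": ""}), "set": rg({"Billto": "CC-1001"})}

def verdicts(rule_if):
    # True means the "if" block matched, so the "deny" effect would apply
    return {name: matches(rule_if, r, PARAMS) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    print("question:", verdicts(QUESTION_IF))
    print("answer:  ", verdicts(ANSWER_IF))
```

In this model the question's rule never matches, because its "value" condition compares the literal string "tags[Costcenter]" with "" and allOf requires every condition to hold. The answer's rule matches the missing-tag and empty-tag groups and leaves the tagged group alone.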
