Azure Policy一项策略分配中有多个标签

问题描述 投票:0回答:1

我想创建一种自动的方式来创建新策略,该策略需要将默认标签应用于已部署的每个虚拟机。

目前我有以下内容

Powershell脚本:

#Remove Policy
#$scope = Get-AzSubscription -SubscriptionName "subscriptionname"
#$SubscriptionID = "/subscriptions/" + $scope.Id
#Remove-AzPolicyAssignment -Name 'apply-default-tag-1' -Scope $SubscriptionID




# Create the Policy Definition (Subscription scope)
$definition = New-AzPolicyDefinition -Name 'default-tags-to-vms' -DisplayName 'Append default tags to VM' -description 'This policy will add default tags to VMs' -Policy 'C:\policy.json' -Parameter 'C:\policy.parameters.json' -Mode All


# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzSubscription -SubscriptionName "DCS-EM-AZ1"
$SubscriptionID = "/subscriptions/" + $scope.Id



# Set the Policy Parameter (JSON format)
$Tag1 = '{ "tagName": { "value":  "Application"}, "tagValue": { "value":  "stackoverflow" } }'
$Tag2 = '{ "tagName": { "value":  "Contact"}, "tagValue": { "value":  "bekind" } }'
$Tag3 = '{ "tagName": { "value":  "Environment"}, "tagValue": {  "value": "tome" } }'
$Tag4 = '{ "tagName": { "value":  "RUNTIME"}, "tagValue": {  "value": "please" } }'




# Create the Policy Assignment
$policyTag1 = New-AzPolicyAssignment -Name 'apply-default-tag-1' -DisplayName 'Apply default tag Application ' -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag1
$policyTag2 = New-AzPolicyAssignment -Name 'apply-default-tag-2' -DisplayName 'Apply default tag Contact '  -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag2
$policyTag3 = New-AzPolicyAssignment -Name 'apply-default-tag-3' -DisplayName 'Apply default tag Environment '  -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag3
$policyTag4 = New-AzPolicyAssignment -Name 'apply-default-tag-4' -DisplayName 'Apply default tag Runtime '  -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag4

JSON文件policy.json

{
    "if": {
        "allOf": [{
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
        },
        {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
        }
    ]
    },
    "then": {
        "effect": "append",
        "details": [
            {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "value": "[parameters('tagValue')]"
            }
        ]
    }
}

policy.parameters.json

{
    "tagName": {
        "type": "string",
        "metadata": {
            "description": "Name of the tag, such as costCenter"
        }
    },
    "tagValue": {
        "type": "string",
        "metadata": {
            "description": "Value of the tag, such as headquarter"
        }
    }
}

上面将部署多个天蓝色的策略分配,每个分配都是一个标记名和一个标记值,如果我在订阅中测试部署,则我可以看到我的策略有效。当然,它不仅在“现在就可以使用”部分。但是,我又该如何提高效率,以便将来可以在不更改大量代码的情况下添加此函数。

到目前为止我尝试过的:

[不是使用powershell,而是在ARM模板中创建了策略:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "tagName": {
            "type": "array",
            "defaultValue":[  
                "default",
                "location",
                "is",
                "a",
                "problem"
            ]
        },
        "tagValue": {
            "type": "array",
            "defaultValue":[  
                "hello",
                "darkness",
                "my",
                "old",
                "friend"
            ]
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "[concat('append-tags-to-resource'parameters('tagName')[copyindex('CopyTags')])]",
            "apiVersion": "2018-05-01",
            "properties": {
                "policyType": "Custom",
                "parameters": {},
                "policyRule": {
                    "if": {
                        "field": "[concat('tags[', parameters('tagName')[copyindex('CopyTags')], ']')]",
                        "exists": "false"
                    },
                    "then": {
                        "effect": "append",
                        "details": [
                            {
                                "field": "[concat('tags[', parameters('tagName')[copyindex('CopyTags')], ']')]",
                                "value": "[parameters('tagValue')]"
                            }
                        ]
                    }
                }
            },
            "copy": {
                "name": "CopyTags",
                "count": "[length(parameters('tagName'))]"
            }
        }
    ]
}

这给了我很多错误,因为我找不到一种有效地将其部署到订阅(而不是资源组)作为我的范围的方法。(我确实尝试在不提供资源组的情况下进行部署,但无法弄清楚部署的方向,没有错误,我是用户的每个订阅中都没有策略)

没有人知道一种有效添加多个标签的方法。 (高效:这样我就可以在将来增加更多,而无需通过调整数组中的名称和值而进行大量更改)。还是知道实现我的策略Powershell脚本的更好方法?

azure powershell azure-powershell azure-policy
1个回答
0
投票

您应在Azure策略中使用修改效果。这将允许您从单个Azure策略定义ARM模板和单个分配中应用多个标签。

我在这里写了一个博客:http://www.buchatech.com/2019/09/walk-through-use-azure-policy-modify-effect-to-require-tags

您可以从我的GitHub存储库中获取示例Azure策略定义ARM模板以开始使用:https://github.com/Buchatech/Azure-Policy-modify-effect-to-require-tags/blob/master/Required%20Tags%20Azure%20Policy%20Modify%20Effect.json

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.