我想在资源组上添加标签,但不允许用户编辑/删除它,并允许他们在必要时添加其他标签。我尝试创建如下所示的策略定义,但用户仍然可以编辑标签:
"policyRule": {
"if": {
"allOf": [
{
"value": "resourcegroup().tags['my-lock']",
"equals": "my-lock"
},
{
"field": "type",
"in": ["Microsoft.Resources/tags", Microsoft.Resources/subscriptions/resourceGroups"]
}
]
},
"then": {
"effect": "deny"
}
}
有没有办法阻止用户编辑/删除资源组上某个键的标签?
为什么不直接使用内置策略
Require a tag and its value on resource groups
?
https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8ce3da23-7156-49e4-b145-24f95f9dcb46
它在资源组上强制执行必需的标签及其值。