We created an Azure Policy for "Allowed locations" and built the required template.json and parameter.json, shown below.
After uploading the JSON files to Azure Repos and trying to run them through an Azure Pipeline, the following error occurred.
Although resources is present in template.json, it still fails with this error. Can anyone give some advice?
template.json
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "listOfAllowedLocations": {
      "type": "array"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "policylocation",
      "apiVersion": "2018-03-01",
      "properties": {
        "policyType": "Custom",
        "displayName": "policylocation",
        "description": "",
        "mode": "all",
        "parameters": {
          "listOfAllowedLocations": {
            "type": "array",
            "metadata": {
              "description": "The list of locations that can be specified when deploying resources.",
              "displayName": "Allowed locations"
            }
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "location",
                "notIn": "EastUS"
              },
              {
                "field": "location",
                "notEquals": "global"
              },
              {
                "field": "type",
                "notEquals": "Microsoft.Compute/virtualMachines"
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
  ]
}
```
parameter.json
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "listOfAllowedLocations": {
      "type": "array",
      "value": "EastUS"
    }
  }
}
```
When I tried to deploy your policy with the given template and parameter files, I received the following error.
```json
{
  "error": {
    "code": "InvalidDeploymentParameterType",
    "message": "The type of deployment parameter 'listOfAllowedLocations' should not be specified. Please see https://aka.ms/resource-manager-parameter-files for details."
  }
}
```
This means you have an unused parameter (listOfAllowedLocations). For most language patterns an unused parameter may be fine, but for policy it is not. First, either remove this parameter or add it to your policy so that it is actually used.
Next, given the misleading error message you received, I'm curious about your deployment method. Policies can be deployed in many different ways: Portal, PowerShell and REST API, to name a few. I prefer the REST API approach because it offers considerable flexibility and simplicity in how policies are defined and used. If you go with the REST API, there are actually two different approaches to choose from (as an Azure deployment or as a policy definition), using the following endpoints respectively.
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01
DOCS - https://docs.microsoft.com/en-us/rest/api/resources/deployments/createorupdate
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}?api-version=2019-09-01
DOCS - https://docs.microsoft.com/en-us/rest/api/resources/policydefinitions/createorupdate
My preference is the deployment route, simply because it uses the Azure deployment mechanism to deploy the policy, which gives you a consistent and user-friendly way to troubleshoot, retry and inspect. It also lets you deploy the policy as a template file plus a parameter file, nest deployments inside deployments (useful in more complex use cases), and specify parameters at the deployment scope as well as the policy scope. Deployments do have some limits, however, such as the per-subscription and per-resource-group quota (currently 800). Some periodic internal cleanup will help with that.
Using the Azure deployment REST API approach, I encourage you to try one of the following depending on your intent.
Option 1a: you want to keep "listOfAllowedLocations" as a parameter and use it in the policy. You also want the parameter applied at the DEPLOYMENT scope, so that the policy finally deployed has a statically defined list of allowed locations.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01
BODY:
```json
{
  "location": "eastus",
  "properties": {
    "mode": "Incremental",
    "parameters": {
      "listOfAllowedLocations": {
        "value": ["eastus"]
      }
    },
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "listOfAllowedLocations": {
          "type": "array"
        }
      },
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "policylocation",
          "apiVersion": "2018-03-01",
          "properties": {
            "policyType": "Custom",
            "displayName": "policylocation",
            "description": "",
            "mode": "all",
            "parameters": {},
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "location",
                    "notIn": "[parameters('listOfAllowedLocations')]"
                  },
                  {
                    "field": "location",
                    "notEquals": "global"
                  },
                  {
                    "field": "type",
                    "notEquals": "Microsoft.Compute/virtualMachines"
                  }
                ]
              },
              "then": {
                "effect": "deny"
              }
            }
          }
        }
      ]
    }
  }
}
```
Option 1b: you want to keep "listOfAllowedLocations" as a parameter and use it in the policy. You also want the parameter applied at the POLICY DEFINITION scope, so that the deployed list of allowed locations can be manipulated at assignment time. Note the subtle differences in the scope of the parameter and in the escaping of the parameter inside the policy resource definition ('[[').
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01
BODY:
```json
{
  "location": "eastus",
  "properties": {
    "mode": "Incremental",
    "parameters": {},
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "policylocation",
          "apiVersion": "2018-03-01",
          "properties": {
            "policyType": "Custom",
            "displayName": "policylocation",
            "description": "",
            "mode": "all",
            "parameters": {
              "listOfAllowedLocations": {
                "type": "array",
                "defaultValue": ["eastus"]
              }
            },
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "location",
                    "notIn": "[[parameters('listOfAllowedLocations')]"
                  },
                  {
                    "field": "location",
                    "notEquals": "global"
                  },
                  {
                    "field": "type",
                    "notEquals": "Microsoft.Compute/virtualMachines"
                  }
                ]
              },
              "then": {
                "effect": "deny"
              }
            }
          }
        }
      ]
    }
  }
}
```
Option 2: statically define the allowed locations. This essentially bypasses passing a parameter through either the deployment or the policy assignment.
```json
{
  "location": "eastus",
  "properties": {
    "mode": "Incremental",
    "parameters": {},
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Authorization/policyDefinitions",
          "name": "policylocation",
          "apiVersion": "2018-03-01",
          "properties": {
            "policyType": "Custom",
            "displayName": "policylocation",
            "description": "",
            "mode": "all",
            "parameters": {},
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "location",
                    "notIn": ["eastus"]
                  },
                  {
                    "field": "location",
                    "notEquals": "global"
                  },
                  {
                    "field": "type",
                    "notEquals": "Microsoft.Compute/virtualMachines"
                  }
                ]
              },
              "then": {
                "effect": "deny"
              }
            }
          }
        }
      ]
    }
  }
}
```
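The three options above all hinge on a few mechanical rules: a parameter file entry carries a value but no "type", every template parameter must be referenced with a single "[", a parameter that lives on the policy definition is referenced with the "[[" escape so Resource Manager leaves it for the policy engine, and "in"/"notIn" take arrays. The following linter is an added example (not code from the answerer or from Microsoft) that checks a template and parameter file against those rules before anything is pushed through a pipeline. The sample documents are constructed to mirror the question's files and the Option 1a/1b bodies; the function and constant names are my own.

```python
import json
import re
from typing import Any, Iterator

# One bracket = ARM deployment expression, two = escaped for the policy engine.
PARAM_REF = re.compile(r"(\[+)parameters\('([^']+)'\)")
POLICY_TYPE = "Microsoft.Authorization/policyDefinitions"


def _conditions(node: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield the leaf conditions of a policyRule block, walking allOf/anyOf/not."""
    for key in ("allOf", "anyOf"):
        for child in node.get(key, []):
            yield from _conditions(child)
    if "not" in node:
        yield from _conditions(node["not"])
    if "field" in node:
        yield node


def lint_policy_deployment(template: dict[str, Any], param_file: dict[str, Any]) -> list[str]:
    """Return findings for an ARM template carrying a policyDefinition plus its parameter file."""
    findings: list[str] = []
    declared = template.get("parameters", {})

    # 1. Parameter file entries carry only "value": a "type" key is rejected by
    #    Resource Manager (InvalidDeploymentParameterType), and an array parameter
    #    must be given a JSON array rather than a bare string.
    for name, entry in param_file.get("parameters", {}).items():
        if "type" in entry:
            findings.append(f"parameter file: '{name}' must not specify 'type'")
        if name not in declared:
            findings.append(f"parameter file: '{name}' is not declared in the template")
            continue
        value = entry.get("value")
        if declared[name].get("type") == "array" and not isinstance(value, list):
            findings.append(f"parameter file: '{name}' is an array but was given {type(value).__name__}")

    # 2. Every declared template parameter must be referenced with a single '['.
    arm_refs = {n for b, n in PARAM_REF.findall(json.dumps(template)) if b == "["}
    for name in set(declared) - arm_refs:
        findings.append(f"template: parameter '{name}' is declared but never referenced")
    for name in arm_refs - set(declared):
        findings.append(f"template: [parameters('{name}')] refers to an undeclared parameter")

    # 3. Inside a policyDefinition, its own parameters are referenced with '[[',
    #    and in/notIn conditions take arrays (or an expression), not a bare string.
    for res in template.get("resources", []):
        if res.get("type") != POLICY_TYPE:
            continue
        props = res.get("properties", {})
        rule = props.get("policyRule", {})
        policy_params = set(props.get("parameters", {}))
        policy_refs = {n for b, n in PARAM_REF.findall(json.dumps(rule)) if b == "[["}
        tag = f"policy '{res.get('name')}'"
        for name in policy_refs - policy_params:
            findings.append(f"{tag}: [[parameters('{name}')] has no matching policy parameter")
        for name in policy_params - policy_refs:
            findings.append(f"{tag}: policy parameter '{name}' is never used in policyRule")
        for cond in _conditions(rule.get("if", {})):
            for op in ("in", "notIn"):
                val = cond.get(op)
                if isinstance(val, str) and not val.startswith("["):
                    findings.append(f"{tag}: '{op}' expects an array, got the string {val!r}")
    return findings


def _policy_resource(policy_params: dict[str, Any], not_in: Any) -> dict[str, Any]:
    """Build the policyDefinition resource from the question with a chosen notIn value (constructed)."""
    return {
        "type": POLICY_TYPE, "name": "policylocation", "apiVersion": "2018-03-01",
        "properties": {
            "policyType": "Custom", "displayName": "policylocation", "mode": "all",
            "parameters": policy_params,
            "policyRule": {
                "if": {"allOf": [
                    {"field": "location", "notIn": not_in},
                    {"field": "location", "notEquals": "global"},
                    {"field": "type", "notEquals": "Microsoft.Compute/virtualMachines"},
                ]},
                "then": {"effect": "deny"},
            },
        },
    }


ARRAY_PARAM = {"listOfAllowedLocations": {"type": "array"}}

# Constructed to mirror the files in the question.
QUESTION_TEMPLATE = {"parameters": ARRAY_PARAM, "resources": [_policy_resource(ARRAY_PARAM, "EastUS")]}
QUESTION_PARAMS = {"parameters": {"listOfAllowedLocations": {"type": "array", "value": "EastUS"}}}

# Option 1a: the parameter is resolved at deployment scope.
DEPLOYMENT_SCOPE_TEMPLATE = {"parameters": ARRAY_PARAM,
                             "resources": [_policy_resource({}, "[parameters('listOfAllowedLocations')]")]}
DEPLOYMENT_SCOPE_PARAMS = {"parameters": {"listOfAllowedLocations": {"value": ["eastus"]}}}

# Option 1b: the parameter stays on the policy definition and is escaped with '[['.
POLICY_SCOPE_TEMPLATE = {"parameters": {}, "resources": [_policy_resource(
    {"listOfAllowedLocations": {"type": "array", "defaultValue": ["eastus"]}},
    "[[parameters('listOfAllowedLocations')]")]}
EMPTY_PARAMS = {"parameters": {}}

if __name__ == "__main__":
    for finding in lint_policy_deployment(QUESTION_TEMPLATE, QUESTION_PARAMS):
        print("-", finding)
```

Run against the question's files the linter reports five findings (the "type" key in the parameter file, a string where an array was declared, the template parameter that is never referenced, the policy parameter that is never used in policyRule, and the bare "EastUS" string in notIn); both the Option 1a and Option 1b bodies come back clean. Wiring such a check into the pipeline stage that validates the repo catches these mistakes before a deny policy is deployed with a rule it never meant to express.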
The problem is that the policy does not use the listOfAllowedLocations parameter. I would remove it and leave the parameters as just empty brackets.
Here are some resources: https://review.docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure?branch=pr-en-us-116104