Azure 自定义标签策略，排除资源类型

Question

I did an azure custom policy that discover object not compliant, with custom missing tag, on my subscription.我做了一个 azure 自定义策略，发现 object 不合规，自定义缺少标签，我的订阅。

I got to much error from this policy becouse it discover also oms agent, extension etc..我从这个政策中得到了很多错误，因为它还发现了 oms 代理、扩展等。

Here the json:这里是 json：

    {
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "tags['TAG1']",
          "exists": false
        },
        {
          "field": "tags['TAG2']",
          "exists": false
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
  }

it search all resources and audit it if they are not with that tag.它会搜索所有资源并对其进行审核（如果它们不带有该标签）。

Is possibile to specified exclusion for specific resources type?是否可以针对特定资源类型指定排除项？ For example Microsoft.Compute/virtualMachines/extensions etc...例如 Microsoft.Compute/virtualMachines/extensions 等...

Thanks谢谢

Answer 1

This way you can mention all the resource types in "notEquals" operator for which you do not want to check for tags.这样，您可以在“notEquals”运算符中提及您不想检查标签的所有资源类型。

{
      "if": {
        "allOf": [
          {
            "field": "type",
            "notEquals": "Microsoft.Security/assessments"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/VirtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "tags['TAG1']",
                "exists": false
              },
              {
                "field": "tags['TAG2']",
                "exists": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }

Answer 2

Thanks it works: I'm trying to add other exclusion for type like below but i got error:谢谢它有效：我正在尝试为以下类型添加其他排除项，但出现错误：

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "type",
            "equals": "Microsoft.Security/assessments"
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/VirtualMachines"
          }
        },
                  {
            "anyOf": [
              {
                "field": "tags['TAG1']",
                "exists": false
              },
              {
                "field": "tags['TAG2']",
                "exists": false
              }
            ]
          }
        ]
      },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}

is possible to exclude more object in the same policy??是否可以在同一策略中排除更多 object？

Answer 3

Using "mode": "indexed" instead of "mode": "All" will only match resources that support location and tags.使用"mode": "indexed"而不是"mode": "All"只会匹配支持位置和标签的资源。

Source: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-manager-modes资料来源： https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-manager-modes

Azure 自定义标签策略，排除资源类型

问题描述

2 个解决方案

解决方案1
1 已采纳 2020-05-06 14:17:26

解决方案2
0 2020-05-08 15:50:46

解决方案3
0 2022-01-12 08:28:49

Azure 自定义标签策略，排除资源类型

问题描述

2 个解决方案

解决方案1 1 已采纳 2020-05-06 14:17:26

解决方案2 0 2020-05-08 15:50:46

解决方案3 0 2022-01-12 08:28:49

解决方案1
1 已采纳 2020-05-06 14:17:26

解决方案2
0 2020-05-08 15:50:46

解决方案3
0 2022-01-12 08:28:49