[英]How to create Azure Policy?
I have written some automation (using az command line) that creates virtual machines for us.我已经编写了一些为我们创建虚拟机的自动化程序(使用 az 命令行)。
However, since users have contributor access to the various subscriptions they login to the portal and create the vm's manually.但是,由于用户对各种订阅具有贡献者访问权限,因此他们登录到门户并手动创建虚拟机。
I would like to prevent the users from creating the vms by logging into the portal.我想阻止用户通过登录门户创建虚拟机。
How do I leverage Azure Policy to enforce this?我如何利用 Azure 策略来执行此操作?
I tried to reproduce this scenario on my end and was able to restrict users with Contributor Role from creating VM via Portal.我试图在我这边重现这个场景,并且能够限制具有贡献者角色的用户通过门户创建 VM。
I created one Policy Definition like below: -我创建了一个如下所示的策略定义:-
"parameters": {},
"policyRule":
{
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"contains": "a8f97275-2685-41ce-a61d-dc550cd090f8"
}
]
},
"then":
{
"effect": "deny"
}
}
And assigned this policy at the subscription level: -
并在订阅级别分配此策略:-
I have one user with Contributor role like below:我有一个具有如下贡献者角色的用户:
Now, when the user with Contributor
role tried to create a VM, the VM creation was disallowed by the Policy like below:现在,当具有
Contributor
角色的用户尝试创建虚拟机时,虚拟机创建被如下策略禁止:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.