Powershell Az 在接受数组参数的计划中创建 Azure 策略

Question

获得一个 powershell 脚本，该脚本创建 Azure 策略并将其分配给具有单个参数的计划。 我无法创建采用值数组的 Initiative 参数并将其链接到 Initiative。

我们不希望创建资源组，除非它具有三个强制性标记：Security Owner、tagTwo 和 tagThree。 因此，创建了一个 Azure 策略计划，其中包含一个检查标签是否存在的策略规则。 我喜欢这种设计模式，因为如果我们有额外的标签作为资源组的要求，那么我们将添加到 Initiative Parameter 而不是创建新的 Policy。

这是我到目前为止所拥有的。 json 文件中的策略规则 (append_rg_tag.json)

{
"if": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
        }
    ]
},
"then": {
    "effect": "deny"
}
}

json 文件中的策略参数 (append_tag_parameters.json)

{
"tagName": {
    "type": "String",
    "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'Security Owner'"
    }
}
}

将它们放在一起，这里是创建 Azure 策略的 powershell 脚本，并创建策略并将其分配给 Initiative

# Create a new policy definition
$defParams = @{
Name = "TagResourceGroup"
DisplayName = "Deny Resource Group without a Tag"
Description = "Deny Resource Group without a Tag"
Metadata = '{"category":"Tags"}'
Parameter = "append_tag_parameters.json"
Policy = "append_rg_tag.json"
}
$definition = New-AzPolicyDefinition @defParams

# Create an initiative for tags
    $PolicyDefinition = @"
[
    {
        "policyDefinitionId": "$($definition.ResourceId)",
        "parameters": {
            "tagName": {
                "value": "Security Owner"
            }
        }
    }
]
"@

$initiativeParams = @{
    Name = "TagsSetResourceGroups"
    DisplayName = "Need Tag For Resource Group"
    Description = "Need Tag For Resource Group"
    Metadata = '{"category":"Tags"}'
    # Parameter = '{ Think something goes here, but am stuck}'
    PolicyDefinition = $PolicyDefinition
}

$initiative = New-AzPolicySetDefinition @initiativeParams

# Assign the initiave to the subscription

$assignParams = @{
    Name = "NeedTagForResourceGroup"
    DisplayName = "Tags for Resource Groups"
    Scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
    # PolicyParameterObject = @{Think something goes here, but am stuck}
    PolicySetDefinition = $initiative
}

New-AzPolicyAssignment @assignParams

这是它在 Azure 中的样子

如果我在 Azure 门户中手动创建，倡议参数将如下所示

感谢您的阅读和帮助！！

Answer 1

作为解决方法和简化策略； 如果资源组没有这三个标签名称，则以下将拒绝创建资源组

deny_rg_tag.json

{
    "if": {
        "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                },
                {
                    "anyOf": [
                        {
                            "field": "[concat('tags[', parameters('tagName01'), ']')]",
                            "exists": "false"                      
                        },
                        {
                            "field": "[concat('tags[', parameters('tagName02'), ']')]",
                            "exists": "false"                      
                        },
                        {
                            "field": "[concat('tags[', parameters('tagName03'), ']')]",
                            "exists": "false"                      
                        }
                    ]
                }
        ]
    },
    "then": {
      "effect": "deny"
    }
}

deny_tag_parameters.json

{
    "tagName01": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name 01",
        "description": "Resource Group should have a tag "
      }
  },
    "tagName02": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name 02",
        "description": "Resource Group should have a tag "
      }
  },
    "tagName03": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name 03",
        "description": "Resource Group should have a tag "
      }
  }
}

把它放在一起

$defParams = @{
    Name = "TagResourceGroup"
    DisplayName = "Deny Resource Group without a Tag"
    Description = "Deny Resource Group without a Tag"
    Metadata = '{"category":"Tags"}'
    Parameter = "deny_tag_parameters.json"
    Policy = "deny_rg_tag.json"
}

$definition = New-AzPolicyDefinition @defParams

# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Resource Group Require Tags' `
                       -DisplayName 'Resource Group Require Tags' `
                       -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)" `
                       -PolicyDefinition $definition

Powershell Az 在接受数组参数的计划中创建 Azure 策略

问题描述

1 个解决方案

解决方案1
0 2022-03-05 03:38:48

Powershell Az 在接受数组参数的计划中创建 Azure 策略

问题描述

1 个解决方案

解决方案1 0 2022-03-05 03:38:48

解决方案1
0 2022-03-05 03:38:48