[英]Update-AzADApplication: A positional parameter cannot be found that accepts argument $True - Azure Az Powershell Module
[英]Powershell Az to create Azure Policy in an Initiative That Accepts An Array Parameters
获得一个 powershell 脚本,该脚本创建 Azure 策略并将其分配给具有单个参数的计划。 我无法创建采用值数组的 Initiative 参数并将其链接到 Initiative。
我们不希望创建资源组,除非它具有三个强制性标记:Security Owner、tagTwo 和 tagThree。 因此,创建了一个 Azure 策略计划,其中包含一个检查标签是否存在的策略规则。 我喜欢这种设计模式,因为如果我们有额外的标签作为资源组的要求,那么我们将添加到 Initiative Parameter 而不是创建新的 Policy。
这是我到目前为止所拥有的。 json 文件中的策略规则 (append_rg_tag.json)
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
json 文件中的策略参数 (append_tag_parameters.json)
{
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'Security Owner'"
}
}
}
将它们放在一起,这里是创建 Azure 策略的 powershell 脚本,并创建策略并将其分配给 Initiative
# Create a new policy definition
$defParams = @{
Name = "TagResourceGroup"
DisplayName = "Deny Resource Group without a Tag"
Description = "Deny Resource Group without a Tag"
Metadata = '{"category":"Tags"}'
Parameter = "append_tag_parameters.json"
Policy = "append_rg_tag.json"
}
$definition = New-AzPolicyDefinition @defParams
# Create an initiative for tags
$PolicyDefinition = @"
[
{
"policyDefinitionId": "$($definition.ResourceId)",
"parameters": {
"tagName": {
"value": "Security Owner"
}
}
}
]
"@
$initiativeParams = @{
Name = "TagsSetResourceGroups"
DisplayName = "Need Tag For Resource Group"
Description = "Need Tag For Resource Group"
Metadata = '{"category":"Tags"}'
# Parameter = '{ Think something goes here, but am stuck}'
PolicyDefinition = $PolicyDefinition
}
$initiative = New-AzPolicySetDefinition @initiativeParams
# Assign the initiave to the subscription
$assignParams = @{
Name = "NeedTagForResourceGroup"
DisplayName = "Tags for Resource Groups"
Scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
# PolicyParameterObject = @{Think something goes here, but am stuck}
PolicySetDefinition = $initiative
}
New-AzPolicyAssignment @assignParams
这是它在 Azure 中的样子
如果我在 Azure 门户中手动创建,倡议参数将如下所示
感谢您的阅读和帮助!!
作为解决方法和简化策略; 如果资源组没有这三个标签名称,则以下将拒绝创建资源组
deny_rg_tag.json
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf": [
{
"field": "[concat('tags[', parameters('tagName01'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName02'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName03'), ']')]",
"exists": "false"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
deny_tag_parameters.json
{
"tagName01": {
"type": "String",
"metadata": {
"displayName": "Tag Name 01",
"description": "Resource Group should have a tag "
}
},
"tagName02": {
"type": "String",
"metadata": {
"displayName": "Tag Name 02",
"description": "Resource Group should have a tag "
}
},
"tagName03": {
"type": "String",
"metadata": {
"displayName": "Tag Name 03",
"description": "Resource Group should have a tag "
}
}
}
把它放在一起
$defParams = @{
Name = "TagResourceGroup"
DisplayName = "Deny Resource Group without a Tag"
Description = "Deny Resource Group without a Tag"
Metadata = '{"category":"Tags"}'
Parameter = "deny_tag_parameters.json"
Policy = "deny_rg_tag.json"
}
$definition = New-AzPolicyDefinition @defParams
# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Resource Group Require Tags' `
-DisplayName 'Resource Group Require Tags' `
-Scope "/subscriptions/$((Get-AzContext).Subscription.Id)" `
-PolicyDefinition $definition
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.