[英]Azure custom policy for require tags for resource groups with valid value set using terraform
我正在為以下要求尋找 terraform 代碼。
例如我想有2個標簽,我們可以稍后增加標簽
環境 = [DEV、STG、PRD]
AskID = [123,ABC,234]
我希望將此策略應用於多個訂閱。
同樣,我們可以為資源組中的多個資源設置有效值的資源的 require 標簽使用相同類型的策略。
標簽值也應該區分大小寫。 我們能得到這方面的幫助嗎
下面是一個示例,說明如何創建需要資源組上的“環境”和標簽的策略,並為每個標簽指定允許值列表:
data "azurerm_client_config" "current" {}
provider "azurerm" {
features {}
}
resource "azurerm_policy_definition" "example" {
name = "tags-on-resource-groups"
policy_type = "Custom"
mode = "All"
display_name = "my-policy-definition"
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "tags.Environment",
"in": [
"DEV",
"STG",
"PRD"
]
}
},
{
"not": {
"field": "tags.AskID",
"in": [
"123",
"ABC",
"234"
]
}
}
]
},
"then": {
"effect": "deny"
}
}
POLICY_RULE
}
resource "azurerm_resource_group" "example" {
name = "**********"
location = "West Europe"
}
data "azurerm_billing_enrollment_account_scope" "example" {
billing_account_name = "******"
enrollment_account_name = "******"
}
resource "azurerm_subscription" "example" {
subscription_name = "Subscription Name"
billing_scope_id = data.azurerm_billing_enrollment_account_scope.example.id
}
data "azurerm_policy_assignment" "example" {
name = "tags-on-resource-groups"
scope_id = azurerm_subscription.example.id
}
根據運行計划
terraform plan
注意:由於特權訪問“用戶無權在此注冊帳戶上創建訂閱”,因此在運行代碼時會出現訪問問題。
參考本教程#Using Terraform and Azure Policies Manage Tag governance from @kunal.parkar886 for azure policy creation 。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.