Azure 使用 terraform 設置有效值的資源組所需標簽的自定義策略

Question

我正在為以下要求尋找 terraform 代碼。

例如我想有2個標簽，我們可以稍后增加標簽

環境 = [DEV、STG、PRD]

AskID = [123,ABC,234]

我希望將此策略應用於多個訂閱。

同樣，我們可以為資源組中的多個資源設置有效值的資源的 require 標簽使用相同類型的策略。

標簽值也應該區分大小寫。 我們能得到這方面的幫助嗎

Answer 1

下面是一個示例，說明如何創建需要資源組上的“環境”和標簽的策略，並為每個標簽指定允許值列表：

data "azurerm_client_config" "current" {}
provider "azurerm" {
    features {}
}

resource "azurerm_policy_definition" "example" {
  name         = "tags-on-resource-groups"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "my-policy-definition"

  policy_rule = <<POLICY_RULE
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "tags.Environment",
            "in": [
              "DEV",
              "STG",
              "PRD"
            ]
          }
        },
        {
          "not": {
            "field": "tags.AskID",
            "in": [
              "123",
              "ABC",
              "234"
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
  POLICY_RULE
}

resource "azurerm_resource_group" "example" {
  name     = "**********"
  location = "West Europe"
}

data "azurerm_billing_enrollment_account_scope" "example" {
  billing_account_name    = "******"
  enrollment_account_name = "******"
}
resource "azurerm_subscription" "example" {
  subscription_name = "Subscription Name"
  billing_scope_id  = data.azurerm_billing_enrollment_account_scope.example.id
}

data "azurerm_policy_assignment" "example" {
  name                 = "tags-on-resource-groups"
  scope_id             = azurerm_subscription.example.id

}

根據運行計划

terraform plan

注意：由於特權訪問“用戶無權在此注冊帳戶上創建訂閱”，因此在運行代碼時會出現訪問問題。

參考本教程#Using Terraform and Azure Policies Manage Tag governance from @kunal.parkar886 for azure policy creation 。