0

我想创建一种自动方法来创建需要将默认标记应用于已部署的每个虚拟机的新策略。

目前我有以下

Powershell脚本:

#Remove Policy
#$scope = Get-AzSubscription -SubscriptionName "subscriptionname"
#$SubscriptionID = "/subscriptions/" + $scope.Id
#Remove-AzPolicyAssignment -Name 'apply-default-tag-1' -Scope $SubscriptionID




# Create the Policy Definition (Subscription scope)
$definition = New-AzPolicyDefinition -Name 'default-tags-to-vms' -DisplayName 'Append default tags to VM' -description 'This policy will add default tags to VMs' -Policy 'C:\policy.json' -Parameter 'C:\policy.parameters.json' -Mode All


# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzSubscription -SubscriptionName "DCS-EM-AZ1"
$SubscriptionID = "/subscriptions/" + $scope.Id



# Set the Policy Parameter (JSON format)
$Tag1 = '{ "tagName": { "value":  "Application"}, "tagValue": { "value":  "stackoverflow" } }'
$Tag2 = '{ "tagName": { "value":  "Contact"}, "tagValue": { "value":  "bekind" } }'
$Tag3 = '{ "tagName": { "value":  "Environment"}, "tagValue": {  "value": "tome" } }'
$Tag4 = '{ "tagName": { "value":  "RUNTIME"}, "tagValue": {  "value": "please" } }'




# Create the Policy Assignment
$policyTag1 = New-AzPolicyAssignment -Name 'apply-default-tag-1' -DisplayName 'Apply default tag Application ' -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag1
$policyTag2 = New-AzPolicyAssignment -Name 'apply-default-tag-2' -DisplayName 'Apply default tag Contact '  -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag2
$policyTag3 = New-AzPolicyAssignment -Name 'apply-default-tag-3' -DisplayName 'Apply default tag Environment '  -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag3
$policyTag4 = New-AzPolicyAssignment -Name 'apply-default-tag-4' -DisplayName 'Apply default tag Runtime '  -Scope $SubscriptionID -PolicyDefinition $definition -PolicyParameter $Tag4

JSON 文件 policy.json

{
    "if": {
        "allOf": [{
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
        },
        {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
        }
    ]
    },
    "then": {
        "effect": "append",
        "details": [
            {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "value": "[parameters('tagValue')]"
            }
        ]
    }
}

策略.参数.json

{
    "tagName": {
        "type": "string",
        "metadata": {
            "description": "Name of the tag, such as costCenter"
        }
    },
    "tagValue": {
        "type": "string",
        "metadata": {
            "description": "Value of the tag, such as headquarter"
        }
    }
}

以上将部署多个 azure 策略分配,每个分配都是标记名和标记值,如果我在订阅中测试部署,我可以看到我的策略有效。当然,它不仅在“它现在可以工作”部分。而且我怎样才能使它高效,以便将来可以在不更改大量代码的情况下平滑添加。

到目前为止我已经尝试过:

我没有使用 powershell,而是在 ARM 模板中创建了策略:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "tagName": {
            "type": "array",
            "defaultValue":[  
                "default",
                "location",
                "is",
                "a",
                "problem"
            ]
        },
        "tagValue": {
            "type": "array",
            "defaultValue":[  
                "hello",
                "darkness",
                "my",
                "old",
                "friend"
            ]
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "[concat('append-tags-to-resource'parameters('tagName')[copyindex('CopyTags')])]",
            "apiVersion": "2018-05-01",
            "properties": {
                "policyType": "Custom",
                "parameters": {},
                "policyRule": {
                    "if": {
                        "field": "[concat('tags[', parameters('tagName')[copyindex('CopyTags')], ']')]",
                        "exists": "false"
                    },
                    "then": {
                        "effect": "append",
                        "details": [
                            {
                                "field": "[concat('tags[', parameters('tagName')[copyindex('CopyTags')], ']')]",
                                "value": "[parameters('tagValue')]"
                            }
                        ]
                    }
                }
            },
            "copy": {
                "name": "CopyTags",
                "count": "[length(parameters('tagName'))]"
            }
        }
    ]
}

这给了我很多错误,因为我找不到有效地将其部署到订阅作为我的范围而不是资源组的方法。(我确实尝试在不提供资源组的情况下部署它,但无法弄清楚部署的去向,没有错误,我作为用户的每个订阅中都没有策略)

有谁知道一种以有效方式添加多个标签的方法。(高效:这样我可以在将来添加更多内容,而无需通过调整数组中的名称和值来进行很多更改)。或者知道实现我的策略 powershell 脚本的更好方法?

4

1 回答 1

0

您应该尝试使用允许您同时添加或替换多个标签的修改操作。

更多信息在这里

于 2020-01-15T22:08:39.443 回答