
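I am creating an Azure policy to append tags to newly created resources. It works for most components, but I found that this policy does not work for some components, for example Logic Apps.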

{
  "mode": "All",
  "parameters": {
    "Environment": {
      "type": "String",
      "metadata": {
        "displayName": "Environment"
      },
      "defaultValue": "dev"
    },
    "Owner": {
      "type": "String",
      "metadata": {
        "displayName": "Owner"
      },
      "defaultValue": "Admin"
    },
    "CostCenter": {
      "type": "String",
      "metadata": {
        "displayName": "CostCenter"
      },
      "defaultValue": "NA"
    }
  },
  "policyRule": {
    "if": {
      "field": "tags",
      "exists": "false"
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags",
          "value": {
            "Environment": "[parameters('Environment')]",
            "Owner": "[parameters('Owner')]",
            "CostCenter": "[parameters('CostCenter')]"
          }
        }
      ]
    }
  }
}

I added a similar policy to apply tags to resource groups, and it does not work at all. I don't know what is going on.

{
  "mode": "All",
  "parameters": {
    "Environment": {
      "type": "String",
      "metadata": {
        "displayName": "Environment"
      },
      "defaultValue": "dev"
    },
    "Owner": {
      "type": "String",
      "metadata": {
        "displayName": "Owner"
      },
      "defaultValue": "admin"
    },
    "CostCenter": {
      "type": "String",
      "metadata": {
        "displayName": "CostCenter"
      },
      "defaultValue": "NA"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "tags",
          "exists": "false"
        },
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        }
      ]
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags",
          "value": {
            "Environment": "[parameters('Environment')]",
            "Owner": "[parameters('Owner')]",
            "CostCenter": "[parameters('CostCenter')]"
          }
        }
      ]
    }
  }
}

1 Answer


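Figured it out myself: the "exists": "false" condition in my policy is only triggered when the "tags" property is missing or null, so a resource group or resource with "tags": {} bypasses my policy even though it has no tags.

In addition, a simple check on tags is not reasonable; each tag name should be checked one by one, and if it does not comply, the append action should be taken.

I also found that the following statement does not work for resource groups, probably because it is an irregular practice.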

{
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "tags",
        "value": {
          "Environment": "[parameters('Environment')]",
          "Owner": "[parameters('Owner')]",
          "CostCenter": "[parameters('CostCenter')]"
        }
      }
    ]
  }
}

It is suggested to use the statement below instead:

{
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "tags['Environment']",
        "value": "[parameters('Environment')]"
      },
      {
        "field": "tags['Owner']",
        "value": "[parameters('Owner')]"
      },
      {
        "field": "tags['CostCenter']",
        "value": "[parameters('CostCenter')]"
      }
    ]
  }
}
answered 2019-05-10T16:03:30.907
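
As an added example (not part of the original question or answer), the Python sketch below models the two conditions discussed in the answer over a constructed inventory and lists resources that lack the required tags, flagging those that slip past an "exists": "false" check on the whole tags object. The function names and sample resources are assumptions for illustration; this is a local model of the behaviour the answer describes, not the Azure Policy engine.

```python
import json

# Tag names required by the policies on this page.
REQUIRED_TAGS = ("Environment", "Owner", "CostCenter")

# Constructed sample inventory (not real resources).
SAMPLE = json.loads("""
[
  {"name": "rg-no-tags-prop", "type": "Microsoft.Resources/subscriptions/resourceGroups"},
  {"name": "rg-null-tags", "type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": null},
  {"name": "rg-empty-tags", "type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": {}},
  {"name": "logic-partial", "type": "Microsoft.Logic/workflows", "tags": {"owner": "Admin"}},
  {"name": "vm-complete", "type": "Microsoft.Compute/virtualMachines",
   "tags": {"Environment": "dev", "Owner": "Admin", "CostCenter": "NA"}}
]
""")


def whole_object_check_fires(resource):
    """Model of {"field": "tags", "exists": "false"} as the answer describes it:
    true only when the tags property is missing or null."""
    return resource.get("tags") is None


def missing_tags(resource):
    """Model of a per-name check: which required tag names are absent."""
    tags = resource.get("tags") or {}
    present = {name.casefold() for name in tags}  # Azure tag names are case-insensitive
    return [name for name in REQUIRED_TAGS if name.casefold() not in present]


def audit(resources):
    """List resources lacking required tags and whether the whole-object
    condition would have skipped them (tags present but incomplete, e.g. {})."""
    findings = []
    for res in resources:
        missing = missing_tags(res)
        if missing:
            findings.append({
                "name": res["name"],
                "missing": missing,
                "bypasses_whole_object_check": not whole_object_check_fires(res),
            })
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["name"], row["missing"], row["bypasses_whole_object_check"])
```

Rows with `bypasses_whole_object_check` set to true are the untagged or partially tagged resources that only a per-tag-name condition would catch.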