
我正在使用 ARM 模板处理基础架构即代码 (IaC),正在创建一个策略计划 (initiative) 并将其分配给订阅。在下面的代码中,我为该策略计划引用了两个策略定义,模板可以正常工作:策略计划定义被创建并分配到了我的订阅。在代码中可以看到,第一个策略定义使用了名为 "effect" 的参数,这是预定义的参数名称。但第二个策略定义也有一个同样名为 "effect" 的参数。我该如何在策略计划中定义第二个参数,以便将它用于第二个策略定义?

我正在使用 New-AzDeployment 部署模板,我们将使用 AzDo for IaC。

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "scopeResourceId": "[subscription().id]",
    "policySetDefinitionLocation": "westeurope",
    "policyInitiativeDefinitionName": "MyDefinition",
    "policyInitiativeAssignmentName": "MyDefinitionAssignment",
    "policyInitiativeDisplayName": "My Definition",

    "policyDefinitionIdStorageAccountsEnableHttps": "404c3081-a854-4457-ae30-26a93ef643f9",
    "policyDefinitionIdStorageAccountsTrustMicrosoftServices": "c9d007d0-c057-4772-b18c-01e546713bcd"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policySetDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeDefinitionName')]",
      "properties": {
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "policyType": "Custom",
        "parameters": {
          "effect": {
            "type": "string",
            "metadata": {
              "displayName": "Secure transfer to storage accounts should be enabled",
              "description": "Enable or disable the monitoring of secure transfer for storage accounts"
            },
            "allowedValues": [
              "Audit",
              "Deny",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        },
        "policyDefinitions": [
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsEnableHttps'))]",
            "parameters": {
              "effect": {
                "value": "Audit"
              }
            }
          },
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsTrustMicrosoftServices'))]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeAssignmentName')]",
      "location": "[variables('policySetDefinitionLocation')]",
      "dependsOn": [
        "[variables('policyInitiativeDefinitionName')]"
      ],
      "properties": {
        "scope": "[variables('scopeResourceId')]",
        "policyDefinitionId": "[extensionResourceId(variables('scopeResourceId'), 'Microsoft.Authorization/policySetDefinitions', variables('policyInitiativeDefinitionName'))]",
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "parameters": {
          "effect": {
            "value": "Deny"
          }
        }
      }
    }
  ]
}

下面是我想要实现的一个例子。我不能把这两个参数都命名为 "effect",因为参数不能重复。但我似乎也不能把参数命名为 "effect1"(如下例所示),因为我收到了错误消息:"策略集定义 'MyDefinition' 正在尝试分配参数 'effect1',但该参数未在策略定义中定义"。这条错误说明 `policyDefinitions[].parameters` 下的键必须与所引用的内置策略定义自身的参数名一致(这里就是 "effect");策略计划级别的参数名可以不同,但只能在值里通过 `"[[parameters('effect1')]"` 这样的引用来使用,而不能作为键出现。

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {
        "scopeResourceId": "[subscription().id]",
        "policySetDefinitionLocation": "westeurope",
        "policyInitiativeDefinitionName": "MyDefinition",
        "policyInitiativeAssignmentName": "MyDefinitionAssignment",
        "policyInitiativeDisplayName": "My Definition",

        "policyDefinitionIdStorageAccountsEnableHttps": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionIdStorageAccountsTrustMicrosoftServices": "c9d007d0-c057-4772-b18c-01e546713bcd"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/policySetDefinitions",
            "apiVersion": "2019-09-01",
            "name": "[variables('policyInitiativeDefinitionName')]",
            "properties": {
                "displayName": "[variables('policyInitiativeDisplayName')]",
                "policyType": "Custom",
                "parameters": {
                    "effect": {
                        "type": "string",
                        "metadata": {
                            "displayName": "Secure transfer to storage accounts should be enabled",
                            "description": "Enable or disable the monitoring of secure transfer for storage accounts"
                        },
                        "allowedValues": [
                            "Audit",
                            "Deny",
                            "Disabled"
                        ],
                        "defaultValue": "Audit"
                    },
                    "effect1": {
                        "type": "string",
                        "metadata": {
                            "displayName": "Storage accounts should allow access from trusted Microsoft services",
                            "description": "Enable or disable the monitoring of allowing access from trusted Microsoft services for storage accounts"
                        },
                        "allowedValues": [
                            "Audit",
                            "Deny",
                            "Disabled"
                        ],
                        "defaultValue": "Audit"
                    }
                },
                "policyDefinitions": [
                    {
                        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsEnableHttps'))]",
                        "parameters": {
                            "effect": {
                                "value": "Audit"
                            }
                        }
                    },
                    {
                        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsTrustMicrosoftServices'))]",
                        "parameters": {
                            "effect1": {
                                "value": "Audit"
                            }
                        }
                    }
                ]
            }
        },
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2019-09-01",
            "name": "[variables('policyInitiativeAssignmentName')]",
            "location": "[variables('policySetDefinitionLocation')]",
            "dependsOn": [
                "[variables('policyInitiativeDefinitionName')]"
            ],
            "properties": {
                "scope": "[variables('scopeResourceId')]",
                "policyDefinitionId": "[extensionResourceId(variables('scopeResourceId'), 'Microsoft.Authorization/policySetDefinitions', variables('policyInitiativeDefinitionName'))]",
                "displayName": "[variables('policyInitiativeDisplayName')]",
                "parameters": {
                    "effect": {
                        "value": "Deny"
                    },
                    "effect1": {
                        "value": "Deny"
                    }
                }
            }
        }
    ]
}
