I am working with ARM templates for infrastructure as code (IaC), and I am creating a policy initiative and assigning it to a subscription. In the code below I assign two definitions to the initiative, and the template works correctly: the initiative definition is created and assigned to my subscription. In the code you can see that the first definition has a parameter named "effect". This is the name of the predefined parameter. But the second definition also has a parameter called "effect". How can I define a second parameter in the initiative that I can use for the second definition?
I am deploying the template with New-AzDeployment, and we will be using AzDo for IaC.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "scopeResourceId": "[subscription().id]",
    "policySetDefinitionLocation": "westeurope",
    "policyInitiativeDefinitionName": "MyDefinition",
    "policyInitiativeAssignmentName": "MyDefinitionAssignment",
    "policyInitiativeDisplayName": "My Definition",
    "policyDefinitionIdStorageAccountsEnableHttps": "404c3081-a854-4457-ae30-26a93ef643f9",
    "policyDefinitionIdStorageAccountsTrustMicrosoftServices": "c9d007d0-c057-4772-b18c-01e546713bcd"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policySetDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeDefinitionName')]",
      "properties": {
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "policyType": "Custom",
        "parameters": {
          "effect": {
            "type": "string",
            "metadata": {
              "displayName": "Secure transfer to storage accounts should be enabled",
              "description": "Enable or disable the monitoring of secure transfer for storage accounts"
            },
            "allowedValues": [
              "Audit",
              "Deny",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        },
        "policyDefinitions": [
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsEnableHttps'))]",
            "parameters": {
              "effect": {
                "value": "Audit"
              }
            }
          },
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsTrustMicrosoftServices'))]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeAssignmentName')]",
      "location": "[variables('policySetDefinitionLocation')]",
      "dependsOn": [
        "[variables('policyInitiativeDefinitionName')]"
      ],
      "properties": {
        "scope": "[variables('scopeResourceId')]",
        "policyDefinitionId": "[extensionResourceId(variables('scopeResourceId'), 'Microsoft.Authorization/policySetDefinitions', variables('policyInitiativeDefinitionName'))]",
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "parameters": {
          "effect": {
            "value": "Deny"
          }
        }
      }
    }
  ]
}
Below is an example of what I am looking for. I cannot name both parameters "effect", because duplicate parameters are not allowed. But I don't think I can name the parameter "effect1" (as in the example below) either, because I get the error message: "The policy set definition 'MyDefinition' is trying to assign parameter 'effect1', which is not defined in the policy definition".
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "scopeResourceId": "[subscription().id]",
    "policySetDefinitionLocation": "westeurope",
    "policyInitiativeDefinitionName": "MyDefinition",
    "policyInitiativeAssignmentName": "MyDefinitionAssignment",
    "policyInitiativeDisplayName": "My Definition",
    "policyDefinitionIdStorageAccountsEnableHttps": "404c3081-a854-4457-ae30-26a93ef643f9",
    "policyDefinitionIdStorageAccountsTrustMicrosoftServices": "c9d007d0-c057-4772-b18c-01e546713bcd"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policySetDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeDefinitionName')]",
      "properties": {
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "policyType": "Custom",
        "parameters": {
          "effect": {
            "type": "string",
            "metadata": {
              "displayName": "Secure transfer to storage accounts should be enabled",
              "description": "Enable or disable the monitoring of secure transfer for storage accounts"
            },
            "allowedValues": [
              "Audit",
              "Deny",
              "Disabled"
            ],
            "defaultValue": "Audit"
          },
          "effect1": {
            "type": "string",
            "metadata": {
              "displayName": "Storage accounts should allow access from trusted Microsoft services",
              "description": "Enable or disable the monitoring of allowing access from trusted Microsoft services for storage accounts"
            },
            "allowedValues": [
              "Audit",
              "Deny",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        },
        "policyDefinitions": [
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsEnableHttps'))]",
            "parameters": {
              "effect": {
                "value": "Audit"
              }
            }
          },
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsTrustMicrosoftServices'))]",
            "parameters": {
              "effect1": {
                "value": "Audit"
              }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeAssignmentName')]",
      "location": "[variables('policySetDefinitionLocation')]",
      "dependsOn": [
        "[variables('policyInitiativeDefinitionName')]"
      ],
      "properties": {
        "scope": "[variables('scopeResourceId')]",
        "policyDefinitionId": "[extensionResourceId(variables('scopeResourceId'), 'Microsoft.Authorization/policySetDefinitions', variables('policyInitiativeDefinitionName'))]",
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "parameters": {
          "effect": {
            "value": "Deny"
          },
          "effect1": {
            "value": "Deny"
          }
        }
      }
    }
  ]
}