1

We built an Azure Policy for "Allowed locations" and created the required template.json and parameters.json as shown below.

Template.json

When we try to run it with an Azure Pipeline after uploading the JSON files to an Azure repository, the following error occurs:

[error] The request content was invalid and could not be deserialized: 'Required property 'resources' not found in JSON. Path 'properties.template', line 1, position 222.'

Although the resources are present in template.json, it fails with this error. Can anyone provide any insight?

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "listOfAllowedLocations": {
            "type": "array"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "policylocation",
            "apiVersion": "2018-03-01",
            "properties": {
                "policyType": "Custom",
                "displayName": "policylocation",
                "description": "",
                "mode": "all",
                "parameters": {
                    "listOfAllowedLocations": {
                        "type": "array",
                        "metadata": {
                            "description": "The list of locations that can be specified when deploying resources.",
                            "displayName": "Allowed locations"
                        }
                    }
                },
                "policyRule": {
                    "if": {
                        "allOf": [
                            {
                                "field": "location",
                                "notIn": "EastUS"
                            },
                            {
                                "field": "location",
                                "notEquals": "global"
                            },
                            {
                                "field": "type",
                                "notEquals": "Microsoft.Compute/virtualMachines"
                            }
                        ]
                    },
                    "then": {
                        "effect": "deny"
                    }
                }
            }
        }
    ]
}

Parameters.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "listOfAllowedLocations": {
            "type": "array",
            "value": "EastUS"
        }
    }
}
4

2 Answers

1

When I tried to deploy your policy with the given template and parameter files, I received the following error.

{
    "error": {
        "code": "InvalidDeploymentParameterType",
        "message": "The type of deployment parameter 'listOfAllowedLocations' should not be specified. Please see https://aka.ms/resource-manager-parameter-files for details."
    }
}

This means you have an unused parameter (listOfAllowedLocations). While having an unused parameter may be fine for most language schemas, it is not for policy. Either remove this parameter first, or add this parameter to your policy so that it is used.

Next, given the misleading error message you received, I'm curious about your deployment method. Policies can be deployed in several different ways: the Portal, PowerShell and the REST API, to name a few. I prefer the REST API approach because it offers quite a bit of flexibility and simplicity in both definition and usage. If you have chosen the REST API, you actually have two different methods available (as an Azure deployment or as a policy definition), which are the following endpoints respectively.

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01

Documentation - https://docs.microsoft.com/en-us/rest/api/resources/deployments/createorupdate

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}?api-version=2019-09-01

Documentation - https://docs.microsoft.com/en-us/rest/api/resources/policydefinitions/createorupdate

My preference is the deployment route, because it uses the Azure deployment mechanism to deploy the policy, which provides a consistent and user-friendly way to troubleshoot, retry and inspect. It also allows you to deploy the policy as a template file plus a parameter file, to nest deployments within deployments (which can be useful in more complex use cases), and to specify parameters at both the deployment scope and the policy scope. However, deployments also have some limitations, such as the per-subscription and per-resource-group quota (currently 800). Some periodic housekeeping will help with that.

Using the Azure deployment REST API approach, I encourage you to try one of the following, depending on your intent.

Option 1a: You want to keep "listOfAllowedLocations" as a parameter and use it in your policy. You also want to apply the parameter at the DEPLOYMENT scope, so that the resulting deployed policy has a statically defined list of allowed locations.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01

Body:

{
    "location": "eastus",
    "properties": {
        "mode": "Incremental",
        "parameters": {
            "listOfAllowedLocations": {
                "value": ["eastus"]
            }
        },
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
                "listOfAllowedLocations": {
                    "type": "array"
                }
            },
            "variables": {},
            "resources": [
                {
                    "type": "Microsoft.Authorization/policyDefinitions",
                    "name": "policylocation",
                    "apiVersion": "2018-03-01",
                    "properties": {
                        "policyType": "Custom",
                        "displayName": "policylocation",
                        "description": "",
                        "mode": "all",
                        "parameters": {},
                        "policyRule": {
                            "if": {
                                "allOf": [
                                    {
                                        "field": "location",
                                        "notIn": "[parameters('listOfAllowedLocations')]"
                                    },
                                    {
                                        "field": "location",
                                        "notEquals": "global"
                                    },
                                    {
                                        "field": "type",
                                        "notEquals": "Microsoft.Compute/virtualMachines"
                                    }
                                ]
                            },
                            "then": {
                                "effect": "deny"
                            }
                        }
                    }
                }
            ]
        }
    }
}

Option 1b: You want to keep "listOfAllowedLocations" as a parameter and use it in your policy. You also want to apply the parameter at the POLICY DEFINITION scope, so that the resulting deployed list of allowed locations can be manipulated at assignment time. Note the subtle differences in parameter scope and parameter escaping ('[[') in the policy resource definition.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2019-10-01

Body:

{
    "location": "eastus",
    "properties": {
        "mode": "Incremental",
        "parameters": {},
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {},
            "variables": {},
            "resources": [
                {
                    "type": "Microsoft.Authorization/policyDefinitions",
                    "name": "policylocation",
                    "apiVersion": "2018-03-01",
                    "properties": {
                        "policyType": "Custom",
                        "displayName": "policylocation",
                        "description": "",
                        "mode": "all",
                        "parameters": {
                            "listOfAllowedLocations": {
                                "type": "array",
                                "defaultValue": ["eastus"]
                            }
                        },
                        "policyRule": {
                            "if": {
                                "allOf": [
                                    {
                                        "field": "location",
                                        "notIn": "[[parameters('listOfAllowedLocations')]"
                                    },
                                    {
                                        "field": "location",
                                        "notEquals": "global"
                                    },
                                    {
                                        "field": "type",
                                        "notEquals": "Microsoft.Compute/virtualMachines"
                                    }
                                ]
                            },
                            "then": {
                                "effect": "deny"
                            }
                        }
                    }
                }
            ]
        }
    }
}

Option 2: A static definition of the allowed locations. This essentially bypasses passing parameters through the deployment or the policy assignment.

{
    "location": "eastus",
    "properties": {
        "mode": "Incremental",
        "parameters": {},
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {},
            "variables": {},
            "resources": [
                {
                    "type": "Microsoft.Authorization/policyDefinitions",
                    "name": "policylocation",
                    "apiVersion": "2018-03-01",
                    "properties": {
                        "policyType": "Custom",
                        "displayName": "policylocation",
                        "description": "",
                        "mode": "all",
                        "parameters": {},
                        "policyRule": {
                            "if": {
                                "allOf": [
                                    {
                                        "field": "location",
                                        "notIn": ["eastus"]
                                    },
                                    {
                                        "field": "location",
                                        "notEquals": "global"
                                    },
                                    {
                                        "field": "type",
                                        "notEquals": "Microsoft.Compute/virtualMachines"
                                    }
                                ]
                            },
                            "then": {
                                "effect": "deny"
                            }
                        }
                    }
                }
            ]
        }
    }
}
answered 2020-05-22T15:03:08.720
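The checks above, as an added example that is not part of either answer or of the original question: a small Python linter run over constructed copies of the asker's template. It flags the unused parameter and the parameter-file "type" the answer ran into, and shows what ARM would store for Option 1a (the value substituted at deployment time) versus Option 1b (the "[[" escape reduced to a single bracket and left for assignment time). The helper names, the constructed template copies and the rule set are this example's own assumptions; it evaluates only whole-string "[parameters('x')]" references rather than general ARM expressions, and sends nothing to Azure.

```python
"""Offline checks for an ARM template that deploys an Azure Policy definition.
Added example, not code from the question, the answers or Microsoft; standard library only."""
import re

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")        # parameters('x') anywhere in an expression
WHOLE_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")  # a string that is exactly one such reference


def _nodes(obj):
    """Yield obj and every value nested inside it."""
    yield obj
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else ()
    for child in children:
        yield from _nodes(child)


def _refs(obj):
    """Parameter names used by ARM expressions: strings starting with "[" but not the "[[" escape."""
    strings = (n for n in _nodes(obj)
               if isinstance(n, str) and n.startswith("[") and not n.startswith("[["))
    return {name for s in strings for name in PARAM_REF.findall(s)}


def lint_deployment(template, param_file):
    """Problems ARM rejects up front, including the two the answer ran into."""
    problems, declared = [], template.get("parameters", {})
    for name, entry in param_file.get("parameters", {}).items():
        if "type" in entry:  # InvalidDeploymentParameterType: a parameter file carries only "value"
            problems.append(f"parameter file: '{name}' must not specify 'type'")
        if declared.get(name, {}).get("type") == "array" and not isinstance(entry.get("value"), list):
            problems.append(f"parameter file: '{name}' is an array but was given {entry.get('value')!r}")
    for name in sorted(set(declared) - _refs(template.get("resources", []))):
        problems.append(f"template: parameter '{name}' is declared but never referenced")
    return problems


def render(template, param_file):
    """Resources as ARM stores them: whole-string "[parameters('x')]" substituted, "[[" reduced to "["."""
    values = {k: v.get("value") for k, v in param_file.get("parameters", {}).items()}
    for name, decl in template.get("parameters", {}).items():
        values.setdefault(name, decl.get("defaultValue"))

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str) and node.startswith("[["):
            return node[1:]  # escaped: left for Azure Policy to evaluate at assignment time
        m = WHOLE_REF.match(node) if isinstance(node, str) else None
        if m and values.get(m.group(1)) is None:
            raise KeyError(f"no value for deployment parameter '{m.group(1)}'")
        return values[m.group(1)] if m else node

    return walk(template["resources"])


def lint_policy(props):
    """Checks on a stored policy definition's "properties"; run it on render() output."""
    problems, declared, used = [], set(props.get("parameters", {})), _refs(props["policyRule"])
    for name in sorted(declared - used):
        problems.append(f"policy: parameter '{name}' is declared but never used in policyRule")
    for name in sorted(used - declared):
        problems.append(f"policy: policyRule references undeclared parameter '{name}'")
    for cond in (n for n in _nodes(props["policyRule"]["if"]) if isinstance(n, dict) and "field" in n):
        for op in ("in", "notIn"):
            if isinstance(cond.get(op), str) and not cond[op].startswith("["):
                problems.append(f"policy: '{op}' needs an array or an expression, got {cond[op]!r}")
    return problems


def policy_template(deployment_params, policy_params, not_in):
    """Constructed copy of the asker's template; only the three spots that vary are arguments."""
    rule = {"if": {"allOf": [{"field": "location", "notIn": not_in},
                             {"field": "location", "notEquals": "global"},
                             {"field": "type", "notEquals": "Microsoft.Compute/virtualMachines"}]},
            "then": {"effect": "deny"}}
    return {"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "parameters": deployment_params, "variables": {},
            "resources": [{"type": "Microsoft.Authorization/policyDefinitions", "name": "policylocation",
                           "apiVersion": "2018-03-01",
                           "properties": {"policyType": "Custom", "displayName": "policylocation",
                                          "mode": "all", "parameters": policy_params, "policyRule": rule}}]}


ARRAY = {"listOfAllowedLocations": {"type": "array"}}
# As posted: declared at both scopes, used at neither, and notIn given a bare string.
ASKED = policy_template(ARRAY, ARRAY, "EastUS")
ASKED_PARAMS = {"parameters": {"listOfAllowedLocations": {"type": "array", "value": "EastUS"}}}
# Option 1a: deployment-scope parameter, resolved by ARM and baked into the stored policy.
OPTION_1A = policy_template(ARRAY, {}, "[parameters('listOfAllowedLocations')]")
OPTION_1A_PARAMS = {"parameters": {"listOfAllowedLocations": {"value": ["eastus"]}}}
# Option 1b: policy-scope parameter with a default, escaped so ARM leaves it for assignment time.
OPTION_1B = policy_template({}, {"listOfAllowedLocations": {"type": "array", "defaultValue": ["eastus"]}},
                            "[[parameters('listOfAllowedLocations')]")

if __name__ == "__main__":
    for label, tpl, params in (("as asked", ASKED, ASKED_PARAMS),
                               ("option 1a", OPTION_1A, OPTION_1A_PARAMS), ("option 1b", OPTION_1B, {})):
        stored = render(tpl, params)[0]["properties"]
        print(label, lint_deployment(tpl, params) + lint_policy(stored),
              "| stored notIn:", stored["policyRule"]["if"]["allOf"][0]["notIn"])
```

Running it reports five findings for the template as posted (the "type" in the parameter file, the array given a bare string, the deployment parameter never referenced, the policy parameter never used, and notIn given a string) and none for either option; the stored notIn is ["eastus"] for Option 1a and the literal expression "[parameters('listOfAllowedLocations')]" for Option 1b, which is exactly the difference between fixing the list at deployment time and leaving it to the assignment. A pipeline can run these checks before the PUT so that a broken definition is caught at build time rather than by a deserialization error from ARM.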
0

The problem is that the policy does not make use of the listOfAllowedLocations parameter. I would remove it and make the parameters just empty braces.

Here is a resource: https://review.docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure?branch=pr-en-us-116104

answered 2020-05-21T20:27:55.287