【发布时间】:2020-04-02 12:45:36
【问题描述】:
尝试创建与 Azure 中的订阅相关联的策略,该策略将拒绝创建没有特定“costCenter”标记的资源组。我为订阅分配了以下策略,其中“coreTagName1”完成为“costCenter”:
"properties": {
"displayName": "manual_test_1",
"policyType": "Custom",
"mode": "Indexed",
"description": "manual test for tag enforcement",
"metadata": {
"category": "test",
"createdBy": "#########",
"createdOn": "2020-04-02T12:27:39.2686671Z",
"updatedBy": "#########",
"updatedOn": "2020-04-02T12:35:32.5608728Z"
},
"parameters": {
"coreTagName1": {
"type": "String",
"metadata": {
"displayName": "tagName to enforce",
"description": "Name of the tag, such as costCenter"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"exists": "false",
"field": "[concat('tags[', parameters('coreTagName1'), ']')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/subscriptions/#########/providers/Microsoft.Authorization/policyDefinitions/########",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "#######"
}
但我仍然可以创建资源组而不指定任何标签。我觉得我在我的方法中遗漏了一些基本的东西,但我还不能理解它。
【问题讨论】:
-
策略可能仍处于“未启动”的合规状态。您是否检查了合规性状态?
-
啊,确实是这样。没有意识到分配策略和实际执行之间存在延迟。谢谢。
-
是的!这需要一些时间。编码快乐!