【发布时间】:2018-10-08 23:11:14
【问题描述】:
我正在尝试在允许的内置位置 Azure 策略中使用。
在我的 ARM 模板定义下
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"listOfAllowedLocations": {
"type": "Array"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Test",
"apiVersion": "2018-03-01",
"properties": {
"displayName": "Test allowed locations",
"policyType": "BuiltIn",
"description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
"parameters": {
"listOfAllowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of locations that can be specified when deploying resources.",
"strongType": "location",
"displayName": "Allowed locations"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "location",
"in": "[parameters('listOfAllowedLocations')]"
}
},
"then": {
"effect": "Deny"
}
}
}
}],
"outputs": {}
}
当我尝试使用 Visual Studio 部署选项进行部署时出现以下错误
{
"error": {
"code": "InvalidPolicyUri",
"message": "The policy request scope '/subscriptions/xxx/resourcegroups/Test' should be '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'."
}
}
如果有人能指导我使用 Visual Studio 部署策略的正确方法,我将不胜感激。此模板在 VS 部署测试成功后将进入 DevOps 发布管道。
【问题讨论】:
-
能否请将您的
parameters.json文件发布到您定义listOfAllowedLocations的位置 -
错误表示
If you plan to apply this policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you will assign the initiative or policy to. -
谢谢Joy Wang。我还是一头雾水,能不能多指导一下?
-
我尝试在属性中添加 "scope": "[subscription().id]" 仍然没有成功。
-
你不是想创建一个新的定义吧?要使用内置策略,您只需创建一个策略分配,通过其 Id 引用内置定义(而不是新的策略定义)。
标签: azure cloud policies azure-policy