I am trying to create an Azure Policy that deploys a resource lock of level "CanNotDelete" to the resource groups within a subscription.
Currently the policy reports 100% compliance, but it has not created any locks.
My JSON policy.rules file contains the following:
{
    "if": {
        "field": "type",
        "equals": "Microsoft.Resources/resourceGroups"
    },
    "then": {
        "effect": "deployIfNotExists",
        "details": {
            "type": "Microsoft.Authorization/locks",
            "existenceCondition": {
                "field": "Microsoft.Authorization/locks/level",
                "equals": "CanNotDelete"
            },
            "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/0000-0000-0000-0000-0000000"
            ],
            "deployment": {
                "properties": {
                    "mode": "incremental",
                    "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                            "location": {
                                "type": "string"
                            }
                        },
                        "resources": [
                            {
                                "type": "Microsoft.Authorization/locks",
                                "apiVersion": "2017-04-01",
                                "name": "ResourceLock",
                                "properties": {
                                    "level": "CanNotDelete",
                                    "notes": "Prevent accidental deletion of resource groups"
                                }
                            }
                        ]
                    }
                }
            }
        }
    }
}
Managed to get it working with two changes:
- The "if" field path: Microsoft.Resources/subscriptions/resourceGroups
- For some reason the managed identity had not been created; it is required for the "deployIfNotExists" policy effect.
I hope this helps anyone who runs into the same problem.
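The two pitfalls in the answer above (a policy "if" that matches no resource group, and a deployIfNotExists assignment with no managed identity) both produce the same misleading symptom: 100% compliance and no locks. The following added example, which is not the poster's file nor any Azure SDK code, reconstructs the corrected policy rule from the two bullet points and lints a rule/assignment pair offline for exactly those defects. The assignment shape, the "westeurope" location, the placeholder policy definition id and the choice of the built-in Owner role (which carries Microsoft.Authorization/locks/write) are assumptions of this example.

```python
"""Offline lint for a deployIfNotExists (DINE) policy that deploys a
CanNotDelete lock onto resource groups.  Added example, not the poster's
code; works on plain dicts shaped like `policyRule` and a policy assignment."""

import copy
import json

# Alias Azure Policy uses for resource groups (the post's first fix).
RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
# Built-in Owner role id; it includes Microsoft.Authorization/locks/write.
OWNER_ROLE_ID = ("/providers/Microsoft.Authorization/roleDefinitions/"
                 "8e3af657-a8ff-443c-a75c-2fe8c4bcb635")

# Corrected policy rule, reconstructed from the post's two bullet points.
CORRECTED_RULE = {
    "if": {"field": "type", "equals": RESOURCE_GROUP_TYPE},
    "then": {
        "effect": "deployIfNotExists",
        "details": {
            "type": "Microsoft.Authorization/locks",
            "existenceCondition": {
                "field": "Microsoft.Authorization/locks/level",
                "equals": "CanNotDelete",
            },
            "roleDefinitionIds": [OWNER_ROLE_ID],
            "deployment": {"properties": {
                "mode": "incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                    "contentVersion": "1.0.0.0",
                    "resources": [{
                        "type": "Microsoft.Authorization/locks",
                        "apiVersion": "2017-04-01",
                        "name": "ResourceLock",
                        "properties": {
                            "level": "CanNotDelete",
                            "notes": "Prevent accidental deletion of resource groups",
                        },
                    }],
                },
            }},
        },
    },
}

# Assignment with the system-assigned identity DINE needs.  An assignment that
# carries an identity must also state the location the identity is created in
# (assumed value below); the definition id is a labelled placeholder.
CORRECTED_ASSIGNMENT = {
    "location": "westeurope",
    "identity": {"type": "SystemAssigned"},
    "properties": {"policyDefinitionId": "<policy-definition-id placeholder>"},
}


def as_posted_rule():
    """The rule as originally posted: same body, wrong resource group type."""
    rule = copy.deepcopy(CORRECTED_RULE)
    rule["if"]["equals"] = "Microsoft.Resources/resourceGroups"
    return rule


def as_posted_assignment():
    """The assignment as the post implies it was: no managed identity."""
    return {"properties": {"policyDefinitionId": "<policy-definition-id placeholder>"}}


def lint_lock_policy(rule, assignment):
    """Return findings explaining why a DINE lock policy would report
    100% compliance while creating no locks; empty list means no defect found."""
    findings = []
    cond = rule.get("if", {})
    if cond.get("field") == "type" and cond.get("equals") != RESOURCE_GROUP_TYPE:
        findings.append(f"'if' matches type {cond.get('equals')!r}; resource groups are "
                        f"evaluated as {RESOURCE_GROUP_TYPE!r}, so nothing is in scope "
                        "and the assignment looks 100% compliant")
    then = rule.get("then", {})
    if then.get("effect", "").lower() != "deployifnotexists":
        return findings  # remaining checks only apply to DINE
    identity_type = assignment.get("identity", {}).get("type", "None")
    if identity_type not in ("SystemAssigned", "UserAssigned"):
        findings.append("deployIfNotExists needs a managed identity on the assignment; "
                        "without one no deployment (and no lock) is ever created")
    elif "location" not in assignment:
        findings.append("an assignment with a managed identity must set 'location'")
    if not then.get("details", {}).get("roleDefinitionIds"):
        findings.append("roleDefinitionIds is empty; the identity gets no role and "
                        "the lock deployment fails with authorization errors")
    return findings


if __name__ == "__main__":
    print(json.dumps(lint_lock_policy(as_posted_rule(), as_posted_assignment()), indent=2))
    print(json.dumps(lint_lock_policy(CORRECTED_RULE, CORRECTED_ASSIGNMENT), indent=2))
```

Running the lint on the posted rule together with an assignment that has no identity reports both problems from the answer; the corrected pair reports none. Note that fixing the definition alone is not enough: the identity lives on the assignment, and existing resource groups are only locked once a remediation task runs for that assignment.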