我正在尝试创建一个自动过程,一旦SQL服务器部署,将SQL Server上的Azure Active Directory添加到Azure组。我还想添加一个安全组。我正在考虑使用Azure策略来实现这一点。政策规则是什么样的?如果有更好的Azure服务/功能来实现我的任务,它是什么?
以下是对我有用的示例策略定义,它评估并提供现有资源上的投诉和非投诉资源。另外请注意,在评估周期中,带有"DeployIfNotExists"的策略定义匹配资源被标记为不兼容的效果,但对该资源不采取任何操作。现有的不合规资源可以通过修复任务进行修复。
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Sql/servers/administrators",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Sql/servers/administrators/administratorType",
"equals": "ActiveDirectory"
},
{
"field": "Microsoft.Sql/servers/administrators/login",
"equals": "xxxx@xxxxxx.com"
},
{
"field": "Microsoft.Sql/servers/administrators/sid",
"equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
},
{
"field": "Microsoft.Sql/servers/administrators/tenantId",
"equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"name": "[parameters('sqlServerName')]",
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"location": "[parameters('location')]",
"resources": [
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "xxxx@xxxxxx.com",
"sid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
}
}
]
}
]
},
"parameters": {
"sqlServerName": {
"value": "[field('Name')]"
},
"location": {
"value": "[field('Location')]"
}
}
}
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
]
}
}
},
"parameters": {}
}