我已经按如下方式配置了策略。它不起作用,我正在寻求一些帮助。如何配置此azure策略规则以拒绝基于标记值在资源组中创建存储帐户?
"policyRule": {
"if": {
"allOf": [
{
"anyOf": [
{
"field": "type",
"equals": "Microsoft.resources/subscriptions/resourcegroups"
},
{
"field": "type",
"equals": "Microsoft.storage/storageaccounts"
}
]
},
{
"field": "tags.RestrictStorage",
"equals": "true"
}
]
},
"then": {
"effect": "deny"
}
}
allof
等价于逻辑运算符AND
,而anyOf
相当于OR
算子
由于您想根据添加的标签限制在特定资源组下创建存储帐户,因此它看起来像这样:
"policyRule":
{
"if":
{
"allOf":
[
{
"allOf":
[
{
"field":"type",
"equals":"Microsoft.storage/storageaccounts"
},
{
"field":"type",
"type":"Microsoft.resources/subscriptions/resourcegroups"
}
]
},
{
"field": "tags.RestrictStorage",
"equals": "true"
}
]
},
"then":
{
"effect": "deny"
}
}
参考:
策略定义结构的详细信息-Azure策略| Microsoft Docs
教程:创建自定义策略定义-Azure policy | Microsoft Docs