azure - 如何通过 templatefile(path,vars) 语法使用 `policy_definition_reference` block

Question

我正在使用 Terraform 设置多个标记策略定义。我已经提到了自定义 json 文件中带有策略定义 ID 和参数的标签定义。

tag_definitions.json

[
  {
    "parameters": {
      "tagName": {
        "value": "cost_center"
      },
      "tagValue": {
        "value": "${cost_center}"
      }
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/XXXXXXX-XXXXXXX"
  }
]

ma​​in.tf

resource "azurerm_policy_set_definition" "tag_definition" {
  name         = "${var.subscription_name}-tag-definition"
  display_name = "${var.subscription_name}-tag-definition"
  description  = "Append the default tags definition"
  policy_type  = "Custom"
  policy_definitions = templatefile("${path.module}/templates/tag_definitions.json",
  { cost_center = var.cost_center })
  metadata = <<METADATA
    { "category" : "Tags" }
  METADATA
  lifecycle { ignore_changes = [metadata] }
}

在上面的 main.tf 文件中，policy_definitions 参数现已弃用。相反，我想使用 policy_definition_reference 参数。

我已关注azurerm_policy_set_definition文档。但本文档不包含有关如何使用“policy_definition_reference” block 设置多个策略定义的信息。

我想将 policy_definition_reference block 与我的自定义 tag_definitions.json 文件以及参数值一起使用。

根据以下评论，我尝试使用以下代码。但它没有按预期工作。

tag_definitions_params.json

 [
  {
    "parameters": {
      "tagName": {
        "value": "common.cost_center"
      },
      "tagValue": {
        "value": "${cost_center}"
      }
    }
  },
  {
    "parameters": {
      "tagName": {
        "value": "common.env_type"
      },
      "tagValue": {
        "value": "${env_type}"
      }
    }
  }
]

ma​​in.tf

resource "azurerm_policy_set_definition" "tag_definition" {
  name         = "${var.subscription_name}-tag-definition"
  display_name = "${var.subscription_name}-tag-definition"
  description  = "Append the default tags definition"
  policy_type  = "Custom"
  #policy_definitions = templatefile("${path.module}/templates/tag_definitions.json",
  #{ cost_center = var.cost_center, env_type = var.env_type, owner_accountname = var.owner_accountname, product = var.product })
  policy_definition_reference {
    policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/XXXXXXXX"
    parameter_values     = templatefile("${path.module}/templates/tag_definitions_params.json",
                            { 
                              cost_center = var.cost_center,
                              env_type = var.env_type
                            })
  }
  policy_definition_reference {
    policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/XXXXXXXXX"
    parameter_values     = templatefile("${path.module}/templates/tag_definitions_params.json",
                            { 
                              cost_center = var.cost_center,
                              env_type = var.env_type
                            })
  }
  metadata = <<METADATA
    { "category" : "Tags" }
  METADATA
  lifecycle { ignore_changes = [metadata] }
}

Answer 1

您可以在此处找到有关“policy_definition_reference” block 的信息:

A policy_definition_reference block supports the following:

policy_definition_id - (Required) The ID of the policy definition orpolicy set definition that will be included in this policy setdefinition.

parameter_values - (Optional) Parameter values for the referencedpolicy rule. This field is a JSON string that allows you to assignparameters to this policy rule.

reference_id - (Optional) A unique ID within this policy setdefinition for this policy definition reference.

policy_group_names - (Optional) A list of names of the policydefinition groups that this policy definition reference belongs to.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition#policy_definition_reference

您也可以使用如下:

policy_definition_id ="/providers/Microsoft.Authorization/policyDefinitions/XXXXXXX-XXXXXXX" 
parameter_values = templatefile("${path.module}/templates/tag_definitions_params.json" 

因此，您只需将参数包含在 json 文件中，并使用 policy_definition_id 属性在 terraform 代码中设置策略集的 id。