json - Creating an Azure policy with Terraform

Reposted. Author: 行者123. Updated: 2023-12-03 02:05:30

I am trying to create an Azure policy with Terraform to add tags to resources. I want all resources to inherit the resource group's tags.

I have been following various docs and examples, but I cannot figure out how to assign the tags on the resources.

I think I am close. I do not want to write the tags into every resource, which is not sustainable.

My code is split across 3 different files:

main.tf

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.37.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.31.0"
    }
  }
}

provider "azurerm" {
  subscription_id = var.azure_subscription_id
  tenant_id       = var.azure_tenant_id
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

#create azure resource group
resource "azurerm_resource_group" "rg" {
  name     = var.azure_rg_name
  location = var.azure_resource_group_location
  tags = {
    costcenter  = var.azure_costcenter
    projectcode = var.azure_project_code
    environment = var.azure_env_code
    client      = var.azure_client_code
  }
}

#Create azure storage account
resource "azurerm_storage_account" "sa" {
  name                     = lower("${var.azure_project_code}${var.azure_env_code}sa01")
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.azure_resource_group_location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

#Create container in previously created sa
resource "azurerm_storage_container" "ctnr2" {
  name                  = lower("${var.azure_project_code}${var.azure_env_code}tfstate01")
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}

#create azure policy definition
resource "azurerm_policy_definition" "az_pol_def" {
  name         = "Append a tag and its value to resources"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Append a tag and its value to resources"

  metadata = jsonencode({
    "version" : "1.0.1",
    "category" : "Tags "
  })

  policy_rule = jsonencode({
    "if" : {
      "field" : "[concat('tags[', parameters('tagName'), ']')]",
      "exists" : "false"
    },
    "then" : {
      "effect" : "append",
      "details" : [
        {
          "field" : "[concat('tags[', parameters('tagName'), ']')]",
          "value" : "[parameters('tagValue')]"
        }
      ]
    }
  })
}

#assign azure policy created previously
resource "azurerm_resource_group_policy_assignment" "az_pol_assign" {
  name                 = "Append a tag and its value to resources"
  resource_group_id    = azurerm_resource_group.rg.id
  policy_definition_id = azurerm_policy_definition.az_pol_def.id

  parameters = jsonencode({
    "parameters" : {
      "tagName" : {
        "type" : "String",
        "metadata" : {
          "displayName" : "Tag Name",
          "description" : "Name of the tag, such as 'environment'"
        }
      },
      "tagValue" : {
        "type" : "String",
        "metadata" : {
          "displayName" : "Tag Value",
          "description" : "Value of the tag, such as 'production'"
        }
      }
    },
  })
}

variables.tf

variable "azure_resource_group_location" {
  default     = "west europe"
  description = "Location of the resource group."
}

variable "azure_subscription_id" {
  type        = string
  description = "Azure Subscription Id"
}

variable "azure_tenant_id" {
  type        = string
  description = "Azure Tenant Id"
}

variable "azure_rg_name" {
  type        = string
  description = "Azure Resource Group Name"
}

variable "azure_costcenter" {
  type        = string
  description = "Azure Tag Cost Center"
}

variable "azure_client_code" {
  type        = string
  description = "Azure Tag Client"
}

variable "azure_project_code" {
  type        = string
  description = "Azure Tag Project Code"
}

variable "azure_env_code" {
  type        = string
  description = "Azure Tag Environment Code"
}

resource_group_name.tfvars

#Azure tenant id
azure_tenant_id = "********-****-****-****-************"
#Azure subscription
azure_subscription_id = "********-****-****-****-************"
#Azure resource group location
azure_resource_group_location = "west europe"
#Azure RG name
azure_rg_name = "resource_group_name"
#Azure tag
azure_costcenter = "missions"
#Azure tag project code
azure_project_code = "test_project"
#Azure tag client code
azure_client_code = "leanne"
#Environment tag code :
azure_env_code = "dev"

I know that "parameter_values" should be used for my tags, but I am not sure how?

Here is an error message that may help: error message

Any help would be greatly appreciated.

Thanks in advance!

Best answer

You declared the policy parameters in the policy assignment (az_pol_assign).
Instead, you should declare the parameters in the policy definition (az_pol_def).

In your policy assignment you can then set the values you want to pass as parameters:

#assign azure policy created previously
resource "azurerm_resource_group_policy_assignment" "az_pol_assign" {
  name                 = "Append a tag and its value to resources"
  resource_group_id    = azurerm_resource_group.rg.id
  policy_definition_id = azurerm_policy_definition.az_pol_def.id

  parameters = jsonencode({
    tagName = {
      value = "environment"
    },
    tagValue = {
      value = "production"
    }
  })
}

Note: when you use jsonencode() you do not need to write plain JSON; you can use the simpler HashiCorp Configuration Language (HCL) syntax, as I did in my example.

On json - Creating an Azure policy with Terraform, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/74962335/