我有一个自定义策略(Azure Policy)定义:
// Policy: Management Group Level
//
// Custom Azure Policy definition, created at the management group given by
// data.azurerm_management_group.parent-mg, that denies any resource whose
// "location" field is not "eastus".
//
// NOTE(review): mode "All" also evaluates resource groups and resource types
// that carry no regional location, and the rule makes no exception for
// resources reported with location "global". Confirm that a blanket Deny on
// those is intended before this is assigned broadly; trialling the rule with
// an audit effect first shows what it would block.
resource "azurerm_policy_definition" "only-deploy-in-eastus" {
  name                = "only-deploy-in-eastus"
  display_name        = "only-deploy-in-eastus"
  policy_type         = "Custom"
  mode                = "All"
  management_group_id = data.azurerm_management_group.parent-mg.id

  // Azure Policy rule JSON, supplied through a heredoc.
  policy_rule = <<POLICY_RULE
{
"if": {
"not": {
"field": "location",
"equals": "eastus"
}
},
"then": {
"effect": "Deny"
}
}
POLICY_RULE
}
以及引用上述策略的自定义计划(Initiative,即策略集):
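// Policy Initiative
//
// Display names of the custom policy definitions that make up the
// geo-governance policy set. The element type is spelled out as
// list(string) instead of the legacy bare "list" keyword, so a non-string
// entry is rejected at validation time rather than passed to the lookup.
variable "custom_geo_definitions" {
  type        = list(string)
  description = "List of policy definitions (display names) for the Geo_governance policyset"
  default = [
    "only-deploy-in-eastus",
  ]
}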
// Looks up one existing policy definition per entry of
// var.custom_geo_definitions, matching on display name.
//
// NOTE(review): this data source has no dependency on any
// azurerm_policy_definition resource, so if the definition is created in the
// same configuration the lookup may run before it exists. A display name is
// also presumably not a unique key; confirm that the lookup cannot resolve to
// a different definition carrying the same display name, or reference the
// resource's id directly.
data "azurerm_policy_definition" "custom_geo_definitions" {
  count        = length(var.custom_geo_definitions)
  display_name = var.custom_geo_definitions[count.index]
}
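// Custom policy set (initiative) that groups the geo-location governance
// policies looked up by data.azurerm_policy_definition.custom_geo_definitions.
resource "azurerm_policy_set_definition" "custom_geo_policy_set" {
  name         = "custom_geo_policy_set"
  policy_type  = "Custom"
  display_name = "Custom Geo-Location Governance"
  description  = "Contains common Geo-Location Governance policies"

  // jsonencode escapes the category value, so a quote or backslash in the
  // variable cannot produce malformed metadata JSON.
  metadata = jsonencode({
    category = var.policyset_definition_category
  })

  // One reference per looked-up definition, so every entry of
  // var.custom_geo_definitions ends up in the set rather than only the first.
  // With the default single-entry list this yields exactly one reference.
  dynamic "policy_definition_reference" {
    for_each = data.azurerm_policy_definition.custom_geo_definitions
    content {
      policy_definition_id = policy_definition_reference.value.id
    }
  }
}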
我不想像上面所示的那样单独定义策略。
我想在 azurerm_policy_set_definition(Azure 策略计划)中定义策略。这可行吗?一般来说,使用哪种方法?
最佳答案
我尝试复现了直接在 azurerm_policy_set_definition 中声明策略定义的做法:
// Failing attempt, kept exactly as written to show why it does not work:
// arguments that belong to an azurerm_policy_definition resource are placed
// inside the policy_definition_reference block. Terraform reports policy_rule
// as an unsupported argument and policy_definition_id as a missing required
// argument (see the error output that follows this listing).
resource "azurerm_policy_set_definition" "example" {
name = "katestPolicySet"
policy_type = "Custom"
display_name = "Test Policy Set"
// Parameter declared on the policy set itself.
parameters = <<PARAMETERS
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}
PARAMETERS
// Invalid: this block must carry policy_definition_id; a rule cannot be
// defined inline here.
policy_definition_reference {
name = "only-deploy-in-eastus"
policy_type = "Custom"
mode = "All"
display_name = "only-deploy-in-eastus"
management_group_id = azurerm_management_group.example.id
policy_rule = <<POLICY_RULE
{
"if": {
"not": {
"field": "location",
"equals": "eastus"
}
},
"then": {
"effect": "Deny"
}
}
POLICY_RULE
}
....
}
但这会导致错误,例如“不支持的参数”(Unsupported argument):
Unsupported argument
policy_rule = <<POLICY_RULE
│
│ An argument named "policy_rule" is not expected here.
还有
Error: Missing required argument
│
│ on main.tf line 64, in resource "azurerm_policy_set_definition" "example":
│ 64: policy_definition_reference {
│
│ The argument "policy_definition_id" is required, but no definition was found.
通常,在 azurerm_policy_set_definition 的 policy_definition_reference 块中,policy_definition_id(策略定义 ID)是必须声明的参数之一,因此需要先有一个 azurerm_policy_definition 资源来提供这个 ID。
// Management group whose id the policy definition passes as
// management_group_id.
resource "azurerm_management_group" "example" {
  display_name = "xManagement Group"
}
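// Custom policy definition, created at the example management group, that
// flags resources whose location is not in the allowedLocations parameter.
//
// Fixes to the listing as printed: the metadata heredoc was never terminated
// and the resource block was never closed, so it could not be parsed.
//
// NOTE(review): the effect is "audit", which only records non-compliance and
// does not block a deployment; use a deny effect if the goal is enforcement.
// The resource is named "onlydeployineastus", yet "eastus" is not among the
// parameter's allowedValues and the default is "westus2"; confirm which
// regions are actually meant to be permitted.
resource "azurerm_policy_definition" "policy" {
  name                = "onlydeployineastus"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "onlydeployineastus"
  management_group_id = azurerm_management_group.example.id

  metadata = <<METADATA
{
"category": "General"
}
METADATA

  // The rule reads the allowed regions from the parameter declared below.
  policy_rule = <<POLICY_RULE
{
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
POLICY_RULE

  parameters = <<PARAMETERS
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}
PARAMETERS
}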
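// Policy set (initiative) that references the separately declared policy
// definition by id and forwards its own allowedLocations parameter to it.
//
// Fixes to the listing as printed: the key in parameter_values must be the
// parameter name declared by the referenced definition ("allowedLocations",
// not "listOfAllowedLocations"), and "[parameters('allowedLocations')]" only
// resolves if the set declares that parameter itself.
//
// NOTE(review): the referenced definition is created at a management group,
// while this set sets no scope of its own. Confirm the set is created at a
// scope at or below that management group, otherwise the reference may be
// rejected.
resource "azurerm_policy_set_definition" "example" {
  name         = "katestPolicySet"
  policy_type  = "Custom"
  display_name = "Test Policy Set"

  // Set-level parameter, supplied when the initiative is assigned.
  parameters = <<PARAMETERS
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}
PARAMETERS

  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.policy.id

    // Maps the definition's allowedLocations parameter to the set's own.
    parameter_values = <<VALUE
{
"allowedLocations": {"value": "[parameters('allowedLocations')]"}
}
VALUE
  }
}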
引用:azurerm_policy_set_definition | Resources | hashicorp/azurerm | Terraform Registry
关于 azure - Terraform : How to define the Azure Policy Initiative along with Azure Policies?,我们在 Stack Overflow 上找到一个类似的问题: https://stackoverflow.com/questions/74113636/