Asked by: Helena Raia    Asked: 11/17/2023    Updated: 11/17/2023    Views: 37
Azure policy for naming conventions for subnets to start with "snet", but allow subnet names like "AzureBastionSubnet", "AzureFirewallSubnet", etc
Q:
I am creating an Azure policy that enforces a naming convention for my subnets. Subnets should follow the format snet---. For this I used the regular expression:
[if(and(greaterOrEquals(length(split(field('name'), '-')), 0), equals(split(field('name'), '-')[0], 'snet')), if(and(greaterOrEquals(length(split(field('name'), '-')), 1), contains(parameters('unit'), split(field('name'), '-')[1])), if(and(greaterOrEquals(length(split(field('name'), '-')), 2), contains(parameters('env'), split(field('name'), '-')[2])), 'isValid', 'Environment not accepted')]
This works as expected. However, when I try to allow the creation of a subnet named "AzureBastionSubnet", I get an error saying that the name should follow the format above.
Here is the code of the policy:
{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "equals": "Microsoft.Network/virtualNetworks/subnets",
                    "field": "type"
                },
                {
                    "anyOf": [
                        {
                            "value": "(equals(field('name'),'AzureBastionSubnet')",
                            "notEquals": "true"
                        },
                        {
                            "notEquals": "isValid",
                            "value": "[if(and(greaterOrEquals(length(split(field('name'), '-')), 0), equals(split(field('name'), '-')[0], 'snet')), if(and(greaterOrEquals(length(split(field('name'), '-')), 1), contains(parameters('unit'), split(field('name'), '-')[1])), if(and(greaterOrEquals(length(split(field('name'), '-')), 2), contains(parameters('env'), split(field('name'), '-')[2])), 'isValid', 'Environment not accepted')]"
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {
        "unit": {
            "type": "Array",
            "metadata": {
                "displayName": "unit",
                "description": null
            }
        },
        "env": {
            "type": "Array",
            "metadata": {
                "displayName": "env",
                "description": null
            }
        }
    }
}
Is there a problem with how I express that the value "AzureBastionSubnet" should also be allowed?
Thanks in advance for your help.
A:
1 upvote
Venkat V
11/17/2023
#1
Azure policy for subnet naming convention starting with "snet", but allowing subnet names like AzureBastionSubnet
Below is the updated policy, which requires subnet names to start with snet based on the unit and environment conditions, and also allows specific names such as AzureBastionSubnet. In my case I set the unit parameter to IT and the env parameter to test.
{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "equals": "Microsoft.Network/virtualNetworks/subnets",
                    "field": "type"
                },
                {
                    "not": {
                        "anyOf": [
                            {
                                "equals": "AzureBastionSubnet",
                                "field": "name"
                            },
                            {
                                "equals": "isValid",
                                "value": "[if(and(equals(split(concat(field('name'), '--'), '-')[0], 'snet'), contains(parameters('unit'), split(concat(field('name'), '--'), '-')[1]), contains(parameters('env'), split(concat(field('name'), '--'), '-')[2])), 'isValid', 'Environment not accepted')]"
                            }
                        ]
                    }
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {
        "unit": {
            "type": "Array",
            "metadata": {
                "displayName": "unit",
                "description": null
            }
        },
        "env": {
            "type": "Array",
            "metadata": {
                "displayName": "env",
                "description": null
            }
        }
    }
}
The policy only allows a subnet to be created when the specified conditions are met. For example, "snet-IT-test" is considered valid, while "snet-IT-demo" is invalid. Likewise, "AzureBastionSubnet" is valid, but "AzureBastionSubnet1" is invalid. The policy only allows subnet creation under valid conditions; otherwise it denies creating the subnet.
Subnet results in the portal
Comments
0 upvotes
Helena Raia
11/18/2023
It worked! Thanks!
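The following is an added example, not code from the thread or from either participant: an offline Python model of the policy logic discussed above, so candidate subnet names can be dry-run against the rule before the definition is assigned. It mirrors the rule's evaluation order (match the resource type, then deny unless the name is a reserved platform name or the value expression returns 'isValid') and reproduces the padded split, which appends '--' to the name before splitting so that a short name such as 'AzureBastionSubnet' always yields at least three segments and indexing [1] and [2] can never fail. The reserved-name list (only the two names mentioned on the page), the parameter values and the sample names are all constructed assumptions.

```python
# Added example: offline model of the subnet-naming Azure Policy rule.
# Not the thread's own code; reserved names and sample inputs are assumptions.
from typing import Dict, Iterable, List, Sequence

SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"

# The page names AzureBastionSubnet and AzureFirewallSubnet; extend this set
# for your own environment (assumption: these are the only reserved names here).
RESERVED_SUBNET_NAMES = frozenset({"AzureBastionSubnet", "AzureFirewallSubnet"})


def name_segments(name: str) -> List[str]:
    """Mirror split(concat(field('name'), '--'), '-').

    Padding with '--' guarantees at least three segments, so [0], [1] and [2]
    exist even for a one-segment name such as 'AzureBastionSubnet'.
    """
    return (name + "--").split("-")


def naming_result(name: str, unit: Sequence[str], env: Sequence[str]) -> str:
    """Reproduce the policy's value expression.

    Returns 'isValid' when the name is snet-<unit>-<env>, otherwise the
    rule's literal 'Environment not accepted'. Comparisons use Python's
    case-sensitive str equality; confirm this matches the equals()/contains()
    semantics you observe in your tenant.
    """
    seg = name_segments(name)
    ok = seg[0] == "snet" and seg[1] in unit and seg[2] in env
    return "isValid" if ok else "Environment not accepted"


def policy_denies(resource_type: str, name: str, unit: Sequence[str],
                  env: Sequence[str],
                  reserved: Iterable[str] = RESERVED_SUBNET_NAMES) -> bool:
    """True when the deny effect would fire for this resource."""
    if resource_type != SUBNET_TYPE:      # outer allOf: only subnets are in scope
        return False
    # anyOf: reserved name OR value expression evaluates to 'isValid'
    allowed = name in set(reserved) or naming_result(name, unit, env) == "isValid"
    return not allowed                     # not: deny everything that is not allowed


def evaluate_names(names: Iterable[str], unit: Sequence[str],
                   env: Sequence[str]) -> Dict[str, str]:
    """Dry-run a batch of candidate subnet names and return allow/deny per name."""
    return {
        n: ("deny" if policy_denies(SUBNET_TYPE, n, unit, env) else "allow")
        for n in names
    }


if __name__ == "__main__":
    # Constructed sample inputs: the parameter values and names used in the thread.
    UNIT, ENV = ["IT"], ["test"]
    candidates = ["snet-IT-test", "snet-IT-demo", "AzureBastionSubnet",
                  "AzureBastionSubnet1", "snet"]
    for subnet_name, verdict in evaluate_names(candidates, UNIT, ENV).items():
        print(f"{subnet_name:22} -> {verdict}")
```

Run it as a script to see the verdicts for the names from the thread; feed it your own unit and env arrays to check a naming scheme before pushing the policy definition.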