
Terraform: how to define an Azure Policy and an Azure Policy initiative?

Stack Overflow user
Asked on 2022-10-18 15:30:19
1 answer, 164 views, 0 followers, 0 votes

I have a custom policy:

```hcl
// Policy: Management Group Level
resource "azurerm_policy_definition" "only-deploy-in-eastus" {
  name                = "only-deploy-in-eastus"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "only-deploy-in-eastus"
  management_group_id = data.azurerm_management_group.parent-mg.id

  // Deny any resource whose location is not eastus
  policy_rule = <<POLICY_RULE
    {
      "if": {
        "not": {
          "field": "location",
          "equals": "eastus"
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
POLICY_RULE
}
```

and a custom initiative that references the policy above:

```hcl
// Policy Initiative
variable "custom_geo_definitions" {
  type        = list(string)
  description = "List of policy definitions (display names) for the Geo_governance policyset"
  default = [
    "only-deploy-in-eastus"
  ]
}

// Referenced in the metadata below but not declared in the original post
variable "policyset_definition_category" {
  type    = string
  default = "General"
}

// Look the definitions up by display name at the management group where they were created
data "azurerm_policy_definition" "custom_geo_definitions" {
  count                 = length(var.custom_geo_definitions)
  display_name          = var.custom_geo_definitions[count.index]
  management_group_name = data.azurerm_management_group.parent-mg.name
}

resource "azurerm_policy_set_definition" "custom_geo_policy_set" {
  name         = "custom_geo_policy_set"
  policy_type  = "Custom"
  display_name = "Custom Geo-Location Governance"
  description  = "Contains common Geo-Location Governance policies"

  metadata = <<METADATA
    {
      "category": "${var.policyset_definition_category}"
    }
METADATA

  // One reference per definition in the list (the original only referenced index 0)
  dynamic "policy_definition_reference" {
    for_each = data.azurerm_policy_definition.custom_geo_definitions
    content {
      policy_definition_id = policy_definition_reference.value.id
    }
  }
}
```

I don't want to define the policy separately as shown above.

I want to define the policy inside the azurerm_policy_set_definition itself. Is that feasible? In general, which approach is used?

1 answer

Stack Overflow user

Accepted answer

Posted on 2022-10-19 12:45:22

I tried declaring the policy definition directly inside azurerm_policy_set_definition.

```hcl
resource "azurerm_policy_set_definition" "example" {
  name         = "katestPolicySet"
  policy_type  = "Custom"
  display_name = "Test Policy Set"

  parameters = <<PARAMETERS
    {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed locations for resources.",
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [ "westus2" ],
        "allowedValues": [
          "eastus2",
          "westus2",
          "westus"
        ]
      }
    }
PARAMETERS

  policy_definition_reference {
    name                = "only-deploy-in-eastus"
    policy_type         = "Custom"
    mode                = "All"
    display_name        = "only-deploy-in-eastus"
    management_group_id = azurerm_management_group.example.id
    policy_rule = <<POLICY_RULE
      {
        "if": {
          "not": {
            "field": "location",
            "equals": "eastus"
          }
        },
        "then": {
          "effect": "Deny"
        }
      }
POLICY_RULE
  }

  ....

}
```

But this results in errors such as "Unsupported argument" and "Missing required argument":

```text
Error: Unsupported argument
│
│   policy_rule = <<POLICY_RULE
│
│ An argument named "policy_rule" is not expected here.

Error: Missing required argument
│
│   on main.tf line 64, in resource "azurerm_policy_set_definition" "example":
│   64:   policy_definition_reference {
│
│ The argument "policy_definition_id" is required, but no definition was found.
```

In general, in the azurerm_policy_set_definition block the policy definition id is one of the arguments that has to be declared, and for that it needs an azurerm_policy_definition resource.

```hcl
resource "azurerm_management_group" "example" {
  display_name = "xManagement Group"
}

resource "azurerm_policy_definition" "policy" {
  name                = "onlydeployineastus"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "onlydeployineastus"
  management_group_id = azurerm_management_group.example.id

  metadata = <<METADATA
    {
      "category": "General"
    }
METADATA

  // Audit any resource whose location is not in the allowedLocations parameter
  policy_rule = <<POLICY_RULE
    {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "audit"
      }
    }
POLICY_RULE

  parameters = <<PARAMETERS
    {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed locations for resources.",
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [ "westus2" ],
        "allowedValues": [
          "eastus2",
          "westus2",
          "westus"
        ]
      }
    }
PARAMETERS
}

resource "azurerm_policy_set_definition" "example" {
  name         = "katestPolicySet"
  policy_type  = "Custom"
  display_name = "Test Policy Set"
  // Keep the set at the same scope as the definition it references
  management_group_id = azurerm_management_group.example.id

  // The set declares its own allowedLocations parameter so that
  // [parameters('allowedLocations')] in the reference below resolves
  parameters = <<PARAMETERS
    {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed locations for resources.",
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [ "westus2" ],
        "allowedValues": [
          "eastus2",
          "westus2",
          "westus"
        ]
      }
    }
PARAMETERS

  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.policy.id

    // The key must match the definition's parameter name (allowedLocations)
    parameter_values = <<VALUE
    {
      "allowedLocations": {"value": "[parameters('allowedLocations')]"}
    }
VALUE
  }
}
```

Reference: azurerm_policy_set_definition resource, hashicorp/azurerm, Terraform Registry

Votes: 1
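The general pattern the answer points to (separate azurerm_policy_definition resources feeding one azurerm_policy_set_definition) can be driven from a single map so that nothing is written twice, and the set only enforces anything once it is assigned. The block below is an added example, not code from the question or the answer: the management group name "corp-root", the two policy rules, the shared allowedLocations/effect parameters and the region list in the assignment are all assumptions for illustration.

```hcl
# Added example, not from the original post. Assumptions: a management group
# named "corp-root", the two rules below, and the regions set in the assignment.

locals {
  # Parameters shared by every definition; re-declared on the set so the
  # assignment can set them once for all members.
  geo_parameters = {
    allowedLocations = {
      type     = "Array"
      metadata = { displayName = "Allowed locations", strongType = "location" }
    }
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Deny"]
      defaultValue  = "Audit"
    }
  }

  # One entry per custom definition; the key becomes the definition name and
  # the reference_id inside the set. Keys are quoted because they mirror JSON.
  geo_policies = {
    allowed-locations = {
      display_name = "Resources must be deployed to an allowed location"
      rule = {
        "if"   = { "not" = { "field" = "location", "in" = "[parameters('allowedLocations')]" } }
        "then" = { "effect" = "[parameters('effect')]" }
      }
    }
    rg-allowed-locations = {
      display_name = "Resource groups must be created in an allowed location"
      rule = {
        "if" = {
          "allOf" = [
            { "field" = "type", "equals" = "Microsoft.Resources/subscriptions/resourceGroups" },
            { "field" = "location", "notIn" = "[parameters('allowedLocations')]" }
          ]
        }
        "then" = { "effect" = "[parameters('effect')]" }
      }
    }
  }
}

data "azurerm_management_group" "root" {
  name = "corp-root" # assumed management group name
}

# The definitions still exist as their own resources (the provider needs a
# policy_definition_id for each reference), but they are generated from the map.
resource "azurerm_policy_definition" "geo" {
  for_each            = local.geo_policies
  name                = each.key
  display_name        = each.value.display_name
  policy_type         = "Custom"
  mode                = "All"
  management_group_id = data.azurerm_management_group.root.id
  policy_rule         = jsonencode(each.value.rule)
  parameters          = jsonencode(local.geo_parameters)
}

resource "azurerm_policy_set_definition" "geo" {
  name                = "geo-governance"
  display_name        = "Geo-location governance"
  policy_type         = "Custom"
  management_group_id = data.azurerm_management_group.root.id
  parameters          = jsonencode(local.geo_parameters)

  # One reference per definition. The keys in parameter_values must match the
  # definition's parameter names exactly; each is wired to the set-level parameter.
  dynamic "policy_definition_reference" {
    for_each = azurerm_policy_definition.geo
    content {
      reference_id         = policy_definition_reference.key
      policy_definition_id = policy_definition_reference.value.id
      parameter_values = jsonencode({
        allowedLocations = { value = "[parameters('allowedLocations')]" }
        effect           = { value = "[parameters('effect')]" }
      })
    }
  }
}

# A set that is never assigned enforces nothing. Assign it at the management
# group and pick the real values here: Audit first to see what would be blocked,
# then switch the same assignment to Deny.
resource "azurerm_management_group_policy_assignment" "geo" {
  name                 = "geo-governance"
  management_group_id  = data.azurerm_management_group.root.id
  policy_definition_id = azurerm_policy_set_definition.geo.id
  enforce              = true
  parameters = jsonencode({
    allowedLocations = { value = ["eastus", "eastus2"] }
    effect           = { value = "Deny" }
  })
}
```

Using jsonencode on HCL objects instead of heredoc JSON also removes the two failure modes visible in the answer's own snippets: an unterminated heredoc marker swallowing the next argument, and a parameter name in parameter_values that does not match the definition.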
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/74113636