如何编写 Azure 策略,仅在满足这两个条件时才允许创建资源:
- 该资源已分配有“所有者”标签
- “所有者”标签的值是有效的电子邮件地址格式
编辑:我只会进行简单的电子邮件地址验证,因为它应该只是提醒我公司的人员使用他们的电子邮件地址而不是他们的全名。我并不想验证所有可能的电子邮件地址。
正则表达式可能看起来像这样:
[A-Z0-9a-z._-]+@[A-Za-z0-9.-]+\.[A-Za-z]+
最佳答案
有内置策略来强制执行标签及其值,您可以利用这些策略来自定义自己的标签及其值。如果您想添加标签,即使它不存在,您可以使用新的 Modify影响。这是一个example
{"properties": {
"displayName": "Add a tag to resources",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.",
"metadata": {
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[parameters('tagValue')]"
}
]
}
}
}
},"id": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "4f9dc7db-30c1-420c-b61a-e1d640128d26"
}
现在对于电子邮件地址,您可以尝试使用包含或不包含。信息here
关于Azure 策略 : Deny If Owner Tag Does Not Exist Or Isn't Email Address,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57077080/