下列範例會取得 [部署 SQL DB 透明資料加密] 內建原則的定義、設定目標資源群組,然後使用系統指派的受控識別建立指派。
# Login first with Connect-AzAccount if not using Cloud Shell
# Get the built-in "Deploy SQL DB transparent data encryption" policy definition
$policyDef = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
# Get the reference to the resource group
$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'
# Create the assignment using the -Location and -Identity properties
$assignment = New-AzPolicyAssignment -Name 'sqlDbTDE' -DisplayName 'Deploy SQL DB transparent data encryption' -Scope $resourceGroup.ResourceId -PolicyDefinition $policyDef -Location 'westus' -IdentityType "SystemAssigned"
下列範例會取得 [部署 SQL DB 透明資料加密] 內建原則的定義、設定目標資源群組,然後使用使用者指派的受控識別建立指派。
# Login first with Connect-AzAccount if not using Cloud Shell
# Get the built-in "Deploy SQL DB transparent data encryption" policy definition
$policyDef = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
# Get the reference to the resource group
$resourceGroup = Get-AzResourceGroup -Name 'MyResourceGroup'
# Get the existing user assigned managed identity ID
$userassignedidentity = Get-AzUserAssignedIdentity -ResourceGroupName $rgname -Name $userassignedidentityname
$userassignedidentityid = $userassignedidentity.Id
# Create the assignment using the -Location and -Identity properties
$assignment = New-AzPolicyAssignment -Name 'sqlDbTDE' -DisplayName 'Deploy SQL DB transparent data encryption' -Scope $resourceGroup.ResourceId -PolicyDefinition $policyDef -Location 'westus' -IdentityType "UserAssigned" -IdentityId $userassignedidentityid
###################################################
# Grant roles to managed identity at policy scope #
###################################################
# Use the $policyDef to get to the roleDefinitionIds array
$roleDefinitionIds = $policyDef.Properties.policyRule.then.details.roleDefinitionIds
if ($roleDefinitionIds.Count -gt 0)
{
$roleDefinitionIds | ForEach-Object {
$roleDefId = $_.Split("/") | Select-Object -Last 1
New-AzRoleAssignment -Scope $resourceGroup.ResourceId -ObjectId $assignment.Identity.PrincipalId
-RoleDefinitionId $roleDefId
}
}
#######################################################
# Grant roles to managed identity at initiative scope #
#######################################################
#If the policy had no managed identity in its logic, then no impact. If there is a managed identity
used for enforcement, replicate it on the new assignment.
$getNewInitiativeAssignment = Get-AzPolicyAssignment -Name $newInitiativeDefinition.Name
#Create an array to store role definition's IDs used by policies inside the initiative.
$InitiativeRoleDefinitionIds = @();
#Loop through the policy definitions inside the initiative and gather their role definition IDs
foreach ($policyDefinitionIdInsideInitiative in $InitiativeDefinition.Properties.PolicyDefinitions.policyDefinitionId) {
$policyDef = Get-AzPolicyDefinition -Id $policyDefinitionIdInsideInitiative
$roleDefinitionIds = $policyDef.Properties.PolicyRule.then.details.roleDefinitionIds
$InitiativeRoleDefinitionIds += $roleDefinitionIds
}
#Create the role assignments used by the initiative assignment at the subscription scope.
if ($InitiativeRoleDefinitionIds.Count -gt 0) {
$InitiativeRoleDefinitionIds | Sort-Object -Unique | ForEach-Object {
$roleDefId = $_.Split("/") | Select-Object -Last 1
New-AzRoleAssignment -Scope "/subscriptions/$($subscription)" -ObjectId $getNewInitiativeAssignment.Identity.PrincipalId
-RoleDefinitionId $roleDefId
}
}
新的受控識別必須透過 Microsoft Entra ID 完成複寫,才能獲得所需的角色。 復寫完成後,原則定義 roleDefinitionIds 中指定的角色應該授與受控識別。
# Login first with Connect-AzAccount if not using Cloud Shell
# Create a remediation for a specific assignment
Start-AzPolicyRemediation -Name 'myRemediation' -PolicyAssignmentId '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{myAssignmentId}'
# Login first with az login if not using Cloud Shell
# Create a remediation for a specific assignment
az policy remediation create --name myRemediation --policy-assignment '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{myAssignmentId}'