您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

使用 ARM 模板进行订阅部署Subscription deployments with ARM templates

若要简化资源管理,可以使用 Azure 资源管理器模板(ARM 模板)在 Azure 订阅级别部署资源。To simplify the management of resources, you can use an Azure Resource Manager template (ARM template) to deploy resources at the level of your Azure subscription. 例如,可以将策略Azure 基于角色的访问控制 (Azure RBAC) 部署到你的订阅中,从而将它们应用于整个订阅。For example, you can deploy policies and Azure role-based access control (Azure RBAC) to your subscription, which applies them across your subscription. 还可以在订阅中创建资源组,然后将资源部署到订阅中的资源组。You can also create resource groups within the subscription and deploy resources to resource groups in the subscription.

备注

可在订阅级别部署中部署到 800 个不同的资源组。You can deploy to 800 different resource groups in a subscription level deployment.

若要在订阅级别部署模板,请使用 Azure CLI、PowerShell、REST API 或门户。To deploy templates at the subscription level, use Azure CLI, PowerShell, REST API, or the portal.

支持的资源Supported resources

并非所有资源类型都可以部署到订阅级别。Not all resource types can be deployed to the subscription level. 本部分列出了支持的资源类型。This section lists which resource types are supported.

对于 Azure 蓝图,请使用:For Azure Blueprints, use:

对于 Azure 策略,请使用:For Azure Policies, use:

对于 Azure 基于角色的访问控制 (Azure RBAC),请使用:For Azure role-based access control (Azure RBAC), use:

对于部署到资源组的嵌套模板,请使用:For nested templates that deploy to resource groups, use:

若要创建新的资源组,请使用:For creating new resource groups, use:

若要管理订阅,请使用:For managing your subscription, use:

其他支持的类型包括:Other supported types include:

架构Schema

用于订阅级别部署的架构不同于资源组部署的架构。The schema you use for subscription-level deployments is different than the schema for resource group deployments.

对于模板,请使用:For templates, use:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    ...
}

对于所有部署范围,参数文件的架构都相同。The schema for a parameter file is the same for all deployment scopes. 对于参数文件,请使用:For parameter files, use:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    ...
}

部署命令Deployment commands

若要部署到订阅,请使用订阅级别部署命名。To deploy to a subscription, use the subscription-level deployment commands.

对于 Azure CLI,请使用 az deployment sub createFor Azure CLI, use az deployment sub create. 以下示例会部署一个模板来创建资源组:The following example deploys a template to create a resource group:

az deployment sub create \
  --name demoSubDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/emptyRG.json" \
  --parameters rgName=demoResourceGroup rgLocation=centralus

有关部署命令和部署 ARM 模板的选项的更多详细信息,请参阅:For more detailed information about deployment commands and options for deploying ARM templates, see:

部署位置和名称Deployment location and name

对于订阅级别部署,必须为部署提供位置。For subscription level deployments, you must provide a location for the deployment. 部署位置独立于部署的资源的位置。The location of the deployment is separate from the location of the resources you deploy. 部署位置指定何处存储部署数据。The deployment location specifies where to store deployment data. 管理组租户部署也需要位置。Management group and tenant deployments also require a location. 对于资源组部署,资源组的位置用于存储部署数据。For resource group deployments, the location of the resource group is used to store the deployment data.

可以为部署提供一个名称,也可以使用默认部署名称。You can provide a name for the deployment, or use the default deployment name. 默认名称是模板文件的名称。The default name is the name of the template file. 例如,部署一个名为 azuredeploy.json 的模板将创建默认部署名称 azuredeployFor example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.

每个部署名称的位置不可变。For each deployment name, the location is immutable. 当某个位置中已有某个部署时,无法在另一位置创建同名的部署。You can't create a deployment in one location when there's an existing deployment with the same name in a different location. 例如,如果在 centralus 中创建名为 deployment1 的订阅部署,则以后无法使用 deployment1 的位置创建另一个名为的 部署。For example, if you create a subscription deployment with the name deployment1 in centralus, you can't later create another deployment with the name deployment1 but a location of westus. 如果出现错误代码 InvalidDeploymentLocation,请使用其他名称或使用与该名称的以前部署相同的位置。If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.

部署范围Deployment scopes

部署到订阅时,可以将资源部署到:When deploying to a subscription, you can deploy resources to:

  • 操作中的目标订阅the target subscription from the operation
  • 租户中的任何订阅any subscription in the tenant
  • 该订阅或其他订阅中的资源组resource groups within the subscription or other subscriptions
  • 订阅的租户the tenant for the subscription

扩展资源的作用域可以是与部署目标不同的目标。An extension resource can be scoped to a target that is different than the deployment target.

部署模板的用户必须有权访问指定的作用域。The user deploying the template must have access to the specified scope.

本部分演示如何指定不同范围。This section shows how to specify different scopes. 可以在单个模板中组合这些不同范围。You can combine these different scopes in a single template.

将范围限制为目标订阅Scope to target subscription

若要将资源部署到目标订阅,请将这些资源添加到模板的资源部分。To deploy resources to the target subscription, add those resources to the resources section of the template.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        subscription-level-resources
    ],
    "outputs": {}
}

有关部署到订阅的示例,请参阅创建资源组分配策略定义For examples of deploying to the subscription, see Create resource groups and Assign policy definition.

将范围限制为其他订阅Scope to other subscription

若要将资源部署到与操作中的订阅不同的订阅,请添加嵌套部署。To deploy resources to a subscription that is different than the subscription from the operation, add a nested deployment. subscriptionId 属性设置为要部署到的订阅的 ID。Set the subscriptionId property to the ID of the subscription you want to deploy to. 为嵌套部署设置 location 属性。Set the location property for the nested deployment.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedDeployment",
            "subscriptionId": "00000000-0000-0000-0000-000000000000",
            "location": "westus",
            "properties": {
                "mode": "Incremental",
                "template": {
                    subscription-resources
                }
            }
        }
    ],
    "outputs": {}
}

将范围限定于资源组Scope to resource group

若要将资源部署到订阅中的资源组,请添加嵌套部署并包括 resourceGroup 属性。To deploy resources to a resource group within the subscription, add a nested deployment and include the resourceGroup property. 在以下示例中,嵌套部署以名为 demoResourceGroup 的资源组为目标。In the following example, the nested deployment targets a resource group named demoResourceGroup.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedDeployment",
            "resourceGroup": "demoResourceGroup",
            "properties": {
                "mode": "Incremental",
                "template": {
                    resource-group-resources
                }
            }
        }
    ],
    "outputs": {}
}

有关部署到资源组的示例,请参阅创建资源组和资源For an example of deploying to a resource group, see Create resource group and resources.

将范围设定为租户Scope to tenant

可通过将 scope 设置为 /,在租户中创建资源。You can create resources at the tenant by setting the scope set to /. 部署模板的用户必须具有在租户中进行部署所需的访问权限The user deploying the template must have the required access to deploy at the tenant.

可使用设置了 scopelocation 的嵌套部署。You can use a nested deployment with scope and location set.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedDeployment",
            "location": "centralus",
            "scope": "/",
            "properties": {
                "mode": "Incremental",
                "template": {
                    tenant-resources
                }
            }
        }
    ],
    "outputs": {}
}

或者,可将某些资源类型(如管理组)的范围设置为 /Or, you can set the scope to / for some resource types, like management groups.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mgName": {
            "type": "string",
            "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Management/managementGroups",
            "apiVersion": "2020-05-01",
            "name": "[parameters('mgName')]",
            "scope": "/",
            "location": "eastus",
            "properties": {}
        }
    ],
    "outputs": {
        "output": {
            "type": "string",
            "value": "[parameters('mgName')]"
        }
    }
}

有关详细信息,请参阅 管理组For more information, see Management group.

资源组Resource groups

创建资源组Create resource groups

若要在 ARM 模板中创建资源组,请使用资源组的名称和位置定义一个 resourceGroups/ 资源组。To create a resource group in an ARM template, define a Microsoft.Resources/resourceGroups resource with a name and location for the resource group.

以下模板创建空资源组。The following template creates an empty resource group.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2020-06-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "properties": {}
    }
  ],
  "outputs": {}
}

结合使用 copy 元素与资源组来创建多个资源组。Use the copy element with resource groups to create more than one resource group.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgNamePrefix": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    },
    "instanceCount": {
      "type": "int"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2020-06-01",
      "location": "[parameters('rgLocation')]",
      "name": "[concat(parameters('rgNamePrefix'), copyIndex())]",
      "copy": {
        "name": "rgCopy",
        "count": "[parameters('instanceCount')]"
      },
      "properties": {}
    }
  ],
  "outputs": {}
}

有关资源迭代的信息,请参阅在 Azure 资源管理器模板中部署资源的多个实例,以及教程:使用资源管理器模板创建多个资源实例For information about resource iteration, see Deploy more than one instance of a resource in Azure Resource Manager Templates, and Tutorial: Create multiple resource instances with Resource Manager templates.

创建资源组和资源Create resource group and resources

若要创建资源组并向其部署资源,请使用嵌套模板。To create the resource group and deploy resources to it, use a nested template. 嵌套模板定义要部署到资源组的资源。The nested template defines the resources to deploy to the resource group. 将嵌套模板设置为依赖于资源组,确保资源组存在,然后再部署资源。Set the nested template as dependent on the resource group to make sure the resource group exists before deploying the resources. 最多可部署到 800 个资源组。You can deploy to up to 800 resource groups.

以下示例将创建一个资源组,并向该资源组部署存储帐户。The following example creates a resource group, and deploys a storage account to the resource group.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    },
    "storagePrefix": {
      "type": "string",
      "maxLength": 11
    }
  },
  "variables": {
    "storageName": "[concat(parameters('storagePrefix'), uniqueString(subscription().id, parameters('rgName')))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2020-06-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "storageDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2019-06-01",
              "name": "[variables('storageName')]",
              "location": "[parameters('rgLocation')]",
              "sku": {
                "name": "Standard_LRS"
              },
              "kind": "StorageV2"
            }
          ],
          "outputs": {}
        }
      }
    }
  ],
  "outputs": {}
}

Azure PolicyAzure Policy

分配策略定义Assign policy definition

以下示例将现有的策略定义分配到订阅。The following example assigns an existing policy definition to the subscription. 如果策略定义使用参数,请将参数作为对象提供。If the policy definition takes parameters, provide them as an object. 如果策略定义不使用参数,请使用默认的空对象。If the policy definition doesn't take parameters, use the default empty object.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionID": {
      "type": "string"
    },
    "policyName": {
      "type": "string"
    },
    "policyParameters": {
      "type": "object",
      "defaultValue": {}
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2018-03-01",
      "name": "[parameters('policyName')]",
      "properties": {
        "scope": "[subscription().id]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]",
        "parameters": "[parameters('policyParameters')]"
      }
    }
  ]
}

若要使用 Azure CLI 部署此模板,请使用:To deploy this template with Azure CLI, use:

# Built-in policy definition that accepts parameters
definition=$(az policy definition list --query "[?displayName=='Allowed locations'].id" --output tsv)

az deployment sub create \
  --name demoDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policyassign.json" \
  --parameters policyDefinitionID=$definition policyName=setLocation policyParameters="{'listOfAllowedLocations': {'value': ['westus']} }"

若要使用 PowerShell 部署此模板,请使用:To deploy this template with PowerShell, use:

$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }

$locations = @("westus", "westus2")
$policyParams =@{listOfAllowedLocations = @{ value = $locations}}

New-AzSubscriptionDeployment `
  -Name policyassign `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policyassign.json" `
  -policyDefinitionID $definition.PolicyDefinitionId `
  -policyName setLocation `
  -policyParameters $policyParams

创建和分配策略定义Create and assign policy definitions

可在同一模板中定义和分配策略定义。You can define and assign a policy definition in the same template.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2018-05-01",
      "name": "locationpolicy",
      "properties": {
        "policyType": "Custom",
        "parameters": {},
        "policyRule": {
          "if": {
            "field": "location",
            "equals": "northeurope"
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2018-05-01",
      "name": "location-lock",
      "dependsOn": [
        "locationpolicy"
      ],
      "properties": {
        "scope": "[subscription().id]",
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'locationpolicy')]"
      }
    }
  ]
}

若要在订阅中创建策略定义,然后将其分配到订阅,请使用以下 CLI 命令:To create the policy definition in your subscription, and assign it to the subscription, use the following CLI command:

az deployment sub create \
  --name demoDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policydefineandassign.json"

若要使用 PowerShell 部署此模板,请使用:To deploy this template with PowerShell, use:

New-AzSubscriptionDeployment `
  -Name definePolicy `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policydefineandassign.json"

Azure 蓝图Azure Blueprints

创建蓝图定义Create blueprint definition

可通过模板创建蓝图定义。You can create a blueprint definition from a template.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "blueprintName": {
      "defaultValue": "sample-blueprint",
      "type": "String",
      "metadata": {
        "description": "The name of the blueprint definition."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Blueprint/blueprints",
      "apiVersion": "2018-11-01-preview",
      "name": "[parameters('blueprintName')]",
      "properties": {
        "targetScope": "subscription",
        "description": "Blueprint with a policy assignment artifact.",
        "resourceGroups": {
          "sampleRg": {
            "description": "Resource group to add the assignment to."
          }
        },
        "parameters": {
          "listOfResourceTypesNotAllowed": {
            "type": "array",
            "metadata": {
              "displayName": "Resource types to pass to the policy assignment artifact."
            },
            "defaultValue": [
              "Citrix.Cloud/accounts"
            ]
          }
        }
      }
    },
    {
      "type": "Microsoft.Blueprint/blueprints/artifacts",
      "apiVersion": "2018-11-01-preview",
      "name": "[concat(parameters('blueprintName'), '/policyArtifact')]",
      "kind": "policyAssignment",
      "dependsOn": [
        "[parameters('blueprintName')]"
      ],
      "properties": {
        "displayName": "Blocked Resource Types policy definition",
        "description": "Block certain resource types",
        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', '6c112d4e-5bc7-47ae-a041-ea2d9dccd749')]",
        "resourceGroup": "sampleRg",
        "parameters": {
          "listOfResourceTypesNotAllowed": {
            "value": "[[parameters('listOfResourceTypesNotAllowed')]"
          }
        }
      }
    }
  ]
}

若要在订阅中创建蓝图定义,请使用以下 CLI 命令:To create the blueprint definition in your subscription, use the following CLI command:

az deployment sub create \
  --name demoDeployment \
  --location centralus \
  --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/subscription-deployments/blueprints-new-blueprint/azuredeploy.json"

若要使用 PowerShell 部署此模板,请使用:To deploy this template with PowerShell, use:

New-AzSubscriptionDeployment `
  -Name demoDeployment `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/subscription-deployments/blueprints-new-blueprint/azuredeploy.json"

访问控制Access control

若要了解如何分配角色,请参阅使用 Azure 资源管理器模板添加 Azure 角色分配To learn about assigning roles, see Add Azure role assignments using Azure Resource Manager templates.

以下示例创建一个资源组,对其应用锁定,并为主体分配一个角色。The following example creates a resource group, applies a lock to it, and assigns a role to a principal.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string",
      "metadata": {
        "description": "Name of the resourceGroup to create"
      }
    },
    "rgLocation": {
      "type": "string",
      "metadata": {
        "description": "Location for the resourceGroup"
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "principalId of the user that will be given contributor access to the resourceGroup"
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "metadata": {
        "description": "roleDefinition to apply to the resourceGroup - default is contributor"
      }
    },
    "roleAssignmentName": {
      "type": "string",
      "defaultValue": "[guid(parameters('principalId'), parameters('roleDefinitionId'), parameters('rgName'))]",
      "metadata": {
        "description": "Unique name for the roleAssignment in the format of a guid"
      }
    }
  },
  "variables": { },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "tags": {
        "Note": "subscription level deployment"
      },
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "applyLock",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[parameters('rgName')]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Authorization/locks",
              "apiVersion": "2017-04-01",
              "name": "DontDelete",
              "properties": {
                "level": "CanNotDelete",
                "notes": "Prevent deletion of the resourceGroup"
              }
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2020-04-01-preview",
              "name": "[guid(parameters('roleAssignmentName'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
                "principalId": "[parameters('principalId')]",
                "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('rgName'))]"
              }
            }
          ]
        }
      }
    }
  ]
}

后续步骤Next steps