
Understand resource locking in Azure Blueprints

The creation of consistent environments at scale is only truly valuable if there's a mechanism to maintain that consistency. This article explains how resource locking works in Azure Blueprints. To see an example of resource locking and the application of deny assignments, see the protecting new resources tutorial.

Locking modes and states

Locking Mode applies to the blueprint assignment and has three options: Don't Lock, Read Only, or Do Not Delete. The locking mode is configured during artifact deployment as part of a blueprint assignment. A different locking mode can be set by updating the blueprint assignment. Locking modes, however, can't be changed outside of Blueprints.

Resources created by artifacts in a blueprint assignment have four states: Not Locked, Read Only, Cannot Edit / Delete, or Cannot Delete. Each artifact type can be in the Not Locked state. The following table can be used to determine the state of a resource:

| Mode | Artifact Resource Type | State | Description |
|---|---|---|---|
| Don't Lock | * | Not Locked | Resources aren't protected by Blueprints. This state is also used for resources added to a Read Only or Do Not Delete resource group artifact from outside a blueprint assignment. |
| Read Only | Resource group | Cannot Edit / Delete | The resource group is read only, and tags on the resource group can't be modified. Not Locked resources can be added, moved, changed, or deleted from this resource group. |
| Read Only | Non-resource group | Read Only | The resource can't be altered in any way: no changes, and it can't be deleted. |
| Do Not Delete | * | Cannot Delete | The resources can be altered but can't be deleted. Not Locked resources can be added, moved, changed, or deleted from this resource group. |

Overriding locking states

Normally, someone with appropriate role-based access control (RBAC) on the subscription, such as the Owner role, can alter or delete any resource. That isn't the case when Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource.

This security measure protects the consistency of the defined blueprint, and of the environment it was designed to create, from accidental or programmatic deletion or alteration.

Removing locking states

If it becomes necessary to modify or delete a resource protected by an assignment, there are two ways to do so:

  • Update the blueprint assignment to a locking mode of Don't Lock
  • Delete the blueprint assignment

When the assignment is removed, the locks created by Blueprints are removed. However, the resources are left in place and would need to be deleted through normal means.

How blueprint locks work

An RBAC deny assignment is applied to the artifact resources during assignment of a blueprint if the assignment selected the Read Only or Do Not Delete option. The deny assignment is added by the managed identity of the blueprint assignment and can only be removed from the artifact resources by that same managed identity. This security measure enforces the locking mechanism and prevents the blueprint lock from being removed outside Blueprints.

[Screenshot: a Blueprints deny assignment shown on a resource group]

The deny assignment properties for each mode are as follows:

| Mode | Permissions.Actions | Permissions.NotActions | Principals[i].Type | ExcludePrincipals[i].Id | DoNotApplyToChildScopes |
|---|---|---|---|---|---|
| Read Only | * | */read | SystemDefined (Everyone) | blueprint assignment and user-defined in excludedPrincipals | Resource group: true; Resource: false |
| Do Not Delete | */delete | (none) | SystemDefined (Everyone) | blueprint assignment and user-defined in excludedPrincipals | Resource group: true; Resource: false |

Important

Azure Resource Manager caches role assignment details for up to 30 minutes. As a result, the deny assignments on blueprint resources may not be in full effect immediately. During this period, it might be possible to delete a resource that's intended to be protected by blueprint locks. Before relying on a newly assigned lock, confirm that the deny assignment is visible on the resource.
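To make the table above concrete, the following added example (not Microsoft's code) models how Azure Resource Manager evaluates the deny assignments Blueprints creates: a matching deny assignment blocks the action regardless of the caller's role assignments, NotActions carve holes out of Actions, principals listed in ExcludePrincipals are never denied, and DoNotApplyToChildScopes decides whether a deny on the resource group reaches resources added later. The scopes, principal IDs and action names are constructed for the example, and the assignment-identity behaviour is modelled only as far as the page states it.

```python
"""Model of the deny assignments that Blueprints creates (added example, not Microsoft code).

It covers the fields in the table above (Actions, NotActions, Principals,
ExcludePrincipals, DoNotApplyToChildScopes). Scopes and principal IDs are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

EVERYONE = "SystemDefined (Everyone)"  # Principals[i].Type used by Blueprints: applies to all


@dataclass
class DenyAssignment:
    scope: str
    actions: list
    not_actions: list = field(default_factory=list)
    exclude_principals: list = field(default_factory=list)
    do_not_apply_to_child_scopes: bool = False
    principal_type: str = EVERYONE


def _matches(pattern: str, action: str) -> bool:
    # RBAC action strings are case-insensitive and '*' spans '/' separators
    return fnmatchcase(action.lower(), pattern.lower())


def applies_to_scope(da: DenyAssignment, target: str) -> bool:
    """The assignment covers its own scope and, unless flagged off, child scopes."""
    scope, target = da.scope.lower(), target.lower()
    if target == scope:
        return True
    return target.startswith(scope + "/") and not da.do_not_apply_to_child_scopes


def is_denied(assignments, principal_id: str, action: str, target: str) -> bool:
    """True if any deny assignment blocks `action` for `principal_id` at `target`."""
    for da in assignments:
        if not applies_to_scope(da, target):
            continue
        if principal_id.lower() in (p.lower() for p in da.exclude_principals):
            continue  # excluded principals (incl. the assignment's identity) are never denied
        if any(_matches(na, action) for na in da.not_actions):
            continue  # NotActions are carved out of Actions
        if any(_matches(a, action) for a in da.actions):
            return True
    return False


def blueprint_locks(mode, rg_scope, resource_scopes, assignment_identity, extra_excluded=()):
    """Build the deny assignments from the table for one lock mode.

    `mode` takes the REST API values: None, AllResourcesReadOnly, AllResourcesDoNotDelete.
    """
    if mode == "None":
        return []
    if mode == "AllResourcesReadOnly":
        actions, not_actions = ["*"], ["*/read"]
    elif mode == "AllResourcesDoNotDelete":
        actions, not_actions = ["*/delete"], []
    else:
        raise ValueError(f"unknown lock mode {mode!r}")
    excluded = [assignment_identity, *extra_excluded]
    # Resource group: DoNotApplyToChildScopes=true, so resources added later stay Not Locked
    locks = [DenyAssignment(rg_scope, actions, not_actions, excluded, True)]
    # Artifact resources: DoNotApplyToChildScopes=false, so their sub-resources are covered
    locks += [DenyAssignment(s, actions, not_actions, excluded, False) for s in resource_scopes]
    return locks


# Constructed scenario: one storage account deployed by the blueprint, one VM added afterwards
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/defaultRG"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stblueprint001"
LATER_VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-added-later"
ASSIGNMENT_MI = "aaaaaaaa-0000-0000-0000-000000000001"  # assignment's managed identity (made up)
OWNER = "bbbbbbbb-0000-0000-0000-000000000002"          # a subscription Owner (made up)
BREAK_GLASS = "cccccccc-0000-0000-0000-000000000003"    # listed in excludedPrincipals (made up)

if __name__ == "__main__":
    dnd = blueprint_locks("AllResourcesDoNotDelete", RG, [STORAGE], ASSIGNMENT_MI, [BREAK_GLASS])
    ro = blueprint_locks("AllResourcesReadOnly", RG, [STORAGE], ASSIGNMENT_MI)
    checks = [
        ("DoNotDelete: Owner deletes artifact storage", dnd, OWNER,
         "Microsoft.Storage/storageAccounts/delete", STORAGE),
        ("DoNotDelete: Owner updates artifact storage", dnd, OWNER,
         "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("DoNotDelete: Owner deletes VM added later", dnd, OWNER,
         "Microsoft.Compute/virtualMachines/delete", LATER_VM),
        ("DoNotDelete: excluded principal deletes storage", dnd, BREAK_GLASS,
         "Microsoft.Storage/storageAccounts/delete", STORAGE),
        ("ReadOnly: Owner reads artifact storage", ro, OWNER,
         "Microsoft.Storage/storageAccounts/read", STORAGE),
        ("ReadOnly: Owner edits resource group tags", ro, OWNER,
         "Microsoft.Resources/tags/write", RG),
    ]
    for name, locks, who, action, scope in checks:
        print(f"{'DENIED ' if is_denied(locks, who, action, scope) else 'allowed'}  {name}")
```

The two points worth taking from the run are that a subscription Owner is denied the delete on the artifact storage account but not on the VM added later (the resource group deny has DoNotApplyToChildScopes set), and that the assignment's identity and any excludedPrincipals entry pass straight through.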

Exclude a principal from a deny assignment

In some design or security scenarios, it may be necessary to exclude a principal from the deny assignment that the blueprint assignment creates. This is done through the REST API by adding up to five values to the excludedPrincipals array in the locks property when creating the assignment. The locks.mode values accepted by the API are None, AllResourcesReadOnly, and AllResourcesDoNotDelete, corresponding to Don't Lock, Read Only, and Do Not Delete. The following request body includes excludedPrincipals:

{
  "identity": {
    "type": "SystemAssigned"
  },
  "location": "eastus",
  "properties": {
    "description": "enforce pre-defined simpleBlueprint to this XXXXXXXX subscription.",
    "blueprintId": "/providers/Microsoft.Management/managementGroups/{mgId}/providers/Microsoft.Blueprint/blueprints/simpleBlueprint",
    "locks": {
        "mode": "AllResourcesDoNotDelete",
        "excludedPrincipals": [
            "7be2f100-3af5-4c15-bcb7-27ee43784a1f",
            "38833b56-194d-420b-90ce-cff578296714"
        ]
    },
    "parameters": {
      "storageAccountType": {
        "value": "Standard_LRS"
      },
      "costCenter": {
        "value": "Contoso/Online/Shopping/Production"
      },
      "owners": {
        "value": [
          "johnDoe@contoso.com",
          "johnsteam@contoso.com"
        ]
      }
    },
    "resourceGroups": {
      "storageRG": {
        "name": "defaultRG",
        "location": "eastus"
      }
    }
  }
}

Next steps