Tutorial: Protect new resources with Azure Blueprints resource locks

With Azure Blueprints resource locks, you can protect newly deployed resources from being tampered with, even by an account with the Owner role. You can add this protection in the blueprint definition to resources created by a Resource Manager template artifact.

In this tutorial, you'll complete these steps:

  • Create a blueprint definition
  • Mark your blueprint definition as Published
  • Assign your blueprint definition to an existing subscription
  • Inspect the new resource group
  • Unassign the blueprint to remove the locks

Prerequisites

To complete this tutorial, you need an Azure subscription. If you don't have an Azure subscription, create a free account before you begin.

Create a blueprint definition

First, create the blueprint definition.

  1. Select All services in the left pane. Search for and select Blueprints.

  2. On the Getting started page on the left, select Create under Create a blueprint.

  3. Find the Blank Blueprint blueprint sample at the top of the page. Select Start with blank blueprint.

  4. Enter this information on the Basics tab:

    • Blueprint name: Provide a name for your copy of the blueprint sample. For this tutorial, we'll use the name locked-storageaccount.
    • Blueprint description: Add a description for the blueprint definition. Use For testing blueprint resource locking on deployed resources.
    • Definition location: Select the ellipsis button (...) and then select the management group or subscription to save your blueprint definition to.
  5. Select the Artifacts tab at the top of the page, or select Next: Artifacts at the bottom of the page.

  6. Add a resource group at the subscription level:

    1. Select the Add artifact row under Subscription.
    2. Select Resource Group under Artifact type.
    3. Set the Artifact display name to RGtoLock.
    4. Leave the Resource Group Name and Location boxes blank, but make sure the check box is selected on each property to make them dynamic parameters.
    5. Select Add to add the artifact to the blueprint.
  7. Add a template under the resource group:

    1. Select the Add artifact row under the RGtoLock entry.
    2. Select Azure Resource Manager template under Artifact type, set Artifact display name to StorageAccount, and leave Description blank.
    3. On the Template tab, paste the following Resource Manager template into the editor box. After you paste in the template, select Add to add the artifact to the blueprint.
    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "storageAccountType": {
                "type": "string",
                "defaultValue": "Standard_LRS",
                "allowedValues": [
                    "Standard_LRS",
                    "Standard_GRS",
                    "Standard_ZRS",
                    "Premium_LRS"
                ],
                "metadata": {
                    "description": "Storage Account type"
                }
            }
        },
        "variables": {
            "storageAccountName": "[concat('store', uniquestring(resourceGroup().id))]"
        },
        "resources": [{
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[variables('storageAccountName')]",
            "location": "[resourceGroup().location]",
            "apiVersion": "2018-07-01",
            "sku": {
                "name": "[parameters('storageAccountType')]"
            },
            "kind": "StorageV2",
            "properties": {}
        }],
        "outputs": {
            "storageAccountName": {
                "type": "string",
                "value": "[variables('storageAccountName')]"
            }
        }
    }
    
  8. Select Save Draft at the bottom of the page.

This step creates the blueprint definition in the selected management group or subscription.

After the Saving blueprint definition succeeded portal notification appears, go to the next step.

Publish the blueprint definition

Your blueprint definition has now been created in your environment. It's created in Draft mode and must be published before it can be assigned and deployed.

  1. Select All services in the left pane. Search for and select Blueprints.

  2. Select the Blueprint definitions page on the left. Use the filters to find the locked-storageaccount blueprint definition, and then select it.

  3. Select Publish blueprint at the top of the page. In the new pane on the right, enter 1.0 as the Version. This property is useful if you make a change later. Enter Change notes, such as First version published for locking blueprint deployed resources. Then select Publish at the bottom of the page.

This step makes it possible to assign the blueprint to a subscription. After the blueprint definition is published, you can still make changes. If you make changes, you need to publish the definition with a new version value to track differences between versions of the same blueprint definition.

After the Publishing blueprint definition succeeded portal notification appears, go to the next step.

Assign the blueprint definition

After the blueprint definition is published, you can assign it to a subscription within the management group where you saved it. In this step, you provide parameters to make each deployment of the blueprint definition unique.

  1. Select All services in the left pane. Search for and select Blueprints.

  2. Select the Blueprint definitions page on the left. Use the filters to find the locked-storageaccount blueprint definition, and then select it.

  3. Select Assign blueprint at the top of the blueprint definition page.

  4. Provide the parameter values for the blueprint assignment:

    • Basics

      • Subscriptions: Select one or more of the subscriptions that are in the management group where you saved your blueprint definition. If you select more than one subscription, an assignment will be created for each subscription, using the parameters you enter.
      • Assignment name: The name is pre-populated based on the name of the blueprint definition. We want this assignment to represent locking the new resource group, so change the assignment name to assignment-locked-storageaccount-TestingBPLocks.
      • Location: Select a region in which to create the managed identity. Azure Blueprints uses this managed identity to deploy all artifacts in the assigned blueprint. To learn more, see managed identities for Azure resources. For this tutorial, select East US 2.
      • Blueprint definition version: Select the published version 1.0 of the blueprint definition.
    • Lock Assignment

      Select the Read Only blueprint lock mode. For more information, see blueprints resource locking.

    • Managed Identity

      Use the default option: System assigned. For more information, see managed identities.

    • Artifact parameters

      The parameters defined in this section apply to the artifact under which they're defined. These parameters are dynamic parameters because they're defined during the assignment of the blueprint. For each artifact, set the parameter value to what you see in the Value column.

      Artifact name            Artifact type              Parameter name                       Value           Description
      RGtoLock resource group  Resource group             Name                                 TestingBPLocks  Defines the name of the new resource group to apply blueprint locks to.
      RGtoLock resource group  Resource group             Location                             West US 2       Defines the location of the new resource group to apply blueprint locks to.
      StorageAccount           Resource Manager template  storageAccountType (StorageAccount)  Standard_GRS    The storage SKU. The default value is Standard_LRS.
  5. After you've entered all parameters, select Assign at the bottom of the page.

This step deploys the defined resources and configures the selected Lock Assignment. It can take up to 30 minutes to apply blueprint locks.

After the Assigning blueprint definition succeeded portal notification appears, go to the next step.

Inspect resources deployed by the assignment

The assignment creates the resource group TestingBPLocks and the storage account deployed by the Resource Manager template artifact. The new resource group and the selected lock state are shown on the assignment details page.

  1. Select All services in the left pane. Search for and select Blueprints.

  2. Select the Assigned blueprints page on the left. Use the filters to find the assignment-locked-storageaccount-TestingBPLocks blueprint assignment, and then select it.

    From this page, we can see that the assignment succeeded and that the resources were deployed with the new blueprint lock state. If the assignment is updated, the Assignment operation drop-down shows details about the deployment of each definition version. You can select the resource group to open its property page.

  3. Select the TestingBPLocks resource group.

  4. Select the Access control (IAM) page on the left. Then select the Role assignments tab.

    Here we see that the assignment-locked-storageaccount-TestingBPLocks blueprint assignment has the Owner role. It has this role because this role was used to deploy and lock the resource group.

  5. Select the Deny assignments tab.

    The blueprint assignment created a deny assignment on the deployed resource group to enforce the Read Only blueprint lock mode. The deny assignment prevents someone with appropriate rights on the Role assignments tab from taking specific actions. The deny assignment affects All principals.

    For information about excluding a principal from a deny assignment, see blueprints resource locking.

  6. Select the deny assignment, and then select the Denied Permissions page on the left.

    The deny assignment blocks every operation through the * entry under Actions, but allows read access by excluding */read via NotActions.

  7. In the Azure portal breadcrumb, select TestingBPLocks - Access control (IAM). Select the Overview page on the left, and then select the Delete resource group button. Enter the name TestingBPLocks to confirm the delete, and then select Delete at the bottom of the pane.

    The portal notification Delete resource group TestingBPLocks failed appears. The error states that although your account has permission to delete the resource group, access is denied by the blueprint assignment. Remember that we selected the Read Only blueprint lock mode during blueprint assignment. The blueprint lock prevents an account with permission, even Owner, from deleting the resource. For more information, see blueprints resource locking.

These steps show that our deployed resources are now protected with blueprint locks that prevent unwanted deletion, even from an account that has permission to delete the resources.
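The Read Only lock inspected in steps 5 and 6 is an ordinary Azure deny assignment, so the effect of the lock on any control-plane operation follows from three rules: the operation matches an entry under Actions, it is not carved back out by an entry under NotActions, and the caller is not an excluded principal. The Python script below is an added example, not part of this tutorial or of the Azure Blueprints service. It models that evaluation with the wildcard semantics Azure RBAC uses (* matches any run of characters, comparison is case-insensitive) and checks a few constructed operations against the Actions * / NotActions */read shape shown on the Denied Permissions page. The Do Not Delete shape (Actions */delete) and the excluded-principal handling go beyond what this page shows and are included as a generalization; the principal ID is a constructed placeholder.

```python
import re
from dataclasses import dataclass


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC-style wildcard match: '*' matches any run of characters
    (including '/'), everything else is literal, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


@dataclass(frozen=True)
class DenyAssignment:
    """Constructed model of the parts of an Azure deny assignment that decide
    whether a control-plane operation is blocked."""
    name: str
    actions: tuple                    # operations the assignment denies
    not_actions: tuple = ()           # operations carved back out of 'actions'
    excluded_principals: tuple = ()   # principal object IDs the deny does not apply to

    def denies(self, operation: str, principal_id: str = "") -> bool:
        # Excluded principals bypass the deny assignment entirely.
        if any(p.lower() == principal_id.lower() for p in self.excluded_principals):
            return False
        # Denied when the operation matches an Actions entry and no NotActions entry.
        hit = any(matches(a, operation) for a in self.actions)
        carved_out = any(matches(n, operation) for n in self.not_actions)
        return hit and not carved_out


# Shape shown on the Denied Permissions page for the Read Only lock mode.
READ_ONLY_LOCK = DenyAssignment(
    name="Read Only",
    actions=("*",),
    not_actions=("*/read",),
)

# Generalization beyond this tutorial: the Do Not Delete lock mode denies
# only delete operations (assumed shape, not taken from this page).
DO_NOT_DELETE_LOCK = DenyAssignment(
    name="Do Not Delete",
    actions=("*/delete",),
)

# Constructed placeholder for a principal excluded from the deny assignment.
EXCLUDED_PRINCIPAL = "00000000-0000-0000-0000-00000000feed"

READ_ONLY_WITH_EXCLUSION = DenyAssignment(
    name="Read Only (with excluded principal)",
    actions=("*",),
    not_actions=("*/read",),
    excluded_principals=(EXCLUDED_PRINCIPAL,),
)

# Constructed sample of operations an operator might attempt against TestingBPLocks.
SAMPLE_OPERATIONS = (
    "Microsoft.Resources/subscriptions/resourceGroups/delete",  # the step 7 attempt
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",        # an 'action', not a 'read'
    "Microsoft.Storage/storageAccounts/delete",
)


def evaluate(lock: DenyAssignment, principal_id: str = "") -> dict:
    """Return {operation: 'denied' | 'allowed'} for every sample operation."""
    return {
        op: ("denied" if lock.denies(op, principal_id) else "allowed")
        for op in SAMPLE_OPERATIONS
    }


if __name__ == "__main__":
    for lock in (READ_ONLY_LOCK, DO_NOT_DELETE_LOCK):
        print(f"== {lock.name} ==")
        for op, verdict in evaluate(lock).items():
            print(f"  {verdict:8} {op}")
    print(f"== {READ_ONLY_WITH_EXCLUSION.name}, caller is the excluded principal ==")
    for op, verdict in evaluate(READ_ONLY_WITH_EXCLUSION, EXCLUDED_PRINCIPAL).items():
        print(f"  {verdict:8} {op}")
```

Two results are worth noting when planning a Read Only lock. Because */read is the only carve-out, listKeys on the storage account is denied as well: it is an action operation, not a read, so anything that needs account keys after the lock is applied has to be handled by an excluded principal. And the decision is about the control plane only; the deny assignment says nothing about data-plane access to blobs or tables, which is governed separately.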

Unassign the blueprint

The last step is to remove the assignment of the blueprint definition. Removing the assignment doesn't remove the associated artifacts.

  1. Select All services in the left pane. Search for and select Blueprints.

  2. Select the Assigned blueprints page on the left. Use the filters to find the assignment-locked-storageaccount-TestingBPLocks blueprint assignment, and then select it.

  3. Select Unassign blueprint at the top of the page. Read the warning in the confirmation dialog box, and then select OK.

    When the blueprint assignment is removed, the blueprint locks are also removed. The resources can once again be deleted by an account with appropriate permissions.

  4. Select Resource groups from the Azure menu, and then select TestingBPLocks.

  5. Select the Access control (IAM) page on the left, and then select the Role assignments tab.

The security for the resource group shows that the blueprint assignment no longer has Owner access.

After the Removing blueprint assignment succeeded portal notification appears, go to the next step.

Clean up resources

When you're finished with this tutorial, delete these resources:

  • Resource group TestingBPLocks
  • Blueprint definition locked-storageaccount

Next steps