Create resource groups and resources at the subscription level

Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the subscription level. You use subscription-level deployments to take actions that make sense at that level, such as creating resource groups or assigning role-based access control.

To deploy templates at the subscription level, use Azure CLI, PowerShell, or REST API. The Azure portal doesn't support deployment at the subscription level.

Supported resources

You can deploy the following resource types at the subscription level:

Schema

The schema you use for subscription-level deployments is different from the schema for resource group deployments.

For templates, use:

https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#

For parameter files, use:

https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#

Deployment commands

The commands for subscription-level deployments are different from the commands for resource group deployments.

For the Azure CLI, use az deployment create. The following example deploys a template to create a resource group:

az deployment create \
  --name demoDeployment \
  --location centralus \
  --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/emptyRG.json \
  --parameters rgName=demoResourceGroup rgLocation=centralus

For the PowerShell deployment command, use New-AzDeployment. The following example deploys a template to create a resource group:

New-AzDeployment `
  -Name demoDeployment `
  -Location centralus `
  -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/emptyRG.json `
  -rgName demoResourceGroup `
  -rgLocation centralus

For REST API, use Deployments - Create At Subscription Scope.

Deployment location and name

For subscription-level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data.

You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named azuredeploy.json creates a default deployment name of azuredeploy.

For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.

Use template functions

For subscription-level deployments, there are some important considerations when using template functions:

  • The resourceGroup() function is not supported.
  • The resourceId() function is supported. Use it to get the resource ID for resources that are used at subscription-level deployments. For example, get the resource ID for a policy definition with resourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinition')). Or, use the subscriptionResourceId() function to get the resource ID for a subscription-level resource.
  • The reference() and list() functions are supported.

Create resource groups

To create a resource group in an Azure Resource Manager template, define a Microsoft.Resources/resourceGroups resource with a name and location for the resource group. You can create a resource group and deploy resources to that resource group in the same template.

The following template creates an empty resource group.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "rgName": {
            "type": "string"
        },
        "rgLocation": {
            "type": "string"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2018-05-01",
            "location": "[parameters('rgLocation')]",
            "name": "[parameters('rgName')]",
            "properties": {}
        }
    ],
    "outputs": {}
}

Use the copy element with resource groups to create more than one resource group.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "rgNamePrefix": {
            "type": "string"
        },
        "rgLocation": {
            "type": "string"
        },
        "instanceCount": {
            "type": "int"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2018-05-01",
            "location": "[parameters('rgLocation')]",
            "name": "[concat(parameters('rgNamePrefix'), copyIndex())]",
            "copy": {
                "name": "rgCopy",
                "count": "[parameters('instanceCount')]"
            },
            "properties": {}
        }
    ],
    "outputs": {}
}

For information about resource iteration, see Deploy more than one instance of a resource or property in Azure Resource Manager Templates, and Tutorial: Create multiple resource instances with Resource Manager templates.

Resource group and resources

To create the resource group and deploy resources to it, use a nested template. The nested template defines the resources to deploy to the resource group. Set the nested template as dependent on the resource group to make sure the resource group exists before deploying the resources.

The following example creates a resource group, and deploys a storage account to the resource group.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "parameters": {
        "rgName": {
            "type": "string"
        },
        "rgLocation": {
            "type": "string"
        },
        "storagePrefix": {
            "type": "string",
            "maxLength": 11
        }
    },
    "variables": {
        "storageName": "[concat(parameters('storagePrefix'), uniqueString(subscription().id, parameters('rgName')))]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2018-05-01",
            "location": "[parameters('rgLocation')]",
            "name": "[parameters('rgName')]",
            "properties": {}
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2018-05-01",
            "name": "storageDeployment",
            "resourceGroup": "[parameters('rgName')]",
            "dependsOn": [
                "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {},
                    "resources": [
                        {
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2017-10-01",
                            "name": "[variables('storageName')]",
                            "location": "[parameters('rgLocation')]",
                            "kind": "StorageV2",
                            "sku": {
                                "name": "Standard_LRS"
                            }
                        }
                    ],
                    "outputs": {}
                }
            }
        }
    ],
    "outputs": {}
}
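
A pre-deployment check for the two rules above (no resourceGroup() function, and a nested deployment must depend on the resource group it targets), as an added example that is not part of the original page or of any Azure tooling. The function name lint_subscription_template, the finding messages and the sample template are assumptions made for illustration.

```python
import json
import re

SUB_SCHEMA = "/subscriptionDeploymentTemplate.json#"
RG_TYPE = "Microsoft.Resources/resourceGroups"
RG_FUNC = re.compile(r"\bresourceGroup\s*\(", re.IGNORECASE)

def _strings(node):
    """Yield every string value anywhere in the parsed JSON tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def lint_subscription_template(text):
    """Return findings for a subscription-level template (hypothetical helper)."""
    tpl, findings = json.loads(text), []
    if not tpl.get("$schema", "").endswith(SUB_SCHEMA):
        findings.append("schema is not subscriptionDeploymentTemplate.json#")
    # Assumption: flag resourceGroup() anywhere in the file, nested bodies too.
    if any(s.startswith("[") and RG_FUNC.search(s) for s in _strings(tpl)):
        findings.append("resourceGroup() function used")
    resources = tpl.get("resources", [])
    created = {r["name"] for r in resources if r.get("type") == RG_TYPE and "name" in r}
    for res in resources:
        target = res.get("resourceGroup")
        # Only nested deployments into a group this template creates need ordering.
        if res.get("type") != "Microsoft.Resources/deployments" or target not in created:
            continue
        inner = target[1:-1] if target.startswith("[") else target
        deps = res.get("dependsOn", [])
        if not any(d == target or (RG_TYPE in d and inner in d) for d in deps):
            findings.append(f"{res.get('name')}: missing dependsOn for {target}")
    return findings

# Constructed sample: nested deployment without dependsOn, using resourceGroup().
SAMPLE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "resources": [
        {"type": RG_TYPE, "name": "[parameters('rgName')]"},
        {"type": "Microsoft.Resources/deployments", "name": "storageDeployment",
         "resourceGroup": "[parameters('rgName')]",
         "properties": {"template": {"resources": [
             {"location": "[resourceGroup().location]"}]}}},
    ],
})

if __name__ == "__main__":
    print("\n".join(lint_subscription_template(SAMPLE)))
```

Run it over a template file in a pipeline step before az deployment create or New-AzDeployment; an empty list means none of the three checks fired.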

Create policies

Assign policy

The following example assigns an existing policy definition to the subscription. If the policy takes parameters, provide them as an object. If the policy doesn't take parameters, use the default empty object.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "policyDefinitionID": {
            "type": "string"
        },
        "policyName": {
            "type": "string"
        },
        "policyParameters": {
            "type": "object",
            "defaultValue": {}
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "[parameters('policyName')]",
            "apiVersion": "2018-03-01",
            "properties": {
                "scope": "[subscription().id]",
                "policyDefinitionId": "[parameters('policyDefinitionID')]",
                "parameters": "[parameters('policyParameters')]"
            }
        }
    ]
}

To deploy this template with Azure CLI, use:

# Built-in policy that accepts parameters
definition=$(az policy definition list --query "[?displayName=='Allowed locations'].id" --output tsv)

az deployment create \
  --name demoDeployment \
  --location centralus \
  --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policyassign.json \
  --parameters policyDefinitionID=$definition policyName=setLocation policyParameters="{'listOfAllowedLocations': {'value': ['westus']} }"

To deploy this template with PowerShell, use:

$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }

$locations = @("westus", "westus2")
$policyParams =@{listOfAllowedLocations = @{ value = $locations}}

New-AzDeployment `
  -Name policyassign `
  -Location centralus `
  -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policyassign.json `
  -policyDefinitionID $definition.PolicyDefinitionId `
  -policyName setLocation `
  -policyParameters $policyParams

Define and assign policy

You can define and assign a policy in the same template.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyDefinitions",
            "name": "locationpolicy",
            "apiVersion": "2018-05-01",
            "properties": {
                "policyType": "Custom",
                "parameters": {},
                "policyRule": {
                    "if": {
                        "field": "location",
                        "equals": "northeurope"
                    },
                    "then": {
                        "effect": "deny"
                    }
                }
            }
        },
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "name": "location-lock",
            "apiVersion": "2018-05-01",
            "dependsOn": [
                "locationpolicy"
            ],
            "properties": {
                "scope": "[subscription().id]",
                "policyDefinitionId": "[resourceId('Microsoft.Authorization/policyDefinitions', 'locationpolicy')]"
            }
        }
    ]
}

To create the policy definition in your subscription, and apply it to the subscription, use the following CLI command:

az deployment create \
  --name demoDeployment \
  --location centralus \
  --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policydefineandassign.json

To deploy this template with PowerShell, use:

New-AzDeployment `
  -Name definePolicy `
  -Location centralus `
  -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/policydefineandassign.json

Next steps