azure - How to add an Azure Active Directory admin on SQL Server to an Azure group after SQL Server deployment
Problem description
I am trying to create an automated process that adds an Azure Active Directory admin on SQL Server to an Azure group after the SQL Server is deployed. The group I want to add is also a security group. I am thinking of using Azure Policy to achieve this. What would the policy rule look like? If there is a better Azure service/feature to accomplish my task, what is it?
Solution
Here is the sample policy definition that worked for me; it evaluates existing resources and reports compliant and non-compliant resources. Also note that during an evaluation cycle, resources matching a policy definition with the "DeployIfNotExists" effect are marked as non-compliant, but no action is taken on those resources. Existing non-compliant resources can be fixed with a remediation task.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Sql/servers"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Sql/servers/administrators",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Sql/servers/administrators/administratorType",
              "equals": "ActiveDirectory"
            },
            {
              "field": "Microsoft.Sql/servers/administrators/login",
              "equals": "xxxx@xxxxxx.com"
            },
            {
              "field": "Microsoft.Sql/servers/administrators/sid",
              "equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
            },
            {
              "field": "Microsoft.Sql/servers/administrators/tenantId",
              "equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "location": { "type": "string" },
                "sqlServerName": { "type": "string" }
              },
              "variables": {},
              "resources": [
                {
                  "name": "[parameters('sqlServerName')]",
                  "type": "Microsoft.Sql/servers",
                  "apiVersion": "2019-06-01-preview",
                  "location": "[parameters('location')]",
                  "resources": [
                    {
                      "type": "Microsoft.Sql/servers/administrators",
                      "apiVersion": "2019-06-01-preview",
                      "name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
                      "dependsOn": [
                        "[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
                      ],
                      "properties": {
                        "administratorType": "ActiveDirectory",
                        "login": "xxxx@xxxxxx.com",
                        "sid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
                        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
                      }
                    }
                  ]
                }
              ]
            },
            "parameters": {
              "sqlServerName": { "value": "[field('Name')]" },
              "location": { "value": "[field('Location')]" }
            }
          }
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
          "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
        ]
      }
    }
  },
  "parameters": {}
}
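The definition above is only half of the job: the placeholder sid/login/tenantId values have to be filled in with the security group's real identifiers, the assignment needs a managed identity that actually holds one of the roles listed under roleDefinitionIds, and existing servers are only remediated when a remediation task is started. The following Az PowerShell script is an added example (not code from the answer above) that does those steps end to end. It assumes hypothetical names: the definition is saved as .\sql-aad-admin-policy.json, the Entra ID security group is called 'sql-aad-admins', the verification server is 'sql-prod-01' in resource group 'rg-sql', the Az.Resources, Az.PolicyInsights and Az.Sql modules are installed, and Connect-AzAccount has already been run.

```powershell
# Added example, not part of the original answer: publish the definition above, assign it
# with a managed identity, remediate existing servers and verify one of them.
# Assumptions (all hypothetical, change for your environment): the definition is saved as
# .\sql-aad-admin-policy.json, the Entra ID security group is 'sql-aad-admins', the
# Az.Resources, Az.PolicyInsights and Az.Sql modules are installed and Connect-AzAccount
# has been run. Output property names ($assignment.Identity.PrincipalId,
# $assignment.PolicyAssignmentId) follow Az.Resources 6.x; on a newer release inspect the
# assignment object with Get-Member if one of them comes back empty.

$policyPath = '.\sql-aad-admin-policy.json'
$groupName  = 'sql-aad-admins'
$context    = Get-AzContext
$scope      = "/subscriptions/$($context.Subscription.Id)"
$tenantId   = $context.Tenant.Id

# 1. For a group, 'sid' is the Entra object ID and 'login' is the display name.
$group = @(Get-AzADGroup -DisplayName $groupName)
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)" }
$group = $group[0]

# 2. Stamp the real values into BOTH the existenceCondition and the deployment template.
#    If the two ever disagree, the existence check never matches and the policy redeploys
#    the administrator on every evaluation cycle instead of reporting compliant.
$policy     = Get-Content $policyPath -Raw | ConvertFrom-Json
$details    = $policy.policyRule.then.details
$conditions = $details.existenceCondition.allOf
$adminProps = $details.deployment.properties.template.resources[0].resources[0].properties

$values = @{ login = $group.DisplayName; sid = $group.Id; tenantId = $tenantId }
foreach ($name in $values.Keys) {
    $condition = $conditions | Where-Object { $_.field -eq "Microsoft.Sql/servers/administrators/$name" }
    if (-not $condition -or -not $adminProps.PSObject.Properties[$name]) {
        throw "Definition has no '$name' in the existenceCondition or the template"
    }
    $condition.PSObject.Properties['equals'].Value = $values[$name]
    $adminProps.PSObject.Properties[$name].Value   = $values[$name]
}

# 3. Publish the definition and assign it. DeployIfNotExists needs an identity to run the
#    embedded template, so the assignment gets a system-assigned managed identity.
$definition = New-AzPolicyDefinition -Name 'sql-aad-admin' `
    -DisplayName 'SQL servers must have the sql-aad-admins group as Azure AD administrator' `
    -Policy ($policy.policyRule | ConvertTo-Json -Depth 30) -Mode $policy.mode
$assignment = New-AzPolicyAssignment -Name 'sql-aad-admin' -PolicyDefinition $definition `
    -Scope $scope -IdentityType SystemAssigned -Location 'eastus'

# 4. Policy does not grant roles for you: give the identity the first role listed under
#    roleDefinitionIds (Contributor) at the assignment scope. The new principal can take a
#    moment to replicate, so retry instead of failing on the first attempt.
$principalId = $assignment.Identity.PrincipalId
for ($attempt = 1; $attempt -le 6; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $principalId `
            -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' -Scope $scope -ErrorAction Stop
        break
    } catch {
        if ($attempt -eq 6) { throw }
        Start-Sleep -Seconds 15
    }
}

# 5. Existing servers are only marked non-compliant; a remediation task performs the deployment.
Start-AzPolicyRemediation -Name 'sql-aad-admin-initial' `
    -PolicyAssignmentId $assignment.PolicyAssignmentId -ResourceDiscoveryMode ReEvaluateCompliance

# 6. Check one server (hypothetical names) once the remediation reports success.
Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName 'rg-sql' -ServerName 'sql-prod-01' |
    Select-Object DisplayName, ObjectId
```

Contributor is the narrower of the two roles the definition lists, and it is enough for the embedded template; grant Owner only if you have a reason to. If you prefer not to redeploy the Microsoft.Sql/servers resource itself, the same policy works with a template that contains only the Microsoft.Sql/servers/administrators child resource named '<server>/ActiveDirectory', which is the only resource the existence condition looks at.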