The deployment criteria narrow the scope of a policy so that it is applied only to the deployments where the criteria are true. For example, you can use the deployment criteria to create a policy that is applied only to a particular catalog item or template.
Constructing deployment criteria
You use the graphical interface to construct the deployment criteria expression. To construct complex expressions, you can use AND and OR. You can also group expressions as parenthetical operators. For more about how the expressions are processed, see Order of operations for the expression.
Deployment equals Multi-tier five machine with LB AND (Owned By equals [email protected] OR Owned By [email protected])
Deployment criteria properties
To create functional deployment criteria, you must understand the syntax.
The criteria text box has various drop-down menus that provide the available properties and operators. How you construct your expression depends on the available values and on the order of operations.
The drop-down menus include the following properties. Some properties vary between policy types.
Property | Description | Available in these policy types | Supports these operators |
---|---|---|---|
Cloud Template | Identifier for the Cloud Assembly cloud template that was used to create the deployment. Use | | |
| | Identifier for the Service Broker catalog item that was used to request the deployment. Use | | |
Deployment Creation Cost | Cost value. If the deployment matches the specified cost expression, it triggers an approval flow. | | |
Deployment | Identifier for the deployment. Use | | |
Created By | Name of the user who requested the deployment. The format is [email protected]. This user is the user who requested the deployment. | | |
Name | Deployment name. Use | | |
Owned By | Name of the current deployment owner. | | |
Owner Type | Deployment owner type. Ownership can be based on users or Active Directory groups. | | |
Requested By | Name of the user who requested a day 2 action. The format is [email protected]. When creating approval policies, the | | |
Resources | Resources that are part of a deployment. You can define the deployment criteria based on the following resources. | | |
Criteria formats for resource tags
Resource tags are key value pairs. When you define deployment criteria based on the tags, you must define the key. Defining the value is optional. The criteria are based on user-defined tags and system tags.
Resources has any Tags has any Key equals env AND Value equals dev
Resources has any Tags has any Key equals env AND Value equals dev OR Value equals prod
Resources has any Tags has any Key equals env1 OR Key equals env2
Resources has any Tags has any Key equals env AND Value equals envprod AND Tags has any Key equals vc_65_network AND Value equals vc
Using the contains and matches Regex operators
The contains and matches Regex operators define a search for a specified set of characters within a property. You can apply these operators to string based properties that do not support a drop-down, such as createdBy, name, and ownedBy.
The contains operator searches for all instances of the value you specify in any context. The value input text box is case sensitive and space sensitive. If you want to account for context variation, you must set a value for each additional variant. Use the contains operator for simple searches for a limited number of values.
The matches Regex operator provides great flexibility when you use it for complex searches that must account for a lot of context variation. The regular expressions must follow ECMAScript syntax. When defining regular expressions, do not enter the forward slashes (/) at the beginning and at the end of the value.
The following table provides examples of expressions using the two operators and compares how they might be used to achieve the same goal.
Example with the contains operator |
Example with the matches Regex operator |
Field value matches |
---|---|---|
Name contains test |
Name matches Regex test* |
All deployment names that contain test in lowercase. For example, test deployment, mytest, test-123, and so on. |
Name contains test OR Name contains Test |
Name matches Regex (t|T)est.* |
All deployment names that contain test or Test. |
(group) Created By contains admin@ (group) AND Created By contains .com OR Created By contains .org (group) AND Name contains test OR Name contains test- OR Name contains Test OR Name contains Test- OR Name contains deploy OR Name contains Deploy |
Created By matches Regex admin@\S+\.((com)|(org)) AND Name matches ((t|T)est)|(d|D)epl.*. |
All deployments that are created by users whose email address starts with admin@ and ends with .com or .org. All deployment names that contain test and/or deploy in any configuration. For example, test deployment, testdeployment, Test-Deployment, and so on. |
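Because a pattern that selects more or fewer deployments than intended changes which deployments a policy governs, it is worth running each pattern against known names before saving it. The following is an added example, not code from the product or its documentation: it applies the patterns from the table with the ECMAScript regex engine under two readings, match anywhere in the value and match the whole value, because the page does not state which one the operator uses. The sample names and owner addresses are constructed, and `matchedBy` and `ambiguous` are hypothetical helper names.

```javascript
// Added example, not product code. Patterns are the ones in the table above;
// the deployment names and owner addresses are constructed sample values.
// The page does not state whether a pattern may match anywhere in the value
// or must match the whole value, so both readings are modelled.
const MODES = {
  search: (p) => new RegExp(p),                 // match anywhere in the value
  whole: (p) => new RegExp("^(?:" + p + ")$"),  // match the entire value
};

// Return the sample values a pattern selects under the given reading.
function matchedBy(pattern, values, mode) {
  const re = MODES[mode](pattern);
  return values.filter((v) => re.test(v));
}

// Values that one reading selects and the other does not: each one is a
// deployment whose policy coverage depends on how the pattern is applied.
function ambiguous(pattern, values) {
  const s = new Set(matchedBy(pattern, values, "search"));
  const w = new Set(matchedBy(pattern, values, "whole"));
  return values.filter((v) => s.has(v) !== w.has(v));
}

const names = ["test-123", "mytest", "Test-Deployment", "release-notes"];
const owners = ["admin@example.com", "sysadmin@example.com",
                "admin@example.company", "admin@example.net"];

const OWNER_PATTERN = String.raw`admin@\S+\.((com)|(org))`;
// Explicit ^ and $ anchors make both readings select the same values.
const OWNER_ANCHORED = String.raw`^admin@\S+\.(com|org)$`;

const cases = [["test*", names], ["(t|T)est.*", names],
               [OWNER_PATTERN, owners], [OWNER_ANCHORED, owners]];
for (const [pattern, values] of cases) {
  console.log(pattern, {
    search: matchedBy(pattern, values, "search"),
    whole: matchedBy(pattern, values, "whole"),
    ambiguous: ambiguous(pattern, values),
  });
}
```

In ECMAScript syntax `test*` means `tes` followed by zero or more `t`, which is why the constructed name release-notes is selected under the search reading.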
Order of operations for the expression
An expression is processed in the following order. Groups are illustrated as parentheses.
- Expressions in groups
- AND
- OR
Use the following examples to understand the order.
- X OR Y AND Z. In this example, Y AND Z is evaluated before X OR Y. Next, the X OR is evaluated against the results of Y AND Z.
- (X OR Y) AND Z. In this example, X OR Y is evaluated before AND because the expression in the group is always evaluated first. Next the AND Z is evaluated against the results of X OR Y.
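The effect of this order on policy scope can be checked with a small evaluator. The following is an added example, not the product's parser: it evaluates a flat criteria string with groups first, then AND, then OR, and supports only equals and contains clauses. The deployment record and the owner addresses are constructed, and `tokenize`, `evalClause` and `evaluate` are hypothetical names.

```javascript
// Added example, not the product's parser. Evaluates a flat criteria string
// with the order given above: groups first, then AND, then OR.
function tokenize(expr) {
  return expr.split(/(\(|\)|\s+AND\s+|\s+OR\s+)/)
    .map((t) => t.trim()).filter((t) => t.length > 0);
}
// Only "equals" and "contains" clauses are handled in this sketch.
function evalClause(clause, dep) {
  const m = /^(.+?) (equals|contains) (.+)$/.exec(clause);
  if (!m) throw new Error("Unsupported clause: " + clause);
  const actual = String(dep[m[1]] ?? "");
  return m[2] === "equals" ? actual === m[3] : actual.includes(m[3]);
}
function evaluate(expr, dep) {
  const toks = tokenize(expr);
  let i = 0;
  const parseOr = () => {            // lowest precedence: OR
    let v = parseAnd();
    while (toks[i] === "OR") { i++; const r = parseAnd(); v = v || r; }
    return v;
  };
  const parseAnd = () => {           // binds tighter than OR
    let v = parsePrimary();
    while (toks[i] === "AND") { i++; const r = parsePrimary(); v = v && r; }
    return v;
  };
  const parsePrimary = () => {       // a group or a single clause
    if (i >= toks.length) throw new Error("Unexpected end of expression");
    if (toks[i] === "(") {
      i++; const v = parseOr();
      if (toks[i++] !== ")") throw new Error("Missing closing parenthesis");
      return v;
    }
    return evalClause(toks[i++], dep);
  };
  const result = parseOr();
  if (i !== toks.length) throw new Error("Unexpected token: " + toks[i]);
  return result;
}

// Constructed sample: a deployment that is not the multi-tier one.
const dep = { "Deployment": "Single VM", "Owned By": "kris@example.com" };
const HEAD = "Deployment equals Multi-tier five machine with LB AND ";
const UNGROUPED = HEAD + "Owned By equals jan@example.com OR Owned By equals kris@example.com";
const GROUPED = HEAD + "(Owned By equals jan@example.com OR Owned By equals kris@example.com)";
console.log(evaluate(UNGROUPED, dep), evaluate(GROUPED, dep));
```

Without the group, the trailing OR clause alone is enough to satisfy the criteria, so the policy reaches every deployment owned by that user; with the group, the deployment must also be the named one.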