authorization - 如何在 Azure 资源管理器部署模板中为网站创建角色分配？

Question

我尝试了使用嵌套资源的显而易见的方法:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "testapp",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
          "apiVersion": "2015-07-01",
          "name": "<guid>",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          ],
          "properties": {
            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
            "principalId": "<guid>",
          }
        }
      ]
    }
  ]
}

但这没有用 - 它创建了一个角色分配，但在资源组级别而不是在网站级别。 (这是一个错误吗？)

如果我尝试明确指定范围:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "testapp",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "Microsoft.Web/sites/providers/Microsoft.Authorization/roleassignments",
          "apiVersion": "2015-07-01",
          "name": "<guid>",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites/', 'testapp')]"
          ],
          "properties": {
            "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
            "principalId": "<guid>",
            "scope": "[resourceId('Microsoft.Web/sites/', 'testapp'))]"
          }
        }
      ]
    }
  ]
}

失败了，表示范围 ID 必须与资源的 URI 匹配。

我还尝试了一些带有非嵌套资源的选项，但它们都不会通过。此功能是否不受支持，或者我是否缺少一些有效的语法？

Answer 1

在这里找到答案:https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/

范围标记不适用于单个角色分配。'name' 标签似乎起到了作用域的作用。

  "parameters": {

    "roleAssignmentsGuidFunctionsReader": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    },
    "roleAssignmentsGuidFunctionsContributor": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    }
   },
  "variables": {
    "uniqueId": "[substring(uniqueString(resourceGroup().id),9,4)]",
    "functionsName": "[concat('MyfuncApp','Functions',variables('uniqueId') )]",
    "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "contributorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"  
  },
  "resources": [
    {
      "apiVersion": "2017-09-01",
      "type": "Microsoft.Web/sites/providers/roleAssignments",
      "name": "[concat(variables('functionsName'), '/Microsoft.Authorization/', parameters('roleAssignmentsGuidFunctionsContributor'))]",
      "properties": {
        "roleDefinitionId": "[variables('contributorRole')]",
        "principalId": "[ reference( resourceId('Microsoft.Web/sites', variables('functionsName') ), '2018-11-01', 'Full').identity.principalId]" //,
      },
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionsName'))]"
      ]
    }
 ]