gpt4 book ai didi

json - 使用 DependOn 配置访问策略

转载 作者:行者123 更新时间:2023-12-05 03:57:56 25 4
gpt4 key购买 nike

我正在尝试执行以下操作:

  • 创建 key 保管库(有效)
  • 创建 AZ 函数(有效)
  • 使用 keyvault 的VaultURI 作为 AZ 功能的应用设置(可行)
  • 为可用区功能提供托管身份(有效)
  • 创建访问策略,使 AZ 功能能够访问 key 保管库(哎哟!)

最初,我是在 Keyvault 内创建访问策略,但我必须将 AZ 函数声明为依赖于 Key Vault(以便我可以获取其 URI)。显然,我无法将 Key Vault 设置为依赖于 AZ 函数(因为这会创建循环依赖)。然后,我尝试创建 AccessPolicy 作为另一个步骤,并将其标记为依赖于 KeyVault 和 AZ 功能(认为它将最后配置)。

但由于某种原因,当查看部署日志时,似乎总是他先尝试部署它!任何帮助,将不胜感激。

为简洁起见,ARM 模板被截断:


"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[variables('keyVaultName')]",
"location": "[ResourceGroup().location]",
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('userId')]",
"permissions": {
"keys": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Recover",
"Backup",
"Restore"
],
"certificates": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore",
"ManageContacts",
"ManageIssuers",
"GetIssuers",
"ListIssuers",
"SetIssuers",
"DeleteIssuers"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false
}
},
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(variables('keyVaultName'),'/add')]",
"apiVersion": "2018-02-14",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('functionName'))]",
"[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
],
//tried both the above and the below
"dependsOn": [
"[variables('keyVaultName')]",
"[variables('functionName')]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]",
"permissions": {
"keys": [
],
"secrets": [
"Get",
"Set",
"Delete"
],
"certificates": [
]
}
}
]
}
},
.
.
.
.
.
.
.
.
{
"type": "Microsoft.Web/sites",
"apiVersion": "2016-08-01",
"name": "[variables('functionName')]",
"location": "[ResourceGroup().location]",
"dependsOn": [
"[variables('planName')]",
"[variables('appInsightsName')]",
"[variables('storageAccName')]",
"[variables('keyVaultName')]",
"[variables('databaseName')]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"serverFarmId": "[variables('planName')]",
"enabled": true,
"reserved": false
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "connectionstrings",
"type": "config",
"dependsOn": [
"[variables('functionName')]",
"[variables('databaseName')]"
],
"properties": {
}
},
{
"apiVersion": "2015-08-01",
"name": "appsettings",
"type": "config",
"dependsOn": [
"[variables('functionName')]",
"[variables('appInsightsName')]",
"[variables('storageAccName')]",
"[variables('keyVaultName')]"
],
"properties": "[union(variables('completeAppSettings'),json(concat('{ AzureWebJobsStorage:\"', concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccName')), '2019-04-01').keys[0].value), '\", WEBSITE_CONTENTAZUREFILECONNECTIONSTRING:\"',\tconcat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccName')), '2019-04-01').keys[0].value), '\", WEBSITE_CONTENTSHARE:\"', variables('functionName'), '\", APPINSIGHTS_INSTRUMENTATIONKEY:\"', reference(concat('microsoft.insights/components/', variables('appInsightsName'))).InstrumentationKey, '\", KeyVaultUri:\"', reference(concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))).vaultUri, '\"}')))]"
},
{
"type": "slots",
"apiVersion": "2016-08-01",
"name": "[variables('functionStagingName')]",
"location": "[ResourceGroup().location]",
"dependsOn": [
"[variables('functionName')]",
"[variables('keyVaultName')]"
],
"kind": "functionapp",
"properties": {
"enabled": false,
"serverFarmId": "[variables('planName')]"
}
}
]
}
]

P.s.我知道我创建应用程序设置的方式是一件艺术品(讽刺)。请不要评判我,只要知道它有效即可。

P.p.s 完整的 ARM 模板:https://pastebin.com/mma4PyRu

最佳答案

你的模板绝对没问题,所以如果这不起作用,它看起来就像一个错误。话虽如此,您始终可以通过将 accessPolicy 分配移动到嵌套模板中来解决此问题:

{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "linkedTemplate",
"dependsOn": [
"[variables('keyVaultName')]",
"[variables('functionName')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri":"https://mystorageaccount.blob.core.windows.net/AzureTemplates/newStorageAccount.json",
"contentVersion":"1.0.0.0"
},
"parameters": {
"managedIdentityId":{"value": "[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]"}
}
}

您需要将模板上传到某处(其中应仅包含您的 accessPolicy 分配

正在阅读:https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-linked-templates#external-template

关于json - 使用 DependOn 配置访问策略,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58306388/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com