Json: Provisioning an access policy with DependsOn

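I'm trying to do the following:

  • Create a Key Vault (works)
  • Create an AZ Function (works)
  • Use the Key Vault's Vault URI as an application setting of the AZ Function (works)
  • Give the AZ Function a managed identity (works)
  • Create an access policy so that the AZ Function can access the Key Vault (whoopsie!)

Initially I created the access policy inside the Key Vault, but I had to declare that the AZ Function depends on the Key Vault (so that I could get its URI). Obviously, I could not then make the Key Vault depend on the AZ Function (as that would create a circular dependency). I then tried creating the AccessPolicy as a separate step and marked it as depending on both the KeyVault and the AZ Function (thinking it would be set up last).

But for some reason, when looking at the deployment logs, it always seems to try to deploy it first! Any help would be appreciated.

ARM template truncated for brevity: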


  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[variables('keyVaultName')]",
      "location": "[ResourceGroup().location]",
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('userId')]",
            "permissions": {
              "keys": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "certificates": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "ManageContacts",
                "ManageIssuers",
                "GetIssuers",
                "ListIssuers",
                "SetIssuers",
                "DeleteIssuers"
              ]
            }
          }
        ],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(variables('keyVaultName'),'/add')]",
      "apiVersion": "2018-02-14",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionName'))]",
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
      ],
      //tried both the above and the below
      "dependsOn": [
        "[variables('keyVaultName')]",
        "[variables('functionName')]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]",
            "permissions": {
              "keys": [
              ],
              "secrets": [
                "Get",
                "Set",
                "Delete"
              ],
              "certificates": [
              ]
            }
          }
        ]
      }
    },
.
.
.
.
.
.
.
.
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "[variables('functionName')]",
      "location": "[ResourceGroup().location]",
      "dependsOn": [
        "[variables('planName')]",
        "[variables('appInsightsName')]",
        "[variables('storageAccName')]",
        "[variables('keyVaultName')]",
        "[variables('databaseName')]"
      ],
      "kind": "functionapp",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "serverFarmId": "[variables('planName')]",
        "enabled": true,
        "reserved": false
      },
      "resources": [
        {
          "apiVersion": "2015-08-01",
          "name": "connectionstrings",
          "type": "config",
          "dependsOn": [
            "[variables('functionName')]",
            "[variables('databaseName')]"
          ],
          "properties": {
          }
        },
        {
          "apiVersion": "2015-08-01",
          "name": "appsettings",
          "type": "config",
          "dependsOn": [
            "[variables('functionName')]",
            "[variables('appInsightsName')]",
            "[variables('storageAccName')]",
            "[variables('keyVaultName')]"
          ],
          "properties": "[union(variables('completeAppSettings'),json(concat('{ AzureWebJobsStorage:\"', concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccName')), '2019-04-01').keys[0].value), '\", WEBSITE_CONTENTAZUREFILECONNECTIONSTRING:\"',\tconcat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccName')), '2019-04-01').keys[0].value), '\", WEBSITE_CONTENTSHARE:\"', variables('functionName'), '\", APPINSIGHTS_INSTRUMENTATIONKEY:\"', reference(concat('microsoft.insights/components/', variables('appInsightsName'))).InstrumentationKey, '\", KeyVaultUri:\"', reference(concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))).vaultUri, '\"}')))]"
        },
        {
          "type": "slots",
          "apiVersion": "2016-08-01",
          "name": "[variables('functionStagingName')]",
          "location": "[ResourceGroup().location]",
          "dependsOn": [
            "[variables('functionName')]",
            "[variables('keyVaultName')]"
          ],
          "kind": "functionapp",
          "properties": {
            "enabled": false,
            "serverFarmId": "[variables('planName')]"
          }
        }
      ]
    }
  ]

P.S. I know that the way I'm creating the app settings is a work of art (sarcasm). Please don't judge me, just know that it works.

P.P.S. Complete ARM template:

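Your template looks fine, so if this doesn't work, it looks like a bug. That said, you can always work around it by moving the accessPolicy assignment into a nested template: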

{
   "type": "Microsoft.Resources/deployments",
   "apiVersion": "2018-05-01",
   "name": "linkedTemplate",
   "dependsOn": [
       "[variables('keyVaultName')]",
       "[variables('functionName')]"
   ],
   "properties": {
       "mode": "Incremental",
       "templateLink": {
           "uri": "https://mystorageaccount.blob.core.windows.net/AzureTemplates/newStorageAccount.json",
           "contentVersion": "1.0.0.0"
       },
       "parameters": {
           "managedIdentityId": {"value": "[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]"}
       }
   }
}
You need to upload the template somewhere (it should contain only your accessPolicy assignment).

Reading:
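What the linked template could contain, as an added example that is not part of the original answer: it holds only the access-policy resource and receives the identity through the managedIdentityId parameter from the answer above. The keyVaultName parameter is an assumption; the parent deployment's parameters block would have to pass it as well.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: name of the vault created by the parent template"
      }
    },
    "managedIdentityId": {
      "type": "string",
      "metadata": {
        "description": "principalId of the function's system-assigned identity, resolved by the parent deployment"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2018-02-14",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('managedIdentityId')]",
            "permissions": {
              "secrets": [
                "Get",
                "Set",
                "Delete"
              ]
            }
          }
        ]
      }
    }
  ]
}
```

The `add` operation merges this entry into the vault's existing access policies, so the user policy defined on the vault resource itself stays in place. The function's identity receives only the three secret permissions from the question and no key or certificate permissions.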

Try removing the apiVersion from the reference() function, which will delay the call until after the resource has been provisioned:

"[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default')).principalId]"

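Thanks for checking. Yes, I had left nested templates as a last resort, but I think I'll have to go back to them.

I've seen some bugs with the managed identity object reference; whatever happens, it seems to be evaluated at the start of the deployment. If that happens, you need to move the reference function that retrieves the managed identity inside the nested template, and then it will work (because it will only start when the nested template starts).

Tried this with an inline nested template, but it didn't work. I then changed the logic so that I don't pass the managed identity id as a parameter but pass the function name instead and then retrieve the identity inside... still didn't work. I'm looking into how to make it work with linked templates (since I have to upload that somewhere), which requires some reading as this is part of a DevOps CICD pipeline. To be honest, the easy fix is to just run the template twice. The first time it fails, the second time it works. It's a terrible way of doing it, but it's a way.

Unfortunately, it didn't improve my situation. In fact, it may have made it worse now! Error message: message=Deployment template validation failed: The resource 'Microsoft.Web/sites/REDACTEDFORPRIVACY/providers/Microsoft.ManagedIdentity/Identities/default' is not defined in the template.

OK, then I'll have to look at your entire deployment... If the resource is deployed in a separate template, then you must supply the apiVersion. But in that case, evaluation of the function should be delayed until deployment. If it's in the same template, then you don't need the apiVersion, as the apiVersion also has the same effect of delaying deployment. If it's better, you can post here or email me directly at Microsoft.

Thanks so much for your help, but it's not necessary. I opted for using nested templates. Your point about the apiVersion is good to know, though! Thanks.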