Azure ARM 模板。使用来自 Key Vault 的唯一机密部署副本 VM
Azure RM Template. Deploy copy VM with unique secret from Key Vault
我希望能够创建我通过参数指定的 VM 数量(通过副本实现),每个 VM 具有不同的秘密(例如 VM1 的 secret1,VM2 的 secret2 等)这是一个基本的复制虚拟机模板示例:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"numberOfVMs": {
"type": "int",
"defaultValue": 1,
"minvalue": 1
},
"vmAdminUserName": {
"type": "string",
"minLength": 1
},
"vmAdminPassword": {
"type": "securestring"
}
},
"variables": {
"storageAccountName": "[concat('stor567', uniqueString(resourceGroup().id))]",
"storageAccountType": "Standard_LRS",
"vmWindowsOSVersion": "2016-Datacenter",
"vnetPrefix": "10.0.0.0/16",
"vnetSubnet1Name": "Subnet-1",
"vnetSubnet1Prefix": "10.0.0.0/24",
"nicVnetID": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]",
"nicSubnetRef": "[concat(variables('nicVnetID'), '/subnets/', variables('vnetSubnet1Name'))]",
"vmImagePublisher": "MicrosoftWindowsServer",
"vmImageOffer": "WindowsServer",
"vmVmSize": "Standard_DS1_v2",
"vmVnetID": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]",
"vmSubnetRef": "[concat(variables('vmVnetID'), '/subnets/', variables('vnetSubnet1Name'))]",
"vmStorageAccountContainerName": "vhds"
},
"resources": [
{
"name": "[variables('storageAccountName')]",
"type": "Microsoft.Storage/storageAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2015-06-15",
"dependsOn": [ ],
"properties": {
"accountType": "[variables('storageAccountType')]"
}
},
{
"name": "vnet",
"type": "Microsoft.Network/virtualNetworks",
"location": "[resourceGroup().location]",
"apiVersion": "2016-03-30",
"dependsOn": [ ],
"tags": {
"displayName": "vnet"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetPrefix')]"
]
},
"subnets": [
{
"name": "[variables('vnetSubnet1Name')]",
"properties": {
"addressPrefix": "[variables('vnetSubnet1Prefix')]"
}
}
]
}
},
{
"name": "[concat('NIC',copyindex())]",
"type": "Microsoft.Network/networkInterfaces",
"location": "[resourceGroup().location]",
"copy": {
"name": "nicLoop",
"count": "[parameters('numberOfVMs')]"
},
"apiVersion": "2016-03-30",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]"
],
"tags": {
"displayName": "nic"
},
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('nicSubnetRef')]"
}
}
}
]
}
},
{
"name": "[concat('VM',copyindex())]",
"type": "Microsoft.Compute/virtualMachines",
"location": "[resourceGroup().location]",
"copy": {
"name": "virtualMachineLoop",
"count": "[parameters('numberOfVMs')]"
},
"apiVersion": "2015-06-15",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
"nicLoop"
],
"tags": {
"displayName": "vm"
},
"properties": {
"hardwareProfile": {
"vmSize": "[variables('vmVmSize')]"
},
"osProfile": {
"computerName": "[concat('VM',copyindex())]",
"adminUsername": "[parameters('vmAdminUsername')]",
"adminPassword": "[parameters('vmAdminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "[variables('vmImagePublisher')]",
"offer": "[variables('vmImageOffer')]",
"sku": "[variables('vmWindowsOSVersion')]",
"version": "latest"
},
"osDisk": {
"name": "vmOSDisk",
"vhd": {
"uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob, variables('vmStorageAccountContainerName'), '/', 'VM',copyIndex(),'-','OSdisk.vhd')]"
},
"caching": "ReadWrite",
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', concat('NIC',copyindex()))]"
}
]
}
}
}],
"outputs": {}
}
但是,我正在努力将密码作为 Key Vault 的唯一机密集成到该模板中。如果我将官方文档 Reference a secret with static id VMs with secret1 for each VM will be created. And I can’t wrap Reference a secret with dynamic id 中的示例用于嵌套模板,因为这会针对我想要部署的每个虚拟机数量一次又一次地部署我复制的虚拟机。请帮助我理解,如何解决这个挑战?
链接:Parent and Nested。
我不确定这是否是你的意思(因为我仍然认为我很难理解你的问题)。
这些模板允许部署可变数量的虚拟机,并使用不同的密钥库密钥作为这些虚拟机的密码。示例:
2 Windows 个 VM 有一个秘密,3 个 Ubuntu VM 有另一个
1 Windows 个 VM 有一个秘密,4 个 Ubuntu VM 有另一个
您可以轻松地将其扩展到其他图像,例如 centos。
正如您在查看模板后可能看到的那样,我正在使用 arrays 和 copyindex() 在它们所属的位置提供适当的值。
如果这不是您想要的,请告诉我。使用这些时要小心,github 原始链接使用某种形式的缓存,因此从 github 部署可能不适合您并出现错误,在这种情况下,只需使用我提供的链接(非原始链接)复制到本地机器并上传到一些服务,如 pastebin,然后从那里部署。
我希望能够创建我通过参数指定的 VM 数量(通过副本实现),每个 VM 具有不同的秘密(例如 VM1 的 secret1,VM2 的 secret2 等)这是一个基本的复制虚拟机模板示例:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"numberOfVMs": {
"type": "int",
"defaultValue": 1,
"minvalue": 1
},
"vmAdminUserName": {
"type": "string",
"minLength": 1
},
"vmAdminPassword": {
"type": "securestring"
}
},
"variables": {
"storageAccountName": "[concat('stor567', uniqueString(resourceGroup().id))]",
"storageAccountType": "Standard_LRS",
"vmWindowsOSVersion": "2016-Datacenter",
"vnetPrefix": "10.0.0.0/16",
"vnetSubnet1Name": "Subnet-1",
"vnetSubnet1Prefix": "10.0.0.0/24",
"nicVnetID": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]",
"nicSubnetRef": "[concat(variables('nicVnetID'), '/subnets/', variables('vnetSubnet1Name'))]",
"vmImagePublisher": "MicrosoftWindowsServer",
"vmImageOffer": "WindowsServer",
"vmVmSize": "Standard_DS1_v2",
"vmVnetID": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]",
"vmSubnetRef": "[concat(variables('vmVnetID'), '/subnets/', variables('vnetSubnet1Name'))]",
"vmStorageAccountContainerName": "vhds"
},
"resources": [
{
"name": "[variables('storageAccountName')]",
"type": "Microsoft.Storage/storageAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2015-06-15",
"dependsOn": [ ],
"properties": {
"accountType": "[variables('storageAccountType')]"
}
},
{
"name": "vnet",
"type": "Microsoft.Network/virtualNetworks",
"location": "[resourceGroup().location]",
"apiVersion": "2016-03-30",
"dependsOn": [ ],
"tags": {
"displayName": "vnet"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetPrefix')]"
]
},
"subnets": [
{
"name": "[variables('vnetSubnet1Name')]",
"properties": {
"addressPrefix": "[variables('vnetSubnet1Prefix')]"
}
}
]
}
},
{
"name": "[concat('NIC',copyindex())]",
"type": "Microsoft.Network/networkInterfaces",
"location": "[resourceGroup().location]",
"copy": {
"name": "nicLoop",
"count": "[parameters('numberOfVMs')]"
},
"apiVersion": "2016-03-30",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]"
],
"tags": {
"displayName": "nic"
},
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('nicSubnetRef')]"
}
}
}
]
}
},
{
"name": "[concat('VM',copyindex())]",
"type": "Microsoft.Compute/virtualMachines",
"location": "[resourceGroup().location]",
"copy": {
"name": "virtualMachineLoop",
"count": "[parameters('numberOfVMs')]"
},
"apiVersion": "2015-06-15",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
"nicLoop"
],
"tags": {
"displayName": "vm"
},
"properties": {
"hardwareProfile": {
"vmSize": "[variables('vmVmSize')]"
},
"osProfile": {
"computerName": "[concat('VM',copyindex())]",
"adminUsername": "[parameters('vmAdminUsername')]",
"adminPassword": "[parameters('vmAdminPassword')]"
},
"storageProfile": {
"imageReference": {
"publisher": "[variables('vmImagePublisher')]",
"offer": "[variables('vmImageOffer')]",
"sku": "[variables('vmWindowsOSVersion')]",
"version": "latest"
},
"osDisk": {
"name": "vmOSDisk",
"vhd": {
"uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob, variables('vmStorageAccountContainerName'), '/', 'VM',copyIndex(),'-','OSdisk.vhd')]"
},
"caching": "ReadWrite",
"createOption": "FromImage"
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', concat('NIC',copyindex()))]"
}
]
}
}
}],
"outputs": {}
}
但是,我正在努力将密码作为 Key Vault 的唯一机密集成到该模板中。如果我将官方文档 Reference a secret with static id VMs with secret1 for each VM will be created. And I can’t wrap Reference a secret with dynamic id 中的示例用于嵌套模板,因为这会针对我想要部署的每个虚拟机数量一次又一次地部署我复制的虚拟机。请帮助我理解,如何解决这个挑战?
链接:Parent and Nested。 我不确定这是否是你的意思(因为我仍然认为我很难理解你的问题)。
这些模板允许部署可变数量的虚拟机,并使用不同的密钥库密钥作为这些虚拟机的密码。示例:
2 Windows 个 VM 有一个秘密,3 个 Ubuntu VM 有另一个
1 Windows 个 VM 有一个秘密,4 个 Ubuntu VM 有另一个
您可以轻松地将其扩展到其他图像,例如 centos。
正如您在查看模板后可能看到的那样,我正在使用 arrays 和 copyindex() 在它们所属的位置提供适当的值。
如果这不是您想要的,请告诉我。使用这些时要小心,github 原始链接使用某种形式的缓存,因此从 github 部署可能不适合您并出现错误,在这种情况下,只需使用我提供的链接(非原始链接)复制到本地机器并上传到一些服务,如 pastebin,然后从那里部署。