Unable to pass secure values between linked ARM templates
I'm trying to output a secret created in one linked template and reference it as a parameter in another.
Test scenario:
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "templateBaseUrl": {
            "type": "string"
        }
    },
    "variables": {
        "deployment1url": "[concat(parameters('templateBaseUrl'), '/deployment1.json')]",
        "deployment2url": "[concat(parameters('templateBaseUrl'), '/deployment2.json')]"
    },
    "resources": [
        {
            "apiVersion": "2017-08-01",
            "name": "deployment1",
            "dependsOn": [],
            "type": "Microsoft.Resources/deployments",
            "properties": {
                "mode": "Incremental",
                "templateLink": {
                    "uri": "[variables('deployment1url')]",
                    "contentVersion": "1.0.0.0"
                },
                "parameters": {}
            }
        },
        {
            "apiVersion": "2017-08-01",
            "name": "deployment2",
            "dependsOn": [],
            "type": "Microsoft.Resources/deployments",
            "properties": {
                "mode": "Incremental",
                "templateLink": {
                    "uri": "[variables('deployment2url')]",
                    "contentVersion": "1.0.0.0"
                },
                "parameters": {
                    "testInput2": {
                        "value": "[reference('deployment1').outputs.testOutput1.value]"
                    }
                }
            }
        }
    ],
    "outputs": {}
}
Deployment 1:
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
    },
    "resources": [],
    "outputs": {
        "testOutput1": {
            "type": "securestring",
            "value": "thisisapassword"
        }
    }
}
Deployment 2:
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "testInput2": {
            "type": "securestring"
        }
    },
    "resources": [],
    "outputs": {}
}
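Running this scenario throws the error
"Unable to process template language expressions for resource
'/subscriptions//resourceGroups/testrg1/providers/Microsoft.Resources/deployments/deployment2' at line 34 and column 9.
'The language expression property 'value' doesn't exist, available properties are 'type'.'"
So ".value" on a secure string output does not work. If I change the reference parameter to
"testInput2": {
    "value": "[reference('deployment1').outputs.testOutput1]"
}
the error changes to "Deployment template validation failed: 'The provided value for the template parameter 'testInput2' at line '5' and column '23' is not valid.'."
Is it possible to achieve what I'm trying to do?
Thanks in advance
I think the only way to pass secureStrings across deployments is to use a KeyVault reference. secureString outputs aren't very useful, because securestrings are masked by ARM at the deployment level.
Does that help?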
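The Key Vault reference suggested in the answer above, applied to the question's parent template as an added example (not code from the original question or answer): deployment2 receives testInput2 through a Key Vault reference instead of reading a securestring output from deployment1. It assumes a vault in the same resource group with enabledForTemplateDeployment set to true, and that deployment1.json is changed to write the secret into that vault; the parameters vaultName and secretName are hypothetical names introduced here.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "templateBaseUrl": { "type": "string" },
    "vaultName": { "type": "string" },
    "secretName": { "type": "string" }
  },
  "variables": {
    "deployment1url": "[concat(parameters('templateBaseUrl'), '/deployment1.json')]",
    "deployment2url": "[concat(parameters('templateBaseUrl'), '/deployment2.json')]"
  },
  "resources": [
    {
      "apiVersion": "2017-08-01",
      "name": "deployment1",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('deployment1url')]", "contentVersion": "1.0.0.0" },
        "parameters": {
          "vaultName": { "value": "[parameters('vaultName')]" },
          "secretName": { "value": "[parameters('secretName')]" }
        }
      }
    },
    {
      "apiVersion": "2017-08-01",
      "name": "deployment2",
      "dependsOn": [ "deployment1" ],
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('deployment2url')]", "contentVersion": "1.0.0.0" },
        "parameters": {
          "testInput2": {
            "reference": {
              "keyVault": { "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]" },
              "secretName": "[parameters('secretName')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {}
}
```

With this layout the secret value never appears in a template output or in the deployment history; deployment2.json keeps its securestring parameter unchanged, and the identity running the deployment needs permission to read the vault for template deployment.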