Provision Access Policy with DependsOn

I am trying to do the following:

Initially I created the access policy inside the Key Vault, but I have to declare the AZ Function as dependent on the Key Vault (so I can get its URI). Obviously, I then can't make the Key Vault depend on the AZ Function (since that would create a circular dependency). So I tried creating the AccessPolicy as a separate step and marked it as dependent on both the KeyVault and the AZ Function (thinking it would be provisioned last).

But for some reason, when I look at the deployment log, it always seems to get deployed first! Any help would be greatly appreciated.

ARM template, truncated for brevity:


  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[variables('keyVaultName')]",
      "location": "[ResourceGroup().location]",
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('userId')]",
            "permissions": {
              "keys": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "secrets": [
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "certificates": [
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore",
                "ManageContacts",
                "ManageIssuers",
                "GetIssuers",
                "ListIssuers",
                "SetIssuers",
                "DeleteIssuers"
              ]
            }
          }
        ],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(variables('keyVaultName'),'/add')]",
      "apiVersion": "2018-02-14",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionName'))]",
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
      ],
      //tried both the above and the below
      "dependsOn": [
        "[variables('keyVaultName')]",
        "[variables('functionName')]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]",
            "permissions": {
              "keys": [
              ],
              "secrets": [
                "Get",
                "Set",
                "Delete"
              ],
              "certificates": [
              ]
            }
          }
        ]
      }
    },
.
.
.
.
.
.
.
.
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "[variables('functionName')]",
      "location": "[ResourceGroup().location]",
      "dependsOn": [
        "[variables('planName')]",
        "[variables('appInsightsName')]",
        "[variables('storageAccName')]",
        "[variables('keyVaultName')]",
        "[variables('databaseName')]"
      ],
      "kind": "functionapp",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "serverFarmId": "[variables('planName')]",
        "enabled": true,
        "reserved": false
      },
      "resources": [
        {
          "apiVersion": "2015-08-01",
          "name": "connectionstrings",
          "type": "config",
          "dependsOn": [
            "[variables('functionName')]",
            "[variables('databaseName')]"
          ],
          "properties": {
          }
        },
        {
          "apiVersion": "2015-08-01",
          "name": "appsettings",
          "type": "config",
          "dependsOn": [
            "[variables('functionName')]",
            "[variables('appInsightsName')]",
            "[variables('storageAccName')]",
            "[variables('keyVaultName')]"
          ],
          "properties": "[union(variables('completeAppSettings'),json(concat('{ AzureWebJobsStorage:\"', concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccName')), '2019-04-01').keys[0].value), '\", WEBSITE_CONTENTAZUREFILECONNECTIONSTRING:\"',\tconcat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccName')), '2019-04-01').keys[0].value), '\", WEBSITE_CONTENTSHARE:\"', variables('functionName'), '\", APPINSIGHTS_INSTRUMENTATIONKEY:\"', reference(concat('microsoft.insights/components/', variables('appInsightsName'))).InstrumentationKey, '\", KeyVaultUri:\"', reference(concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))).vaultUri, '\"}')))]"
        },
        {
          "type": "slots",
          "apiVersion": "2016-08-01",
          "name": "[variables('functionStagingName')]",
          "location": "[ResourceGroup().location]",
          "dependsOn": [
            "[variables('functionName')]",
            "[variables('keyVaultName')]"
          ],
          "kind": "functionapp",
          "properties": {
            "enabled": false,
            "serverFarmId": "[variables('planName')]"
          }
        }
      ]
    }
  ]

P.S. I know the way I create the app settings is a work of art (sarcasm). Please don't judge me, just know that it works.

P.P.S. Full ARM template: https://pastebin.com/mma4PyRu
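The ordering question above is really a question about the dependsOn graph ARM builds from the template. The following script, added here as an example and not part of the question or either answer, resolves that graph the way one would check it before a deployment: it maps every dependsOn entry (both the resourceId(...) form and the bare-name form used in the question) to a resource, computes a deployment order with a topological sort, reports a circular dependency instead of silently dropping it, and lists the secret permissions granted by every access policy so the grants can be reviewed in one place. The embedded template is a constructed, cut-down version of the question's (literal names instead of variables(), and a placeholder string for the function app's principalId); variables() expressions are not expanded, which is an assumption of this example, not an ARM rule.

```python
"""Resolve an ARM template's dependsOn graph and audit its Key Vault access policies.

Added example (not the question's or the answers' code). The template below is a
constructed, minimal version of the one in the question: a vault, a
vaults/accessPolicies child that depends on both the vault and the function app,
and the function app with a system-assigned identity.
"""
import json
import re
from collections import deque

# Matches the resourceId('<type>', '<name>') form of a dependsOn entry.
RESOURCE_ID_RE = re.compile(r"resourceId\('([^']+)'\s*,\s*'([^']+)'\)")

# Constructed sample; literal names replace the question's variables() calls.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-demo",
         "properties": {"accessPolicies": [
             {"objectId": "<user-object-id>",  # placeholder for parameters('userId')
              "permissions": {"keys": ["Get", "List", "Create"],
                              "secrets": ["Get", "List", "Set"],
                              "certificates": []}}]}},
        {"type": "Microsoft.KeyVault/vaults/accessPolicies", "name": "kv-demo/add",
         "dependsOn": ["[resourceId('Microsoft.Web/sites', 'func-demo')]",
                       "[resourceId('Microsoft.KeyVault/vaults', 'kv-demo')]"],
         "properties": {"accessPolicies": [
             {"objectId": "<function-app-principalId>",  # placeholder for reference(...).principalId
              "permissions": {"keys": [], "secrets": ["Get", "Set", "Delete"],
                              "certificates": []}}]}},
        {"type": "Microsoft.Web/sites", "name": "func-demo",
         "dependsOn": ["kv-demo"],  # bare-name form, as in the question
         "identity": {"type": "SystemAssigned"}},
    ]
}

# Constructed variant with the cycle the question describes (vault also depends on the function).
CYCLIC_TEMPLATE = json.loads(json.dumps(SAMPLE_TEMPLATE))
CYCLIC_TEMPLATE["resources"][0]["dependsOn"] = ["[resourceId('Microsoft.Web/sites', 'func-demo')]"]


def load_template(path):
    """Read a template from disk; the sample above is used when no file is at hand."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def _key(resource):
    return f"{resource['type']}/{resource['name']}"


def _resolve_dependency(dep, resources):
    """Map one dependsOn string to the key of the resource it names."""
    match = RESOURCE_ID_RE.search(dep)
    if match:
        wanted = "/".join(match.groups())
        if wanted not in resources:
            raise ValueError(f"dependsOn points at a resource not in the template: {wanted}")
        return wanted
    name = dep.strip("[]")  # bare name: must be unique in the template
    matches = [k for k, r in resources.items() if r["name"] == name]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown dependsOn entry {dep!r}: {matches}")
    return matches[0]


def deploy_order(template):
    """Return resource keys in an order satisfying every dependsOn (Kahn's algorithm).

    Raises ValueError on a circular dependency instead of returning a partial order.
    """
    resources = {_key(r): r for r in template["resources"]}
    dependents = {k: set() for k in resources}  # dependency -> resources waiting on it
    indegree = {k: 0 for k in resources}
    for key, resource in resources.items():
        for dep in resource.get("dependsOn", []):
            target = _resolve_dependency(dep, resources)
            if key not in dependents[target]:
                dependents[target].add(key)
                indegree[key] += 1
    ready = deque(sorted(k for k, n in indegree.items() if n == 0))
    order = []
    while ready:
        key = ready.popleft()
        order.append(key)
        for waiting in sorted(dependents[key]):
            indegree[waiting] -= 1
            if indegree[waiting] == 0:
                ready.append(waiting)
    if len(order) != len(resources):
        stuck = sorted(k for k, n in indegree.items() if n > 0)
        raise ValueError(f"circular dependsOn among: {stuck}")
    return order


def has_cycle(template):
    """True when the template's dependsOn graph cannot be ordered."""
    try:
        deploy_order(template)
    except ValueError:
        return True
    return False


def secret_permissions(template):
    """(resource key, objectId, secret permissions) for every access policy, covering both
    the vault's inline accessPolicies and any vaults/accessPolicies child resources."""
    grants = []
    for resource in template["resources"]:
        if not resource["type"].startswith("Microsoft.KeyVault/vaults"):
            continue
        for policy in resource.get("properties", {}).get("accessPolicies", []):
            secrets = tuple(policy["permissions"].get("secrets", []))
            grants.append((_key(resource), policy["objectId"], secrets))
    return grants


if __name__ == "__main__":
    for position, key in enumerate(deploy_order(SAMPLE_TEMPLATE), 1):
        print(position, key)
    for resource_key, object_id, secrets in secret_permissions(SAMPLE_TEMPLATE):
        print(f"{resource_key}: {object_id} -> secrets {list(secrets)}")
    print("cyclic variant rejected:", has_cycle(CYCLIC_TEMPLATE))
```

On the sample the order comes out as vault, function app, then the accessPolicies child, which is the order the question expects from its dependsOn entries; the cyclic variant is rejected outright, which is the error ARM reports when the vault is also made to depend on the function. The permissions listing is the part worth keeping in a pre-deployment check: the function identity ends up with only Get, Set and Delete on secrets, and any later edit that widens that set shows up in the output.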

Your template is absolutely fine, so if this doesn't work it looks like a bug. That said, you can always work around it by moving the accessPolicy assignment into a nested template:

{
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2018-05-01",
    "name": "linkedTemplate",
    "dependsOn": [
        "[variables('keyVaultName')]",
        "[variables('functionName')]"
    ],
    "properties": {
        "mode": "Incremental",
        "templateLink": {
            "uri": "https://mystorageaccount.blob.core.windows.net/AzureTemplates/newStorageAccount.json",
            "contentVersion": "1.0.0.0"
        },
        "parameters": {
            "managedIdentityId": {"value": "[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]"}
        }
    }
}

You would need to upload the template somewhere (it should contain only your accessPolicy assignment).

Reading: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-linked-templates#external-template

Try removing the apiVersion from the reference() function; that should delay the call until after the resource is provisioned. For example:

[reference(concat(resourceId('Microsoft.Web/sites', variables('functionName')), '/providers/Microsoft.ManagedIdentity/Identities/default')).principalId]