ARM 模板依赖于 keyvault 访问策略
ARM template dependsOn on a keyvault access policy
我的问题如下:
我们有一个部署函数应用程序的 ARM 模板。在模板中,我们通过以下方式将函数应用程序的访问策略添加到我们的密钥库。
{
"name": "[concat(parameters('keyVaultName'), '/add')]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2019-09-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(variables('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
"permissions": {
"secrets": "[parameters('functionSecretsPermissions')]"
}
}
]
}
}
我想在模板的另一个资源中有一个 dependsOn 语句引用新创建的访问策略,但不太清楚如何构造它。我想我不能使用 resourceId 函数(就像我在访问策略资源中所做的那样),因为访问策略不是使用特定的资源名称创建的(我需要将其传递给 resourceId 函数)。
关于如何从模板中另一个资源的 dependsOn 部分引用我的访问策略有什么想法吗?
您有两个选择:
- 直接使用资源id:
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]"
]
- 按照@Stringfellow 的建议,您将访问策略资源放在嵌套模板中,其他资源将依赖于此资源:
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "key-vault-access-policy",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"functionAppResourceId": {
"value": "[variables('functionAppResourceId')]"
},
"functionSecretsPermissions": {
"value": "[parameters('functionSecretsPermissions')]"
},
"keyVaultName": {
"value": "[parameters('keyVaultName')]"
},
"tenantId": {
"value": "[parameters('tenantId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string"
},
"tenantId": {
"type": "string"
},
"functionAppResourceId": {
"type": "string"
},
"functionSecretsPermissions": {
"type": "array"
}
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2020-04-01-preview",
"name": "[format('{0}/add', parameters('keyVaultName'))]",
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(parameters('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
"permissions": {
"secrets": "[parameters('functionSecretsPermissions')]"
}
}
]
}
}
]
}
}
}
然后就可以使用Microsoft.Resources/deployments的资源id:
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'key-vault-access-policy')]"
]
我的问题如下:
我们有一个部署函数应用程序的 ARM 模板。在模板中,我们通过以下方式将函数应用程序的访问策略添加到我们的密钥库。
{
"name": "[concat(parameters('keyVaultName'), '/add')]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2019-09-01",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(variables('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
"permissions": {
"secrets": "[parameters('functionSecretsPermissions')]"
}
}
]
}
}
我想在模板的另一个资源中有一个 dependsOn 语句引用新创建的访问策略,但不太清楚如何构造它。我想我不能使用 resourceId 函数(就像我在访问策略资源中所做的那样),因为访问策略不是使用特定的资源名称创建的(我需要将其传递给 resourceId 函数)。
关于如何从模板中另一个资源的 dependsOn 部分引用我的访问策略有什么想法吗?
您有两个选择:
- 直接使用资源id:
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]"
]
- 按照@Stringfellow 的建议,您将访问策略资源放在嵌套模板中,其他资源将依赖于此资源:
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "key-vault-access-policy",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('skuAPIHostingPlan'))]",
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"functionAppResourceId": {
"value": "[variables('functionAppResourceId')]"
},
"functionSecretsPermissions": {
"value": "[parameters('functionSecretsPermissions')]"
},
"keyVaultName": {
"value": "[parameters('keyVaultName')]"
},
"tenantId": {
"value": "[parameters('tenantId')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string"
},
"tenantId": {
"type": "string"
},
"functionAppResourceId": {
"type": "string"
},
"functionSecretsPermissions": {
"type": "array"
}
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2020-04-01-preview",
"name": "[format('{0}/add', parameters('keyVaultName'))]",
"properties": {
"accessPolicies": [
{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(parameters('functionAppResourceId'), '2021-01-15', 'Full').identity.principalId]",
"permissions": {
"secrets": "[parameters('functionSecretsPermissions')]"
}
}
]
}
}
]
}
}
}
然后就可以使用Microsoft.Resources/deployments的资源id:
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'key-vault-access-policy')]"
]