How can I reference an existing certificate resource in bicep?
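I have an existing certificate in Key Vault and I want to reference it from my Bicep template.
resource prodCertificate 'Microsoft.Web/certificates@2020-12-01' existing = {
  name: 'my-custom-certificate-name/123809dsfj2jf09j32123123'
  scope: resourceGroup('certificateResourceGroup')
}
The current Bicep template will run in a different resource group, appServiceResourceGroup, and the Key Vault is in certificateResourceGroup.
The approach above does not work, because Bicep complains that the name should not contain a slash.
If I use only my-custom-certificate-name, I get an error message: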
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "ResourceNotFound",
      "message": "The Resource 'Microsoft.Web/certificates/my-custom-certificate-name' under resource group 'certificateResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
    }
  ]
}
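I tested the same scenario you are trying, that is, importing a certificate from a Key Vault in one resource group into an App Service in another resource group.
I used the code below to do that: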
param name string
param location string = resourceGroup().location
param keyvaultid string
param certificatesecretname string
@secure()
param pass string
param exisitingappplanresourceid string

resource prodCertificate 'Microsoft.Web/certificates@2021-02-01' = {
  name: name
  location: location
  properties: {
    keyVaultId: keyvaultid
    keyVaultSecretName: certificatesecretname
    password: pass
    serverFarmId: exisitingappplanresourceid
  }
}
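Output:
Existing certificate in Key Vault:
Deployment and parameters:
Azure portal App Service:
Note: please make sure the Microsoft.Web Resource Provider has access to the Key Vault. You can do this from the portal by going to Keyvault >> Access policies >> Add an access policy and entering abfa0a7c-a6b6-4736-8310-5855508787cd in the service principal search dialog, so that it adds the following resource provider to the access policy.
If you want to add the certificate from the Key Vault and then create an SSL binding, you can use something like the following: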
@description('Existing App Service Plan resource id that contains the App Service being updated')
param existingServerFarmId string

@description('User friendly certificate resource name')
param certificateName string

@description('Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)')
param existingKeyVaultId string

@description('Key Vault Secret that contains a PFX certificate')
param existingKeyVaultSecretName string

@description('Existing App name to use for creating SSL binding. This App should have the hostname assigned as a custom domain')
param existingWebAppName string

@description('Custom hostname for creating SSL binding. This hostname should already be assigned to the Web App')
param hostname string

@description('Location for all resources.')
param location string = resourceGroup().location

resource certificateName_resource 'Microsoft.Web/certificates@2019-08-01' = {
  name: certificateName
  location: location
  properties: {
    keyVaultId: existingKeyVaultId
    keyVaultSecretName: existingKeyVaultSecretName
    serverFarmId: existingServerFarmId
  }
}

resource existingWebAppName_resource 'Microsoft.Web/sites@2019-08-01' = {
  name: existingWebAppName
  location: location
  properties: {
    name: existingWebAppName
    hostNameSslStates: [
      {
        name: hostname
        sslState: 'SniEnabled'
        thumbprint: certificateName_resource.properties.thumbprint
        toUpdate: true
      }
    ]
  }
}
Reference:
Microsoft.Web/certificates - Bicep & ARM template reference | Microsoft Docs
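
An added example (not part of the original answer) of the access-policy step from the note above, written as Bicep instead of portal clicks: it grants the Microsoft.Web resource provider only `get` on secrets and certificates. `keyVaultName` and `webRpObjectId` are assumed parameter names; the object ID is that of the service principal in your tenant whose application ID is abfa0a7c-a6b6-4736-8310-5855508787cd, and the vault is assumed to use access policies rather than Azure RBAC.

```bicep
// Added example: least-privilege Key Vault access for the Microsoft.Web RP.
// Deploy this file to the resource group that contains the Key Vault.

@description('Name of the existing Key Vault that holds the PFX secret (assumed parameter)')
param keyVaultName string

@description('Object ID (not application ID) of the Microsoft.Web RP service principal in this tenant (assumed parameter)')
param webRpObjectId string

// Reference the vault without redeploying or modifying it.
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

// 'add' merges this entry into the vault's existing access policies
// instead of replacing the whole list.
resource webRpAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  parent: keyVault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: webRpObjectId
        permissions: {
          // Read-only: no list, set, delete or key permissions.
          secrets: [
            'get'
          ]
          certificates: [
            'get'
          ]
        }
      }
    ]
  }
}

// Expose the vault resource ID for use as keyVaultId in Microsoft.Web/certificates.
output keyVaultId string = keyVault.id
```

In the scenario from the question, this file would be deployed to certificateResourceGroup, for example as a module with `scope: resourceGroup('certificateResourceGroup')`, before the certificate resource is created in appServiceResourceGroup.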