Azure ARM deployment of a keyVault with multiple accessPolicies in a copy-block

I am trying to deploy an Azure KeyVault with multiple accessPolicies based on the objectIds in an array. I want to use a copy block, because more IDs may be added in the future and I do not want to duplicate the whole block in the template several times; instead I want to pass them in as a parameter list.

I cannot add a copy block for the accessPolicies inside the KeyVault/vaults resource, because that would require multiple keyVaults rather than multiple accessPolicies. That is why I put KeyVault/vaults/accessPolicies as a top-level resource with its own copy block, following this documentation.

However, now I have a problem naming the accessPolicies block: according to this documentation I need to name the accessPolicies block after the parent keyVault resource, extended with /add, but ARM also complains that I cannot have multiple resources with the same name.

I tried changing the name of the accessPolicies block to:

I have run out of ideas on how to combine a copy block with accessPolicies as a top-level resource. Is there a solution for this?

JSON:

"parameters": {
  "objectIdList": {
    "type": "array"
  }
},

"variables": {
  "keyVaultName": "[....]"
},

"resources": [
  {
    "type": "Microsoft.KeyVault/vaults",
    "name": "[variables('keyVaultName')]",
    "location": "[resourceGroup().location]",
    "apiVersion": "2019-09-01",
    "properties": {
      "sku": {
        "family": "A",
        "name": "standard"
      },
      "tenantId": "[subscription().tenantId]",
      "enableRbacAuthorization": false,
      "accessPolicies": [
      ],
      "publicNetworkAccess": "Enabled",
      "networkAcls": {
        "defaultAction": "Allow",
        "bypass": "AzureServices"
      }
    }
  },
  {
    "type": "Microsoft.KeyVault/vaults/accessPolicies",
    "apiVersion": "2019-09-01",
    "name": "[concat(variables('keyVaultName'), '/add')]",
    "properties": {
      "accessPolicies": [
        {
          "objectId": "[parameters('objectIdList')[copyIndex()]]",
          "permissions": {
            "certificates": [ "all" ],
            "keys": [ "all" ],
            "secrets": [ "all" ],
            "storage": [ "all" ]
          },
          "tenantId": "[subscription().tenantId]"
        }
      ]
    },
    "copy": {
      "name": "accessPolicies",
      "count": "[length(parameters('objectIdList'))]"
    },
    "dependsOn": [
      "[variables('keyVaultName')]"
    ]
  }
]

Found the solution literally 15 minutes later... there is another syntax for the copy block here.

I only need a single top-level accessPolicies resource named /add that contains multiple policies, and a copy block inside its properties, with accessPolicies as the name, that iterates over my array.

JSON solution:

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2019-09-01",
  "name": "[concat(variables('keyVaultName'), '/add')]",
  "properties": {
    "copy": [
      {
        "name": "accessPolicies",
        "count": "[length(parameters('objectIdList'))]",
        "input": {
          "objectId": "[parameters('objectIdList')[copyIndex('accessPolicies')]]",
          "permissions": {
            "certificates": [ "all", "purge" ],
            "keys": [ "all", "purge" ],
            "secrets": [ "all", "purge" ],
            "storage": [ "all" ]
          },
          "tenantId": "[subscription().tenantId]"
        }
      }
    ]
  },
  "dependsOn": [
    "[variables('keyVaultName')]"
  ]
}
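To see what the properties copy loop in the solution actually produces, here is an added Python example (not from the post and not Azure's own code) that unrolls properties.copy for a constructed objectIdList the way ARM does, and then flags every policy that grants "all" or "purge", which the solution's policies do for every principal; tightening those to the specific permissions each principal needs is the least-privilege follow-up. The tiny expression evaluator only understands the three expression forms used in this template.

```python
import re

# Constructed sample inputs, not from the page: two principal object IDs and a tenant ID.
PARAMETERS = {"objectIdList": ["00000000-0000-0000-0000-000000000001",
                               "00000000-0000-0000-0000-000000000002"]}
TENANT_ID = "11111111-1111-1111-1111-111111111111"  # stands in for subscription().tenantId
# The accessPolicies resource from the solution, reduced to the parts the expansion touches.
RESOURCE = {
    "type": "Microsoft.KeyVault/vaults/accessPolicies",
    "properties": {
        "copy": [{
            "name": "accessPolicies",
            "count": "[length(parameters('objectIdList'))]",
            "input": {
                "objectId": "[parameters('objectIdList')[copyIndex('accessPolicies')]]",
                "permissions": {"certificates": ["all", "purge"], "keys": ["all", "purge"],
                                "secrets": ["all", "purge"], "storage": ["all"]},
                "tenantId": "[subscription().tenantId]",
            },
        }],
    },
}
_INDEXED = re.compile(r"^\[parameters\('(\w+)'\)\[copyIndex\('(\w+)'\)\]\]$")
_LENGTH = re.compile(r"^\[length\(parameters\('(\w+)'\)\)\]$")

def _evaluate(value, loop_name, index):
    """Resolve the small subset of ARM expressions this template uses, recursively."""
    if isinstance(value, dict):
        return {k: _evaluate(v, loop_name, index) for k, v in value.items()}
    if isinstance(value, list):
        return [_evaluate(v, loop_name, index) for v in value]
    if value == "[subscription().tenantId]":
        return TENANT_ID
    m = _INDEXED.match(value) if isinstance(value, str) else None
    if m and m.group(2) != loop_name:  # copyIndex must name the loop it sits in
        raise ValueError(f"copyIndex('{m.group(2)}') used inside loop '{loop_name}'")
    return PARAMETERS[m.group(1)][index] if m else value

def expand_property_copy(resource):
    """Return the properties as ARM sees them once each properties.copy loop is unrolled."""
    props = {k: v for k, v in resource["properties"].items() if k != "copy"}
    for loop in resource["properties"].get("copy", []):
        count = len(PARAMETERS[_LENGTH.match(loop["count"]).group(1)])
        props[loop["name"]] = [_evaluate(loop["input"], loop["name"], i) for i in range(count)]
    return props

def overly_broad(policies):
    """Least-privilege check: objectIds granted 'all' or 'purge' on any object type."""
    return [p["objectId"] for p in policies
            if any({"all", "purge"} & set(v) for v in p["permissions"].values())]
```

Calling expand_property_copy(RESOURCE) yields one accessPolicies entry per objectId with copyIndex('accessPolicies') replaced by the position in the array, and overly_broad on that list names every principal that received the blanket permissions.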