Creating Azure KeyVault secret as a child resource in nested template
I am trying to create a resource group, a key vault and a key vault secret with a single template JSON at subscription-level scope. I am able to create the resource group and the key vault without any problem. However, adding the key vault secret template as a child resource of the key vault template, with a 'dependsOn' section, generates an error like "Key vault secret does not depend on the parent resource. Please explicitly add the dependency using the 'dependsOn' syntax". This is the template:
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {... parameters for key vault and key vault secret resources ...},
  "variables": {
    "rgName": "[concat('rg-', substring(uniqueString(subscription().id), 0, 4))]",
    "keyvaultName": "[concat('keyvault-', substring(uniqueString(subscription().id), 0, 4))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "location": "[parameters('location')]",
      "name": "[variables('rgName')]"
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "keyvaultDeployment",
      "resourceGroup": "[variables('rgName')]",
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2021-10-01",
              "name": "[variables('keyvaultName')]",
              "location": "[parameters('location')]",
              "properties": {... key vault properties ...},
              "resources": [
                {
                  "type": "Microsoft.KeyVault/vaults/secrets",
                  "apiVersion": "2021-10-01",
                  "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
                  "dependsOn": [
                    "[subscriptionResourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
                  ],
                  "properties": {... key vault secret properties ...}
                }
              ]
            }
          ]
        }
      }
    }
  ]
}
I also tried moving the key vault secret template out of the key vault section:
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {... parameters for key vault and key vault secret resources ...},
  "variables": {
    "rgName": "[concat('rg-', substring(uniqueString(subscription().id), 0, 4))]",
    "keyvaultName": "[concat('keyvault-', substring(uniqueString(subscription().id), 0, 4))]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "location": "[parameters('location')]",
      "name": "[variables('rgName')]"
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "keyvaultDeployment",
      "resourceGroup": "[variables('rgName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2021-10-01",
              "name": "[variables('keyvaultName')]",
              "location": "[parameters('location')]",
              "properties": {... key vault properties ...}
            },
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "apiVersion": "2021-10-01",
              "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
              "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
              ],
              "properties": {... key vault secret properties ...}
            }
          ]
        }
      }
    }
  ]
}
But it generates the error "Key Vault resource is not defined in the template." Is there any way to use child resources in a subscription-scope template?
I see. Since I mostly deal with resource group deployments, I use the resourceId() function to pass the value of the 'dependsOn' template parameter. However, the subscription deployment scenario with a child resource defined in the template does not work properly with the resourceId() function. It turns out that you have to use the concat() or format() function (or plain text) to pass the value of the 'dependsOn' parameter for the child resource.
This is the working code:
{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2021-04-01",
  "name": "keyvaultDeployment",
  "resourceGroup": "[variables('rgName')]",
  "dependsOn": [
    "[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
  ],
  "properties": {
    "mode": "Incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.KeyVault/vaults",
          "apiVersion": "2021-10-01",
          "name": "[variables('keyvaultName')]",
          "location": "[parameters('location')]",
          "properties": {... key vault properties ...},
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "apiVersion": "2021-10-01",
              "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
              "dependsOn": [
                "[concat('Microsoft.KeyVault/vaults/', variables('keyvaultName'))]"
              ],
              "properties": {... key vault secret properties ...}
            }
          ]
        }
      ]
    }
  }
}
This may be quite obvious to more experienced users, but I use multiple templates and multiple deployment tasks in my pipeline, so I had to use the resourceId() function. Probably the conclusion above holds for any child resource at any scope (subscription or resource group).
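As an added example (not code from the question or the answer), a small Python pre-deployment check that walks a template, recursing into nested deployments, and flags child resources whose dependsOn is missing or uses resourceId()/subscriptionResourceId() instead of the concat() path the answer arrived at. The template-building helper and the constant names are constructed for illustration; the sample template keeps only the fields the check inspects.

```python
# Constructed sample: the child secret's dependsOn written the way the question's
# first template had it (rejected) and the way the answer's working template has it.
FAILING_DEPENDS_ON = "[subscriptionResourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
WORKING_DEPENDS_ON = "[concat('Microsoft.KeyVault/vaults/', variables('keyvaultName'))]"

def build_subscription_template(child_depends_on):
    """Subscription-scope template wrapping the nested RG-scope deployment (trimmed)."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "resources": [{
            "type": "Microsoft.Resources/deployments",
            "name": "keyvaultDeployment",
            "properties": {"mode": "Incremental", "template": {
                "resources": [{
                    "type": "Microsoft.KeyVault/vaults",
                    "name": "[variables('keyvaultName')]",
                    "resources": [{
                        "type": "Microsoft.KeyVault/vaults/secrets",
                        "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
                        "dependsOn": [child_depends_on],
                    }],
                }],
            }},
        }],
    }

# Expressions that the post found do not resolve for a nested child resource's dependsOn.
ID_FUNCTIONS = ("[resourceId(", "[subscriptionResourceId(")

def lint_child_depends_on(template):
    """Report child resources (listed inside a parent's 'resources') whose dependsOn
    is absent or uses resourceId()/subscriptionResourceId() instead of a concat()/plain path."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") == "Microsoft.Resources/deployments":  # descend into the nested template
            findings += lint_child_depends_on(res.get("properties", {}).get("template", {}))
        for child in res.get("resources", []):
            ctype = child.get("type", "")
            if not ctype.startswith(res.get("type", "") + "/"):
                findings.append(f"{ctype}: type is not a child of {res.get('type')}")
            deps = child.get("dependsOn", [])
            if not deps:
                findings.append(f"{ctype}: no dependsOn on the parent resource")
            for dep in deps:
                if dep.startswith(ID_FUNCTIONS):
                    func = dep[1:dep.index("(")]
                    findings.append(f"{ctype}: dependsOn uses {func}(); use concat() or a plain type/name path")
    return findings
```

Run it over every template in the pipeline before the deployment task so the rejected form is caught in validation rather than at deploy time.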