如何将 CosmosDb SQL 帐户作为 bicep 模块参数传递?
How to pass CosmosDb SQL Account as bicep module parameter?
我如何创建一个 cosmos 数据库帐户并将其作为参数传递给二头肌模块?我想通过将角色定义和角色分配移动到单独的模块来增强 this sample bicep script。
这是我尝试创建一个模块(编译并创建一个没有错误的 CosmosDBAccount):
//@description ('cosmosDbAccount')
//param cosmosDbAccount object
@description ('cosmosDbAccountId')
param cosmosDbAccountId string
@description ('cosmosDbAccountName')
param cosmosDbAccountName string
@description('iteration')
param it int
@description('Principal ID of the managed identity')
param principalId string
var roleDefId = guid('sql-role-definition-', principalId, cosmosDbAccountId)
var roleDefName = 'Custom Read/Write role-${it}'
var roleAssignId = guid(roleDefId, principalId, cosmosDbAccountId)
resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
name: '${cosmosDbAccountName}/${roleDefId}'
properties: {
roleName: roleDefName
type: 'CustomRole'
assignableScopes: [
cosmosDbAccountId
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/readMetadata'
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
}
]
}
}
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-06-15' = {
name: '${cosmosDbAccountName}/${roleAssignId}'
properties: {
roleDefinitionId: roleDefinition.id
principalId: principalId
scope: cosmosDbAccountId
}
}
这是我调用模块的尝试:
@batchSize(1)
module cosmosRole 'cosmosRole.bicep' = [for (princId, jj) in principals: {
name: 'cosmos-role-definition-and-assignment-${jj}'
params: {
// cosmosDbAccount: cosmosDbAccount
cosmosDbAccountId: cosmosDbAccount.id
cosmosDbAccountName: cosmosDbAccount.name
principalId: princId
it: jj
}
}]
如您所见,原始代码使用 cosmosDbAccount.id,我已将其替换为名为 cosmosDbAccountId 的字符串。当我尝试取消注释上述代码并传递 cosmosDbObject 并使用原始语法(“cosmosDbAccount.id”和“cosmosDbAccount.name”)时,我收到此错误
ERROR: ..."Deployment template validation failed: 'The template variable 'roleDefId' is not valid: The language expression property 'id' doesn't exist, available properties are 'apiVersion, location, tags, identity, kind, properties, condition, deploymentResourceLineInfo, existing, isConditionTrue, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, isTemplateResource, isAction, provisioningOperation'..
问题:
我更喜欢新模块中的原始语法(更少的参数)。我该怎么做?
如何确认脚本创建了 roleAssignment 和 roleDefinition?我在 the azure portal 中找不到这些。当我使用二头肌输出语句时,它们会出现,但我希望使用门户网页查看它们。
这里没有什么东西。
传递资源类型参数是一项实验性功能,您必须启用它(有关详细信息,请参阅 Proposal - simplifying resource referencing)
在部署二头肌文件之前,您需要设置此环境变量:
# powershell example
$env:BICEP_RESOURCE_TYPED_PARAMS_AND_OUTPUTS_EXPERIMENTAL="true"
它仍然会在 visual studio 代码中显示错误,但部署成功。
这里是修改后的模块,参数类型为resource:
param cosmosDbAccount resource 'Microsoft.DocumentDB/databaseAccounts@2021-11-15-preview'
param it int
param principalId string
var roleDefId = guid('sql-role-definition-', principalId, cosmosDbAccount.id)
var roleDefName = 'Custom Read/Write role-${it}'
var roleAssignId = guid(roleDefId, principalId, cosmosDbAccount.id)
resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleDefId}'
properties: {
roleName: roleDefName
type: 'CustomRole'
assignableScopes: [
cosmosDbAccount.id
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/readMetadata'
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
}
]
}
}
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleAssignId}'
properties: {
roleDefinitionId: roleDefinition.id
principalId: principalId
scope: cosmosDbAccount.id
}
}
在主二头肌文件中,我们可以将 cosmosDbAccount 作为参数传递:
@batchSize(1)
module cosmosRole 'cosmosRole.bicep' = [for (princId, jj) in principals: if (!empty(principals)) {
name: 'cosmos-role-definition-and-assignment-${jj}'
params: {
cosmosDbAccount: cosmosDbAccount
principalId: princId
it: jj
}
}]
此解决方案仍处于实验阶段,虽然 运行 az deployment group create,但您会看到这个大警告:
警告:Resource-typed ARM 中的参数和输出是实验性的,应仅出于测试目的启用。不要为任何生产使用启用此设置,否则您可能随时会意外损坏!
如果您不想传递两个参数,您可以在模块中声明一个现有资源并只传递 cosmosDbAccountName 参数:
param cosmosDbAccountName string
param it int
param principalId string
var roleDefId = guid('sql-role-definition-', principalId, cosmosDbAccount.id)
var roleDefName = 'Custom Read/Write role-${it}'
var roleAssignId = guid(roleDefId, principalId, cosmosDbAccount.id)
resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-11-15-preview' existing = {
name: cosmosDbAccountName
}
resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleDefId}'
properties: {
roleName: roleDefName
type: 'CustomRole'
assignableScopes: [
cosmosDbAccount.id
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/readMetadata'
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
}
]
}
}
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleAssignId}'
properties: {
roleDefinitionId: roleDefinition.id
principalId: principalId
scope: cosmosDbAccount.id
}
}
您的主文件将如下所示:
@batchSize(1)
module cosmosRole 'cosmos-module.bicep' = [for (princId, jj) in principals: if (!empty(principals)) {
name: 'cosmos-role-definition-and-assignment-${jj}'
params: {
cosmosDbAccountName: cosmosDbAccount.name
principalId: princId
it: jj
}
}]
关于你的第二个问题,如果你导航到你的 cosmos db 帐户然后单击 export template 按钮,你应该能够看到创建的角色和相关分配(我知道这不理想。 ..):
我如何创建一个 cosmos 数据库帐户并将其作为参数传递给二头肌模块?我想通过将角色定义和角色分配移动到单独的模块来增强 this sample bicep script。
这是我尝试创建一个模块(编译并创建一个没有错误的 CosmosDBAccount):
//@description ('cosmosDbAccount')
//param cosmosDbAccount object
@description ('cosmosDbAccountId')
param cosmosDbAccountId string
@description ('cosmosDbAccountName')
param cosmosDbAccountName string
@description('iteration')
param it int
@description('Principal ID of the managed identity')
param principalId string
var roleDefId = guid('sql-role-definition-', principalId, cosmosDbAccountId)
var roleDefName = 'Custom Read/Write role-${it}'
var roleAssignId = guid(roleDefId, principalId, cosmosDbAccountId)
resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
name: '${cosmosDbAccountName}/${roleDefId}'
properties: {
roleName: roleDefName
type: 'CustomRole'
assignableScopes: [
cosmosDbAccountId
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/readMetadata'
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
}
]
}
}
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-06-15' = {
name: '${cosmosDbAccountName}/${roleAssignId}'
properties: {
roleDefinitionId: roleDefinition.id
principalId: principalId
scope: cosmosDbAccountId
}
}
这是我调用模块的尝试:
@batchSize(1)
module cosmosRole 'cosmosRole.bicep' = [for (princId, jj) in principals: {
name: 'cosmos-role-definition-and-assignment-${jj}'
params: {
// cosmosDbAccount: cosmosDbAccount
cosmosDbAccountId: cosmosDbAccount.id
cosmosDbAccountName: cosmosDbAccount.name
principalId: princId
it: jj
}
}]
如您所见,原始代码使用 cosmosDbAccount.id,我已将其替换为名为 cosmosDbAccountId 的字符串。当我尝试取消注释上述代码并传递 cosmosDbObject 并使用原始语法(“cosmosDbAccount.id”和“cosmosDbAccount.name”)时,我收到此错误
ERROR: ..."Deployment template validation failed: 'The template variable 'roleDefId' is not valid: The language expression property 'id' doesn't exist, available properties are 'apiVersion, location, tags, identity, kind, properties, condition, deploymentResourceLineInfo, existing, isConditionTrue, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, isTemplateResource, isAction, provisioningOperation'..
问题:
我更喜欢新模块中的原始语法(更少的参数)。我该怎么做?
如何确认脚本创建了 roleAssignment 和 roleDefinition?我在 the azure portal 中找不到这些。当我使用二头肌输出语句时,它们会出现,但我希望使用门户网页查看它们。
这里没有什么东西。 传递资源类型参数是一项实验性功能,您必须启用它(有关详细信息,请参阅 Proposal - simplifying resource referencing)
在部署二头肌文件之前,您需要设置此环境变量:
# powershell example
$env:BICEP_RESOURCE_TYPED_PARAMS_AND_OUTPUTS_EXPERIMENTAL="true"
它仍然会在 visual studio 代码中显示错误,但部署成功。
这里是修改后的模块,参数类型为resource:
param cosmosDbAccount resource 'Microsoft.DocumentDB/databaseAccounts@2021-11-15-preview'
param it int
param principalId string
var roleDefId = guid('sql-role-definition-', principalId, cosmosDbAccount.id)
var roleDefName = 'Custom Read/Write role-${it}'
var roleAssignId = guid(roleDefId, principalId, cosmosDbAccount.id)
resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleDefId}'
properties: {
roleName: roleDefName
type: 'CustomRole'
assignableScopes: [
cosmosDbAccount.id
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/readMetadata'
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
}
]
}
}
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleAssignId}'
properties: {
roleDefinitionId: roleDefinition.id
principalId: principalId
scope: cosmosDbAccount.id
}
}
在主二头肌文件中,我们可以将 cosmosDbAccount 作为参数传递:
@batchSize(1)
module cosmosRole 'cosmosRole.bicep' = [for (princId, jj) in principals: if (!empty(principals)) {
name: 'cosmos-role-definition-and-assignment-${jj}'
params: {
cosmosDbAccount: cosmosDbAccount
principalId: princId
it: jj
}
}]
此解决方案仍处于实验阶段,虽然 运行 az deployment group create,但您会看到这个大警告:
警告:Resource-typed ARM 中的参数和输出是实验性的,应仅出于测试目的启用。不要为任何生产使用启用此设置,否则您可能随时会意外损坏!
如果您不想传递两个参数,您可以在模块中声明一个现有资源并只传递 cosmosDbAccountName 参数:
param cosmosDbAccountName string
param it int
param principalId string
var roleDefId = guid('sql-role-definition-', principalId, cosmosDbAccount.id)
var roleDefName = 'Custom Read/Write role-${it}'
var roleAssignId = guid(roleDefId, principalId, cosmosDbAccount.id)
resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-11-15-preview' existing = {
name: cosmosDbAccountName
}
resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleDefId}'
properties: {
roleName: roleDefName
type: 'CustomRole'
assignableScopes: [
cosmosDbAccount.id
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/readMetadata'
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
}
]
}
}
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-06-15' = {
name: '${cosmosDbAccount.name}/${roleAssignId}'
properties: {
roleDefinitionId: roleDefinition.id
principalId: principalId
scope: cosmosDbAccount.id
}
}
您的主文件将如下所示:
@batchSize(1)
module cosmosRole 'cosmos-module.bicep' = [for (princId, jj) in principals: if (!empty(principals)) {
name: 'cosmos-role-definition-and-assignment-${jj}'
params: {
cosmosDbAccountName: cosmosDbAccount.name
principalId: princId
it: jj
}
}]
关于你的第二个问题,如果你导航到你的 cosmos db 帐户然后单击 export template 按钮,你应该能够看到创建的角色和相关分配(我知道这不理想。 ..):