Azure bicep use key vault from different resource group
I've an Azure Key Vault (KV) that has shared secrets and a cert that needs to be pulled into different deployments.
E.g. DEV, TEST, UAT, Production all have their own key vaults BUT need access to the shared KV for a wildcard SSL cert.
I've tried a number of approaches but each has errors. I'm doing something similar for KV within the deployment resource group without issues.
Is it possible to have this and then use it as a module? Something like this...
sharedKV.bicep
    var kvResourceGroup = 'project-shared-rg'
    var subscriptionId = subscription().id
    var name = 'project-shared-kv'
    resource project_shared_kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
      name: name
      scope: resourceGroup(subscriptionId, kvResourceGroup)
    }
And then used like this: template.bicep
    module shared_kv './sharedKeyVault/template.bicep' = {
      name: 'sharedKeyVault'
    }
    resource add_secrect 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
      name: '${shared_kv.name}/mySecretKey'
      properties: {
        contentType: 'string'
        value: 'secretValue'
        attributes: {
          enabled: true
        }
      }
    }
If you need to target a different resourceGroup (and/or sub) than the rest of the deployment, the module's scope property needs to target that RG/sub, e.g.
    module shared_kv './sharedKeyVault/template.bicep' = {
      scope: resourceGroup(kvSubscription, kvResourceGroupName)
      name: 'sharedKeyVault'
      params: {
        subId: kvSubscription
        rg: kvResourceGroupName
        ...
      }
    }
Ideally, the sub/rg for the KV would be passed in to the module rather than hardcoded (which you probably knew, but just in case...)
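
The pattern from the answer carried through for both files, as an added example that is not part of the original posts: the caller sets the module's scope to the shared vault's resource group, and the module creates the secret as a child of the existing vault. The file name secret.bicep, the parameter names, and the @secure() secretValue parameter (used in place of the hardcoded value) are assumptions.

```bicep
// ---- main.bicep (deployed to the environment's own resource group) ----
// resourceGroup() expects the subscription GUID (subscription().subscriptionId),
// not the full resource ID returned by subscription().id.
@description('Subscription GUID that holds the shared vault (assumed parameter name)')
param kvSubscriptionId string = subscription().subscriptionId
@description('Resource group of the shared vault')
param kvResourceGroupName string
@description('Name of the shared vault')
param kvName string
@secure()
@description('Secret value, supplied at deploy time instead of being hardcoded')
param secretValue string

module sharedKvSecret './sharedKeyVault/secret.bicep' = {
  name: 'sharedKeyVaultSecret'
  // The module is deployed into the shared vault's resource group, not this one.
  scope: resourceGroup(kvSubscriptionId, kvResourceGroupName)
  params: {
    kvName: kvName
    secretName: 'mySecretKey'
    secretValue: secretValue
  }
}

// ---- sharedKeyVault/secret.bicep (hypothetical file name) ----
param kvName string
param secretName string
@secure()
param secretValue string

// No scope here: the module already runs in the vault's resource group.
resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  parent: kv
  name: secretName
  properties: {
    contentType: 'string'
    value: secretValue
    attributes: {
      enabled: true
    }
  }
}
```

The identity running the deployment needs permission to write secrets in the shared vault; each environment's deployment can be given only that, rather than broader rights on the shared resource group.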