堆栈内存溢出
  简体   繁体   English

在嵌套模板中创建 Azure KeyVault 机密作为子资源

[英]Creating Azure KeyVault secret as a child resource in nested template

 原文  2022-03-21 12:53:21       azure/ azure-devops/ azure-keyvault/ arm-template

问题描述

I'm trying to create resource group, key vault and key vault secret using a single template json with subscription level scope. I'm able to create resource group and key vault without any issues.我正在尝试使用订阅级别为 scope 的单个模板 json 创建资源组、密钥保管库和密钥保管库机密。我能够毫无问题地创建资源组和密钥保管库。 However, adding a key vault secret template as a child resource to key vault template with 'dependsOn' section generates errors like "Key vault secret doesn't depend on parent resource. Please add dependency explicitly using the 'dependsOn' syntax."但是,将密钥保管库机密模板作为子资源添加到具有“dependsOn”部分的密钥保管库模板会生成错误,例如“密钥保管库机密不依赖于父资源。请使用‘dependsOn’语法显式添加依赖项。” Here is the template:这是模板:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {... parameters for key vault and key vault secret resources ...},
    "variables": {
        "rgName": "[concat('rg-', substring(uniqueString(subscription().id), 0, 4))]",
        "keyvaultName": "[concat('keyvault-', substring(uniqueString(subscription().id), 0, 4))]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2021-04-01",
            "location": "[parameters('location')]",
            "name": "[variables('rgName')]"
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2021-04-01",
            "name": "keyvaultDeployment",
            "resourceGroup": "[variables('rgName')]",
            "dependsOn": [
                "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
        ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2021-10-01",
                            "name": "[variables('keyvaultName')]",
                            "location": "[parameters('location')]",
                            "properties": {... key vault properties ...},
                            "resources": [
                                {
                                    "type": "Microsoft.KeyVault/vaults/secrets",
                                    "apiVersion": "2021-10-01",
                                    "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
                                    "dependsOn": [
                                        "[subscriptionResourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
                                    ],
                                    "properties": {... key vault secret properties ...}
                                }
                            ]
                        }
                    ]
                }
            }
        }
    ]
}

I've also tried to move key vault secret template out of key vault section:我还尝试将密钥保管库秘密模板移出密钥保管库部分:

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {... parameters for key vault and key vault secret resources ...},
    "variables": {
        "rgName": "[concat('rg-', substring(uniqueString(subscription().id), 0, 4))]",
        "keyvaultName": "[concat('keyvault-', substring(uniqueString(subscription().id), 0, 4))]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2021-04-01",
            "location": "[parameters('location')]",
            "name": "[variables('rgName')]"
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2021-04-01",
            "name": "keyvaultDeployment",
            "resourceGroup": "[variables('rgName')]",
            "dependsOn": [
                "[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
        ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2021-10-01",
                            "name": "[variables('keyvaultName')]",
                            "location": "[parameters('location')]",
                            "properties": {... key vault properties ...}
                        },
                        {
                            "type": "Microsoft.KeyVault/vaults/secrets",
                            "apiVersion": "2021-10-01",
                            "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
                            "dependsOn": [
                                "[resourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
                            ],
                            "properties": {... key vault secret properties ...}
                        }
                    ]
                }
            }
        }
    ]
}

But it has generated the error "Key vault resource is not defined in the template."但它生成了错误“Key Vault 资源未在模板中定义”。 Is there a way to use child resources in subscription scope templates at all?有没有办法在订阅 scope 模板中使用子资源?

1 个解决方案

解决方案1
 0 已采纳  2022-03-21 14:31:49

I figured it out.我想到了。 Since I was working mostly with resource group deployments, I've used resourceId() function to pass values for 'dependsOn' template parameter.由于我主要处理资源组部署,因此我使用 resourceId() function 来传递“dependsOn”模板参数的值。 However, in subscription deployment scenario with child resources defined in the template resourceId() function wasn't working properly.但是,在模板 resourceId() function 中定义的子资源订阅部署场景中无法正常工作。 As it turned out, you have to use either concat() or format() functions (or plain text) to pass the value for 'dependsOn' parameter for a child resource.事实证明,您必须使用 concat() 或 format() 函数(或纯文本)来为子资源传递“dependsOn”参数的值。

Here is the code that worked:这是有效的代码:

{
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2021-04-01",
    "name": "keyvaultDeployment",
    "resourceGroup": "[variables('rgName')]",
    "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]"
    ],
    "properties": {
        "mode": "Incremental",
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "resources": [
                {
                    "type": "Microsoft.KeyVault/vaults",
                    "apiVersion": "2021-10-01",
                    "name": "[variables('keyvaultName')]",
                    "location": "[parameters('location')]",
                    "properties": {... key vault properties ...},
                    "resources": [
                        {
                            "type": "Microsoft.KeyVault/vaults/secrets",
                            "apiVersion": "2021-10-01",
                            "name": "[concat(variables('keyvaultName'), '/', parameters('keyvaultSecretName'))]",
                            "dependsOn": [
                                "[concat('Microsoft.KeyVault/vaults/', variables('keyvaultName'))]"
                            ],
                            "properties": {... key vault secret properties ...}
                        }
                    ]
                }
            ]
        }
    }
}

This is probably pretty obvious for more experienced users, but I've worked with multiple templates and multiple deployment tasks in my pipelines so I had to use resourceId() functions.这对于更有经验的用户来说可能是非常明显的,但我在我的管道中使用了多个模板和多个部署任务,所以我不得不使用 resourceId() 函数。 Probably the conclusion above is valid for any child resources in any scope (subscription or resource group).可能上面的结论对任何 scope(订阅或资源组)中的任何子资源都有效。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure 启动期间 IConfiguration 中的 KeyVault 秘密值不可用 - Azure KeyVault Secret Value not available in IConfiguration during Startup 在同一个 arm 模板部署中创建多个密钥库机密 - Creating multiple keyvault secrets in same arm template deployment 在 Azure 中国连接到 KeyVault - Connect to KeyVault in Azure China 使用 Azure Keyvault 优化 GetSecret - Optimization for GetSecret with Azure Keyvault Azure Keyvault 本地问题 - Azure Keyvault Local Issues 通过参数文件将 Azure Key Vault secret 读入 ARM 模板 - Reading Azure Key Vault secret into ARM template via parameter file 允许Azure CDN访问Azure KeyVault - Allowing Azure CDN to access Azure KeyVault 从 Bicep 的 keyvault 中检索一个秘密,并用作创建 Synapse 工作区的输入 - Retrieve a secret from keyvault in Bicep and use as input for Synapse Workspace creation 奇怪的结果,错误创建 Azure 基于现有内置策略的 KeyVault 策略 - “字段”属性引用的提供程序不存在 - Odd result, error creating Azure KeyVault Policy based on existing BuiltIn Policy - provider referenced by the 'field' property doesn't exist 使用 Bicep 模板为 Azure Cosmos DB 创建多个角色定义和分配 - Creating several roles definition and assignment with Bicep template for Azure Cosmos DB
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM