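How do I deploy an ARM template with a user-managed identity and assign a subscription-level role?
The following ARM template should create the following resources: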
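- resource group
- user managed identity
- subscription level Contributor role assignment
Currently, the deployment obviously fails with the error
"error": { "code": "ResourceGroupNotFound","message": "Resource group 'rg-myproject-deploy' could not be found." }
This is because the role assignment step does not seem to honor the dependsOn statement, which should enforce that it only runs after the resource group has been created. Is there a way to deploy all of these resources in a single ARM template?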
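Solution
I think you are running into this problem:
https://bmoore-msft.blog/2020/07/26/resource-not-found-dependson-is-not-working/
The fix turned out to be more involved than I had thought, but to summarize:
1. The nested deployment that provisions the MI must be set to inner-scope evaluation
2. Output the principalId from that deployment and use it in your reference (i.e., do not reference it directly)
Because of #1, I moved a few things around (params / vars)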
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "projectName": {
      "type": "string",
      "defaultValue": "myproject",
      "maxLength": 11,
      "metadata": { "description": "The name of the project" }
    },
    "location": {
      "type": "string",
      "defaultValue": "westus2",
      "metadata": { "description": "The region where to deploy assets" }
    }
  },
  "variables": {
    "identityDeploymentName": "deployment-assets-except-role-assignment",
    "resourceGroupName": "[concat('rg-',parameters('projectName'),'-deploy')]",
    // The source is cut off after 'msi-'; parameters('projectName') is an assumed completion.
    "managedIdentityName": "[concat('msi-',parameters('projectName'))]",
    "managedIdentityId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.ManagedIdentity/userAssignedIdentities/',variables('managedIdentityName'))]",
    "bootstrapRoleAssignmentId": "[guid(subscription().id,variables('contributorRoleDefinitionId'),variables('managedIdentityId'))]",
    "contributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[variables('resourceGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      // apiVersion here and contentVersion in the nested template are absent from the
      // source; the values below are assumed so that the template validates.
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "[variables('identityDeploymentName')]",
      "resourceGroup": "[variables('resourceGroupName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups',variables('resourceGroupName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "managedIdentityName": { "value": "[variables('managedIdentityName')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "location": { "type": "string" },
            "managedIdentityName": { "type": "string" }
          },
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
              "name": "[parameters('managedIdentityName')]",
              "apiVersion": "2018-11-30",
              "location": "[parameters('location')]"
            }
          ],
          "outputs": {
            "principalId": {
              "type": "string",
              "value": "[reference(parameters('managedIdentityName')).principalId]"
            }
          }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('bootstrapRoleAssignmentId')]",
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups',variables('resourceGroupName'))]",
        "[variables('identityDeploymentName')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
        "principalId": "[reference(variables('identityDeploymentName')).outputs.principalId.value]",
        "principalType": "ServicePrincipal",
        "scope": "[subscription().id]"
      }
    }
  ]
}
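The two conditions the answer lists can be checked mechanically before deploying. The following is an added example, not part of the original answer or of any Azure tooling: a small Python check over a parsed template. The names `lint`, `sample`, `GOOD` and `BAD` are hypothetical, the sample templates are constructed, and template expressions are compared as text rather than evaluated.

```python
import re

def lint(template):
    """Check the two conditions from the answer; returns a list of findings."""
    findings = []
    resources = template.get("resources", [])
    nested = {r["name"]: r for r in resources
              if r.get("type") == "Microsoft.Resources/deployments"}
    for name, dep in nested.items():
        opts = dep.get("properties", {}).get("expressionEvaluationOptions", {})
        # ARM evaluates nested templates in the outer scope unless told otherwise.
        if opts.get("scope", "outer").lower() != "inner":
            findings.append(f"{name}: nested deployment is not inner-scoped")
    for r in resources:
        if r.get("type") != "Microsoft.Authorization/roleAssignments":
            continue
        principal = r.get("properties", {}).get("principalId", "")
        m = re.search(r"reference\((.+)\)\.outputs\.(\w+)\.value", principal)
        if not m:
            findings.append(f"{r['name']}: principalId is not read from a deployment output")
            continue
        dep_name = f"[{m.group(1)}]"  # compared textually, expressions are not evaluated
        dep = nested.get(dep_name)
        if dep is None:
            findings.append(f"{r['name']}: {dep_name} is not a nested deployment here")
            continue
        if dep_name not in r.get("dependsOn", []):
            findings.append(f"{r['name']}: missing dependsOn on {dep_name}")
        outputs = dep.get("properties", {}).get("template", {}).get("outputs", {})
        if m.group(2) not in outputs:
            findings.append(f"{dep_name}: output '{m.group(2)}' is not declared")
    return findings

def sample(scope, principal):
    """Constructed input with the same shape as the template above."""
    dep = "[variables('identityDeploymentName')]"
    return {"resources": [
        {"type": "Microsoft.Resources/deployments", "name": dep,
         "properties": {"expressionEvaluationOptions": {"scope": scope},
                        "template": {"outputs": {"principalId": {"type": "string"}}}}},
        {"type": "Microsoft.Authorization/roleAssignments", "name": "ra",
         "dependsOn": [dep], "properties": {"principalId": principal}}]}

GOOD = sample("inner", "[reference(variables('identityDeploymentName')).outputs.principalId.value]")
BAD = sample("outer", "[reference(variables('managedIdentityId'),'2018-11-30').principalId]")

if __name__ == "__main__":
    for label, tpl in (("good", GOOD), ("bad", BAD)):
        print(label, lint(tpl) or "ok")
```

A real template that uses comments must have them stripped before it is parsed with a strict JSON parser.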