Question

我想更改我的arm模板，以便设置keyvault的诊断设置以使用存储帐户和oms工作区。

目前我只能使用存储帐户，但当我尝试提供OMS工作区时，它提供了一个非常无用的错误：

    ERROR: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. {
  "code": null,
  "message": null
}  Correlation ID: 26a5b601-ef98-415a-9963-e2b872f035b7

如果我删除workspaceId值，它可以正常工作，我已经仔细检查了我给它一个有效的工作区名称值 - 我有一个空白的oms工作区设置

{  
  "$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion":"1.0.0.0",
  "parameters":{  
    "keyVaultName":{  
      "type":"string",
      "minLength":1,
      "metadata":{  
        "description":"Name of the Key Vault"
      }
    },
    "accessPolicies":{  
      "type":"array",
      "defaultValue":"{}",
      "metadata":{  
        "description":"Access policies object"
      }
    },
    "logsRetentionInDays":{  
      "type":"int",
      "defaultValue":0,
      "minValue":0,
      "maxValue":365,
      "metadata":{  
        "description":"Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
      }
    },
    "enableVaultForDeployment":{  
      "type":"bool",
      "defaultValue":false,
      "allowedValues":[  
        true,
        false
      ],
      "metadata":{  
        "description":"Specifies if the vault is enabled for deployment by script or compute"
      }
    },
    "enableVaultForTemplateDeployment":{  
      "type":"bool",
      "defaultValue":false,
      "allowedValues":[  
        true,
        false
      ],
      "metadata":{  
        "description":"Specifies if the vault is enabled for a template deployment"
      }
    },
    "enableVaultForDiskEncryption":{  
      "type":"bool",
      "defaultValue":false,
      "allowedValues":[  
        true,
        false
      ],
      "metadata":{  
        "description":"Specifies if the azure platform has access to the vault for enabling disk encryption scenarios."
      }
    },
    "vaultSku":{  
      "type":"string",
      "defaultValue":"Premium",
      "allowedValues":[  
        "Premium"
      ],
      "metadata":{  
        "description":"Specifies the SKU for the vault"
      }
    },
    "diagnosticStorageAccountPrefix":{  
      "type":"string",
      "minLength":1,
      "metadata":{  
        "description":"Prefix for the diagnostic storage account"
      }
    },
    "omsWorkspaceName":{  
      "type":"string",
      "minLength":1,
      "metadata":{  
        "description":"Name of the OMS workspace used for diagnostic log integration."
      }
    }
  },
  "variables":{  
    "uniqueString":"[uniqueString(subscription().id, resourceGroup().id)]",
    "diagnosticStorageAccountName":"[toLower(substring(replace(concat(parameters('diagnosticStorageAccountPrefix'), variables('uniqueString'), variables('uniqueString')), '-', ''), 0, 23) )]"
  },
  "resources":[  
    {  
      "type":"Microsoft.Storage/storageAccounts",
      "name":"[variables('diagnosticStorageAccountName')]",
      "apiVersion":"2016-12-01",
      "location":"[resourceGroup().location]",
      "sku":{  
        "name":"Standard_LRS"
      },
      "kind":"Storage",
      "tags":{  
        "displayName":"Key Vault Diagnostic Storage Account')"
      },
      "properties": {
        "encryption": {
          "keySource":"Microsoft.Storage",
          "services": {
            "blob": {
              "enabled":true
            }
          }
        }
      }
    },
    {  
      "type":"Microsoft.KeyVault/vaults",
      "name":"[parameters('keyVaultName')]",
      "apiVersion":"2016-10-01",
      "location":"[resourceGroup().location]",
      "tags":{  
        "displayName":"Key Vault"
      },
      "properties":{  
        "enabledForDeployment":"[parameters('enableVaultForDeployment')]",
        "enabledForTemplateDeployment":"[parameters('enableVaultForTemplateDeployment')]",
        "enabledForDiskEncryption":"[parameters('enableVaultForDiskEncryption')]",
        "tenantId":"[subscription().tenantId]",
        "accessPolicies":"[parameters('AccessPolicies')]",
        "sku":{  
          "name":"[parameters('vaultSku')]",
          "family":"A"
        }
      },
      "resources":[  
        {  
          "type":"Microsoft.KeyVault/vaults/providers/diagnosticsettings",
          "name":"[concat(parameters('keyVaultName'), '/Microsoft.Insights/service')]",
          "apiVersion":"2016-09-01",
          "location":"[resourceGroup().location]",
          "dependsOn":[  
            "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
            "[concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName'))]"
          ],
          "properties":{  
            "storageAccountId":"[resourceId('Microsoft.Storage/storageAccounts', variables('diagnosticStorageAccountName'))]",
            "workspaceId":"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('omsWorkspaceName'))]",
            "logs":[  
              {  
                "category":"AuditEvent",
                "enabled":true,
                "retentionPolicy":{  
                  "enabled":true,
                  "days":"[parameters('LogsRetentionInDays')]"
                }
              }
            ]
          }
        }
      ]
    },
    {  
      "type":"Microsoft.KeyVault/vaults/providers/locks",
      "apiVersion":"2016-09-01",
      "name":"[concat(parameters('keyVaultName'), '/Microsoft.Authorization/keyVaultDoNotDelete')]",
      "dependsOn":[  
        "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
      ],
      "comments":"Resource lock on key vault",
      "properties":{  
        "level":"CannotDelete"
      }
    },
    {  
      "type":"Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion":"2016-09-01",
      "name":"[concat(variables('diagnosticStorageAccountName'), '/Microsoft.Authorization/storageDoNotDelete')]",
      "dependsOn":[  
        "[concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName'))]"
      ],
      "comments":"Resource lock on key vault diagnostic storage account",
      "properties":{  
        "level":"CannotDelete"
      }
    }
  ],
  "outputs":{  

  }
}

Answer 1

由于oms位于其他资源组中，因此您需要为其提供资源组。

"workspaceId":"[resourceId('myresourcegroup', 'Microsoft.OperationalInsights/workspaces', parameters('omsWorkspaceName'))]",

Azure密钥保管库ARM模板诊断设置

1 个答案: