Azure RM template: deploy copied VMs with unique secrets from Key Vault

Time: 2017-02-17 15:57:30

Tags: azure azure-keyvault

I want to be able to create the number of VMs I specify through a parameter (using copy), with each VM getting a different secret (e.g. secret1 for VM1, secret2 for VM2, and so on). Here is a basic example copy-VM template:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "numberOfVMs": {
          "type": "int",
          "defaultValue": 1,
          "minValue": 1
        },
        "vmAdminUserName": {
          "type": "string",
          "minLength": 1
        },
        "vmAdminPassword": {
          "type": "securestring"
        }
      },
      "variables": {
        "storageAccountName": "[concat('stor567', uniqueString(resourceGroup().id))]",
        "storageAccountType": "Standard_LRS",
        "vmWindowsOSVersion": "2016-Datacenter",
        "vnetPrefix": "10.0.0.0/16",
        "vnetSubnet1Name": "Subnet-1",
        "vnetSubnet1Prefix": "10.0.0.0/24",
        "nicVnetID": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]",
        "nicSubnetRef": "[concat(variables('nicVnetID'), '/subnets/', variables('vnetSubnet1Name'))]",
        "vmImagePublisher": "MicrosoftWindowsServer",
        "vmImageOffer": "WindowsServer",
        "vmVmSize": "Standard_DS1_v2",
        "vmVnetID": "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]",
        "vmSubnetRef": "[concat(variables('vmVnetID'), '/subnets/', variables('vnetSubnet1Name'))]",
        "vmStorageAccountContainerName": "vhds"
      },
      "resources": [
        {
          "name": "[variables('storageAccountName')]",
          "type": "Microsoft.Storage/storageAccounts",
          "location": "[resourceGroup().location]",
          "apiVersion": "2015-06-15",
          "dependsOn": [ ],
          "properties": {
            "accountType": "[variables('storageAccountType')]"
          }
        },
        {
          "name": "vnet",
          "type": "Microsoft.Network/virtualNetworks",
          "location": "[resourceGroup().location]",
          "apiVersion": "2016-03-30",
          "dependsOn": [ ],
          "tags": {
            "displayName": "vnet"
          },
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "[variables('vnetPrefix')]"
              ]
            },
            "subnets": [
              {
                "name": "[variables('vnetSubnet1Name')]",
                "properties": {
                  "addressPrefix": "[variables('vnetSubnet1Prefix')]"
                }
              }
            ]
          }
        },
        {
          "name": "[concat('NIC',copyindex())]",
          "type": "Microsoft.Network/networkInterfaces",
          "location": "[resourceGroup().location]",
          "copy": {
            "name": "nicLoop",
            "count": "[parameters('numberOfVMs')]"
          },
          "apiVersion": "2016-03-30",
          "dependsOn": [
            "[resourceId('Microsoft.Network/virtualNetworks', 'vnet')]"
          ],
          "tags": {
            "displayName": "nic"
          },
          "properties": {
            "ipConfigurations": [
              {
                "name": "ipconfig1",
                "properties": {
                  "privateIPAllocationMethod": "Dynamic",
                  "subnet": {
                    "id": "[variables('nicSubnetRef')]"
                  }
                }
              }
            ]
          }
        },
        {
          "name": "[concat('VM',copyindex())]",
          "type": "Microsoft.Compute/virtualMachines",
          "location": "[resourceGroup().location]",
          "copy": {
            "name": "virtualMachineLoop",
            "count": "[parameters('numberOfVMs')]"
          },
          "apiVersion": "2015-06-15",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
            "nicLoop"
          ],
          "tags": {
            "displayName": "vm"
          },
          "properties": {
            "hardwareProfile": {
              "vmSize": "[variables('vmVmSize')]"
            },
            "osProfile": {
              "computerName": "[concat('VM',copyindex())]",
              "adminUsername": "[parameters('vmAdminUserName')]",
              "adminPassword": "[parameters('vmAdminPassword')]"
            },
            "storageProfile": {
              "imageReference": {
                "publisher": "[variables('vmImagePublisher')]",
                "offer": "[variables('vmImageOffer')]",
                "sku": "[variables('vmWindowsOSVersion')]",
                "version": "latest"
              },
              "osDisk": {
                "name": "vmOSDisk",
                "vhd": {
                  "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob, variables('vmStorageAccountContainerName'), '/', 'VM',copyIndex(),'-','OSdisk.vhd')]"
                },
                "caching": "ReadWrite",
                "createOption": "FromImage"
              }
            },
            "networkProfile": {
              "networkInterfaces": [
                {
                  "id": "[resourceId('Microsoft.Network/networkInterfaces', concat('NIC',copyindex()))]"
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    }

However, I'm struggling to integrate the password as a unique Key Vault secret per copy in this template. If I use the example "Reference a secret with static id" from the official documentation, every VM gets created with secret1. And I can't wrap "Reference a secret with dynamic id" in a nested template, because that would deploy my copied VMs over and over again for every VM I want to deploy. Please help me understand how this challenge can be solved.

1 Answer:

Answer 0 (score: 3)

Links: Parent, Nested. I'm not sure whether this is what you mean (since I still think I'm having trouble understanding your question).

These templates allow deploying a variable number of VMs using different Key Vault secrets as passwords. For example:

    2 Windows VMs with one secret, 3 Ubuntu VMs with another
    1 Windows VM with one secret and 4 Ubuntu VMs with another

You can easily extend this to other images, e.g. CentOS. As you'll see once you look at the templates, I use arrays and copyindex() to supply the correct values that belong to each of them.

Let me know if this isn't what you're after. Be careful when using it: the GitHub raw links use some form of caching, so deploying from GitHub may not work for you without errors; in that case just take the links I provided (NOT RAW), copy them to your local machine, upload them to a service like pastebin, and deploy from there.
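The parent/nested pattern the answer describes, as an added example that is not the answerer's or the questioner's code: the parent template puts the copy loop on a `Microsoft.Resources/deployments` resource rather than on the VM, and each iteration passes the admin password as a Key Vault reference whose `secretName` is picked from an array with `copyIndex()`. It assumes a linked template at `vmTemplateUri` that deploys one VM and takes `vmName`, `vmAdminUserName` and a `securestring` `vmAdminPassword` (i.e. the question's template reduced to a single VM); the parameter and secret names are constructed placeholders.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "numberOfVMs": { "type": "int", "defaultValue": 2, "minValue": 1 },
    "vmAdminUserName": { "type": "string", "minLength": 1 },
    "keyVaultId": { "type": "string" },
    "secretNames": {
      "type": "array",
      "defaultValue": [ "vm0-admin-password", "vm1-admin-password" ]
    },
    "vmTemplateUri": { "type": "string" }
  },
  "resources": [
    {
      "name": "[concat('vmDeployment', copyIndex())]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2016-09-01",
      "copy": {
        "name": "vmDeploymentLoop",
        "count": "[parameters('numberOfVMs')]"
      },
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[parameters('vmTemplateUri')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "vmName": { "value": "[concat('VM', copyIndex())]" },
          "vmAdminUserName": { "value": "[parameters('vmAdminUserName')]" },
          "vmAdminPassword": {
            "reference": {
              "keyVault": { "id": "[parameters('keyVaultId')]" },
              "secretName": "[parameters('secretNames')[copyIndex()]]"
            }
          }
        }
      }
    }
  ]
}
```

The shared storage account and vnet from the question's template stay in the parent, with the deployments resource listing them in `dependsOn`; the `secretNames` array must have at least `numberOfVMs` entries, and the vault must have `enabledForTemplateDeployment` set so that the secret values are resolved by Resource Manager at deployment time and never appear in the template or its parameters file.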