在单个ARM脚本中创建批处理帐户和密钥保管库

时间:2017-09-04 14:29:37

标签: azure azure-resource-manager arm-template

我尝试在ARM脚本中添加批量帐户(在用户订阅模式下)配置,但我遇到了循环依赖的问题。

  • 批量帐户需要KeyVaultReference。
  • 密钥保管库访问政策 需要BatchAccount对象id。

在这种情况下,我无法创建完全配置的服务。您知道如何从同一个ARM脚本创建两种服务吗?

请参阅以下示例:

{
  "name": "[variables('keyVaultName')]",
  "type": "Microsoft.KeyVault/vaults",
  "location": "[resourceGroup().location]",
  "apiVersion": "2015-06-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {
          "keys": [
            "Update"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
  ]
},
{
  "name": "[variables('batchAccountName')]",
  "type": "Microsoft.Batch/batchAccounts",
  "location": "[resourceGroup().location]",
  "apiVersion": "2017-05-01",
  "properties": {
    "poolAllocationMode": "UserSubscription",
    "autoStorage": {
      "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
    },
    "keyVaultReference": {
      "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
      "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ]
}

1 个答案:

答案 0 :(得分:1)

  

密钥保管库访问策略需要BatchAccount对象ID。

对象ID与批处理帐户无关。对象标识是您设置的可以访问密钥保管库的用户对象标识。用户可以是Azure AD帐户,Microsoft帐户或服务主体。对于Azure AD帐户,您可以使用PowerShell cmdlet Get-AzureRmADUser获取ID。这blog可能有帮助。

  

批量帐户需要KeyVaultReference。

正如您所做的那样,您可以在创建批量帐户时添加依赖于密钥保管库的内容。以下模板适用于我。

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "defaultValue": "eastus",
            "type": "string"
        },
        "batchAccountName": {
            "defaultValue": "shui568",
            "type": "string"
        },
        "storageAccountName": {
            "defaultValue": "shui41f",
            "type": "string"
        },
        "storageAccountType": {
            "defaultValue": "Standard_LRS",
            "type": "string"
        },
         "vaults_shuibatch_name": {
            "defaultValue": "shui225",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "name": "[parameters('batchAccountName')]",
            "type": "Microsoft.Batch/batchAccounts",
            "apiVersion": "2017-05-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]"
            ],
            "properties": {
                "poolAllocationMode": "usersubscription",
                "KeyVaultReference": {

                    "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]",
                    "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]"
                },
                "autoStorage": {
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
                }
            }
        },
        {
            "name": "[parameters('storageAccountName')]",
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2015-06-15",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "[parameters('storageAccountType')]"
            }
        },
            {
            "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.",
            "type": "Microsoft.KeyVault/vaults",
            "name": "[parameters('vaults_shuibatch_name')]",
            "apiVersion": "2015-06-01",
            "location": "eastus",
            "tags": {},
            "scale": null,
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
                        "permissions": {
                            "secrets": [
                                "All"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true
            },
            "dependsOn": []
        }
    ]
}