When deploying a Key Vault with an access policy for the managed identity of an enabled Logic App, the deployment fails because the identity does not exist yet. I did add a dependsOn for the Logic App.
Strangely, this template had been working for weeks and now fails every time, so I am a bit confused. I copied this from the MS quickstart templates. That is not the problem, though, because if you look at the error it points at the correct target resource. The template also works if you click redeploy after it fails, because by then the managed identity already exists. I tested it, but it still fails.
Here is my ARM template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": {
      "type": "string",
      "minLength": 1,
      "metadata": {
        "description": "Describes the name of the Logic App resource"
      },
      "defaultValue": "demo"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the Azure location where the key vault should be created."
      }
    }
  },
  "variables": {
    "keyVaultName": "[concat('eakeyvault', uniquestring(resourceGroup().id))]",
    "logicAppName": "[parameters('logicAppName')]"
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "[variables('keyVaultName')]",
      "apiVersion": "2018-02-14",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
      ],
      "properties": {
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [
          {
            "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows/', variables('logicAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]",
            "tenantId": "[subscription().tenantId]",
            "permissions": {
              "secrets": ["get"]
            }
          }
        ],
        "sku": {
          "name": "standard",
          "family": "A"
        },
        "networkAcls": {
          "value": {
            "defaultAction": "Allow",
            "bypass": "AzureServices"
          }
        }
      }
    },
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[variables('logicAppName')]",
      "location": "[resourceGroup().location]",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "state": "Disabled",
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "actions": {},
          "contentVersion": "1.0.0.0",
          "outputs": {},
          "parameters": {
            "$connections": {
              "defaultValue": {},
              "type": "Object"
            }
          },
          "triggers": {
            "Recurrence": {
              "recurrence": {
                "frequency": "Day",
                "interval": 1,
                "schedule": {
                  "hours": [
                    "3"
                  ]
                }
              },
              "type": "Recurrence"
            }
          }
        },
        "parameters": {}
      }
    }
  ]
}
```
Error:
```json
{
  "id": "/subscriptions/x/resourceGroups/demo6/providers/Microsoft.Resources/deployments/Microsoft.Template/operations/272BE07B42936635",
  "operationId": "272BE07B42936635",
  "properties": {
    "provisioningOperation": "Read",
    "provisioningState": "Failed",
    "timestamp": "2019-10-06T15:09:38.8112774Z",
    "duration": "PT1.3818083S",
    "trackingId": "faf54706-3f6f-469a-9917-a65bdba9768f",
    "statusCode": "NotFound",
    "statusMessage": {
      "error": {
        "code": "ResourceNotFound",
        "message": "The Resource 'Microsoft.Logic/workflows/demo' under resource group 'demo6' was not found."
      }
    },
    "targetResource": {
      "id": "/subscriptions/x/resourceGroups/demo6/providers/Microsoft.Logic/workflows/demo/providers/Microsoft.ManagedIdentity/Identities/default",
      "resourceType": "Microsoft.ManagedIdentity/Identities",
      "resourceName": "default",
      "apiVersion": "2018-11-30"
    }
  }
}
```
Answer 0 (score: 2)
I have used this as the reference for an App Service:
```json
"[reference(resourceId('Microsoft.Web/sites', variables('webAppName')), '2016-08-01', 'Full').identity.principalId]"
```
And of course the dependsOn:
```json
"[resourceId('Microsoft.Web/sites', variables('webAppName'))]"
```
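Applied to the Logic App from the question, the Key Vault resource looks like this; it is an added example, not code from the question or from any of the answers. It assumes the `keyVaultName` and `logicAppName` variables and the `Microsoft.Logic/workflows` resource of the question's template; the `objectId` comes from `reference(..., 'Full').identity.principalId` so no provider path is concatenated by hand, the `dependsOn` uses the same `resourceId()` call, and `networkAcls` is written in its direct shape without the `"value"` wrapper from the question.

```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2018-02-14",
  "name": "[variables('keyVaultName')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
  ],
  "properties": {
    "tenantId": "[subscription().tenantId]",
    "sku": {
      "name": "standard",
      "family": "A"
    },
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[reference(resourceId('Microsoft.Logic/workflows', variables('logicAppName')), '2017-07-01', 'Full').identity.principalId]",
        "permissions": {
          "secrets": [
            "get"
          ]
        }
      }
    ],
    "networkAcls": {
      "defaultAction": "Allow",
      "bypass": "AzureServices"
    }
  }
}
```

The access policy grants the workflow identity `secrets/get` only, which is all the question's template asks for; `defaultAction` is kept at `"Allow"` to match the question, while `"Deny"` with the `AzureServices` bypass is the tighter choice once the callers are known.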
Answer 1 (score: 1)
There is a typo in your `resourceId()` function:
```json
"[reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]"
```
Note the extra `/` after `workflows`.
Answer 2 (score: 0)
This is a theory, but try updating your access policy with a separate dependsOn:
```json
"dependsOn": [
  "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
]
```
The idea is that the access policy components are separate from the actual Key Vault creation.
> Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses Key Vault access policies.
This makes sense given the error, because an access policy cannot be assigned if the workflow has not been created yet.
Answer 3 (score: 0)
One very important thing I want to add is that the official documentation states here:
> The reference function and the list* functions create an implicit dependency on the referenced resource when that resource is deployed in the same template and is referenced by its name (not its resource ID).
I ran into exactly this problem: I was declaring my "dependsOn" with the resource ID:
```json
"dependsOn": [
  "[resourceId('Microsoft.Web/sites', parameters('serv_webjobs_as_name'))]"
],
```
This still made the creation fail and made the creation process ignore my dependency. But when I based the dependency on the "name" instead of the ID, it started working:
```json
"dependsOn": [
  "[parameters('serv_webjobs_as_name')]"
],
```