How to deploy an ARM template with a user-managed identity and assign a subscription-level role?

Time: 2020-08-19 00:54:01

Tags: azure-resource-manager azure-managed-identity azure-rbac

The ARM template below should create the following resources:

  - resource group
  - user managed identity
  - subscription level Contributor role assignment

Currently the deployment clearly fails with the following deployment error:

"error": { "code": "ResourceGroupNotFound", "message": "Resource group 'rg-myproject-deploy' could not be found." }

This is because the role assignment step does not seem to respect the dependsOn statement, which should enforce that this step only runs after the resource group has been created. Is there a way to deploy all of these resources in a single ARM template?

1 answer:

Answer 0: (score: 1)

I think you are running into this issue:

https://bmoore-msft.blog/2020/07/26/resource-not-found-dependson-is-not-working/

The fix is more complicated than I thought, but to summarize:

  1. The nested deployment that provisions the MI must be set to inner scope evaluation
  2. Output the principalId from that deployment and use it in your reference (i.e. do not reference it directly)

Because of #1, I moved a few things around in (params / vars):

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "projectName": {
        "type": "string",
        "defaultValue": "myproject",
        "maxLength": 11,
        "metadata": {
          "description": "The name of the project"
        }
      },
      "location": {
        "type": "string",
        "defaultValue": "westus2",
        "metadata": {
          "description": "The region were to deploy assets"
        }
      }
    },
    "variables": {
      "identityDeploymentName": "deployment-assets-except-role-assignment",
      "resourceGroupName": "[concat('rg-', parameters('projectName'), '-deploy')]",
      "managedIdentityName": "[concat('msi-', parameters('projectName'), '-deploy')]",
      "managedIdentityId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]",
      "bootstrapRoleAssignmentId": "[guid(subscription().id, variables('contributorRoleDefinitionId'),variables('managedIdentityId'))]",
      "contributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
    },
    "resources": [
      {
        "type": "Microsoft.Resources/resourceGroups",
        "apiVersion": "2019-10-01",
        "name": "[variables('resourceGroupName')]",
        "location": "[parameters('location')]",
        "properties": {}
      },
      {
        "type": "Microsoft.Resources/deployments",
        "apiVersion": "2019-10-01",
        "name": "[variables('identityDeploymentName')]",
        "resourceGroup": "[variables('resourceGroupName')]",
        "dependsOn": [
          "[resourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"
        ],
        "properties": {
          "mode": "Incremental",
          "expressionEvaluationOptions":{
              "scope": "inner"
          },
          "parameters": {
              "location": {
                  "value": "[parameters('location')]" 
              },
              "managedIdentityName": {
                  "value": "[variables('managedIdentityName')]" 
              }
          },
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
                "location": {
                    "type": "string"
                },
                "managedIdentityName": {
                    "type": "string"
                }
            },
            "variables": {},
            "resources": [
              {
                "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
                "name": "[parameters('managedIdentityName')]",
                "apiVersion": "2018-11-30",
                "location": "[parameters('location')]"
              }
            ],
            "outputs": {
                "principalId": {
                    "type": "string",
                    "value": "[reference(parameters('managedIdentityName')).principalId]"
                }
            }
          }
        }
      },
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[variables('bootstrapRoleAssignmentId')]",
        "dependsOn": [
          "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]",
          "[variables('identityDeploymentName')]"
        ],
        "properties": {
          "roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
          "principalId": "[reference(variables('identityDeploymentName')).outputs.principalId.value]",
          "principalType": "ServicePrincipal",
          "scope": "[subscription().id]"
        }
      }
    ]
  }
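The two rules in the answer are easy to get wrong again the next time a template is edited, so here is an added example (not code from the question, the answer or Microsoft) that turns them into a small lint pass over a subscription-scope template: the managed identity must be created by a nested deployment with inner scope evaluation, and the role assignment's principalId must come from that deployment's outputs rather than from the identity resource directly. It also surfaces, as a note rather than an error, that the assignment grants Contributor on the whole subscription, since that breadth is worth confirming on any template that bootstraps an identity. The embedded template is a constructed, trimmed copy of the answer's template; the function `direct_reference_variant` rewrites it into the question's shape so both outcomes can be seen.

```python
"""Lint an ARM subscription-scope template for the dependsOn/reference pitfall.
Added example, not code from the question, the answer or Microsoft: it turns the
answer's two rules into checks. SAMPLE_TEMPLATE is a constructed, trimmed copy
of the answer's template."""
import copy
import json
import re

CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor role definition

SAMPLE_TEMPLATE = r'''{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"location": {"type": "string", "defaultValue": "westus2"}},
  "variables": {
    "identityDeploymentName": "deployment-assets-except-role-assignment",
    "resourceGroupName": "rg-myproject-deploy", "managedIdentityName": "msi-myproject-deploy",
    "contributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {"type": "Microsoft.Resources/resourceGroups", "apiVersion": "2019-10-01",
     "name": "[variables('resourceGroupName')]", "location": "[parameters('location')]", "properties": {}},
    {"type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01",
     "name": "[variables('identityDeploymentName')]", "resourceGroup": "[variables('resourceGroupName')]",
     "dependsOn": ["[resourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"],
     "properties": {
       "mode": "Incremental", "expressionEvaluationOptions": {"scope": "inner"},
       "parameters": {"managedIdentityName": {"value": "[variables('managedIdentityName')]"},
                      "location": {"value": "[parameters('location')]"}},
       "template": {
         "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
         "contentVersion": "1.0.0.0",
         "parameters": {"managedIdentityName": {"type": "string"}, "location": {"type": "string"}},
         "resources": [{"type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2018-11-30",
                        "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]"}],
         "outputs": {"principalId": {"type": "string",
                                     "value": "[reference(parameters('managedIdentityName')).principalId]"}}
       }}},
    {"type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-04-01-preview",
     "name": "[guid(subscription().id, variables('contributorRoleDefinitionId'), variables('managedIdentityName'))]",
     "dependsOn": ["[variables('identityDeploymentName')]"],
     "properties": {
       "roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
       "principalId": "[reference(variables('identityDeploymentName')).outputs.principalId.value]",
       "principalType": "ServicePrincipal", "scope": "[subscription().id]"}}
  ]
}'''


def _of_type(resources, rtype):
    """Resources of one type; ARM compares resource types case-insensitively."""
    return [r for r in resources if r.get("type", "").lower() == rtype.lower()]


def _resolves_to(template, expr, needle):
    """True if expr contains needle directly or through a variables('x') it cites."""
    names = re.findall(r"variables\('([^']+)'\)", expr)
    return needle in expr or any(needle in str(template.get("variables", {}).get(n, "")) for n in names)


def lint_template(template):
    """Return human-readable findings; an empty list means the template follows the pattern."""
    findings, deployment_names = [], set()
    resources = template.get("resources", [])
    for dep in _of_type(resources, "Microsoft.Resources/deployments"):
        name, props = dep.get("name", ""), dep.get("properties", {})
        deployment_names.add(name)
        inner = props.get("template", {})
        if _of_type(inner.get("resources", []), "Microsoft.ManagedIdentity/userAssignedIdentities"):
            # Rule 1: the deployment that creates the identity must evaluate expressions in inner scope.
            scope = props.get("expressionEvaluationOptions", {}).get("scope", "outer")
            if scope != "inner":
                findings.append(f"{name}: creates a managed identity with scope '{scope}', expected 'inner'")
            if "principalId" not in inner.get("outputs", {}):
                findings.append(f"{name}: nested template does not output principalId")
    for ra in _of_type(resources, "Microsoft.Authorization/roleAssignments"):
        props = ra.get("properties", {})
        principal = props.get("principalId", "")
        # Rule 2: take principalId from the deployment's outputs, not from the identity resource.
        if ".outputs." not in principal:
            findings.append(f"roleAssignment: principalId {principal} references the identity directly")
        if not deployment_names & set(ra.get("dependsOn", [])):
            findings.append("roleAssignment: dependsOn does not name the deployment that creates the identity")
        # Not an error, but worth surfacing: Contributor on the whole subscription is a broad grant.
        if props.get("scope") == "[subscription().id]" and _resolves_to(template, props.get("roleDefinitionId", ""), CONTRIBUTOR_ROLE_ID):
            findings.append("roleAssignment: grants Contributor at subscription scope; confirm this breadth is intended")
    return findings


def load_sample():
    return json.loads(SAMPLE_TEMPLATE)


def direct_reference_variant(template):
    """Rewrite the role assignment the way the question did: direct reference, no dependency on the deployment."""
    variant = copy.deepcopy(template)
    for ra in _of_type(variant["resources"], "Microsoft.Authorization/roleAssignments"):
        ra["properties"]["principalId"] = "[reference(variables('managedIdentityName')).principalId]"
        ra["dependsOn"] = ["[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"]
    return variant


if __name__ == "__main__":
    for label, tpl in (("answer's pattern", load_sample()), ("question's pattern", direct_reference_variant(load_sample()))):
        print(label, *lint_template(tpl), sep="\n  - ")
```

Run as a script it prints the findings for both shapes: the answer's template produces only the subscription-scope Contributor note, while the question's shape additionally trips the direct-reference and dependsOn checks. The checks are purely textual (they compare the expression strings the template contains and resolve one level of `variables()`), which is enough for templates written in the style shown above but will not follow expressions built with `concat()` or nested function calls.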