ARM KeyVault访问策略有条件添加

时间:2020-09-02 13:43:10

标签: azure-keyvault arm-template

是否可以通过条件语句添加访问策略?基本上,如果环境==生产,我不想添加注册。

我的模板中包含以下内容,但是如果环境是生产环境,我不希望添加名为foobarApplicationId的应用程序。我可以内联吗?还是需要单独的模板?将foobarApplicationId设置为空字符串会起作用吗?

    {
      "name": "[variables('keyVault-name')]",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('keyVaultOwner')]",
            "permissions": {
              "keys": [
                "all"
              ],
              "secrets": [
                "all"
              ],
              "certificates": [
                "all"
              ],
              "storage": [
              ]
            }
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('foobarApplicationId')]",
            "permissions": {
              "keys": [
                "get",
                "wrapKey",
                "unwrapKey",
                "sign",
                "verify",
                "list"
              ],
              "secrets": [
                "get",
                "list"
              ],
              "certificates": [
                "get",
                "list"
              ],
              "storage": [
              ]
            }
          },

2 个答案:

答案 0 :(得分:1)

这将是在单个访问策略中添加条件部分,该部分将采用如下环境参数:

 {
        "condition": "[not(equals(parameters('environment'),'PROD'))]"
        "tenantId": "[subscription().tenantId]",
        "objectId": "[parameters('foobarApplicationId')]",
        "permissions": {
          "keys": [
            "get",
            "wrapKey",
            "unwrapKey",
            "sign",
            "verify",
            "list"
          ],
          "secrets": [
            "get",
            "list"
          ],
          "certificates": [
            "get",
            "list"
          ],
          "storage": [
          ]
        }
      }

答案 1 :(得分:0)

"condition" 中的

"accessPolicies" 似乎对我没有任何影响。它不会导致任何验证或部署错误,但即使条件评估为 false,也会添加访问策略。

我发现以下技巧更有效:对您的 if"objectId" 使用 "permissions" 子句,这样如果条件为假,您将分配一组空权限给空 GUID,有效地成为空操作。

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",

  "variables": {
    "keyVaultNoPermissions": { },
    "keyVaultAppReadPermissions": {
      "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
      "secrets": [ "get", "list" ],
      "certificates": [ "get", "list" ]
    }
  },

  "resources": [
    // ...
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[parameters('keyVaultName')]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[if(not(equals(parameters('environment'), 'PROD')), parameters('foobarApplicationId'), '00000000-0000-0000-0000-000000000000')]",
            "permissions": "[if(not(equals(parameters('environment'), 'PROD')), variables('keyVaultAppReadPermissions'), variables('keyVaultNoPermissions'))]"
          }
        ]
      }
    }
  ]
}
相关问题
最新问题