I am trying to manage CA certificates in Azure APIM through ARM, but none of the approaches I have tried has produced a positive result.
When I look at the Microsoft.ApiManagement/service schema, there is a certificates section where I can set the storeName variable, but it has no effect.
For sanity I also tried uploading it manually and via PowerShell; both options work, but every time I deploy my ARM template the CA certificate is wiped from APIM, even though I use the "Incremental" option.
First, I tried modifying the APIM ARM template by adding this block to the "properties" section:
"certificates": [
  {
    "encodedCertificate": "[parameters('RootCertificateBase64Content')]",
    "certificatePassword": "[parameters('RootCertificatePassword')]",
    "storeName": "Root"
  }
]
Here is my first test snippet, complete so it is fully traceable:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "apimName": {
      "type": "string",
      "metadata": {
        "description": "Name of the apimanagement"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "sku": {
      "type": "string",
      "allowedValues": [
        "Developer",
        "Standard",
        "Premium"
      ],
      "defaultValue": "Developer",
      "metadata": {
        "description": "The pricing tier of this API Management service"
      }
    },
    "skuCapacity": {
      "type": "string",
      "allowedValues": [
        "1",
        "2"
      ],
      "defaultValue": "1",
      "metadata": {
        "description": "The instance size of this API Management service."
      }
    },
    "subnetResourceId": {
      "type": "string",
      "metadata": {
        "description": ""
      }
    },
    "RootCertificateBase64Content": {
      "type": "string",
      "metadata": {
        "description": "The Root certificate content"
      }
    },
    "RootCertificatePassword": {
      "type": "string",
      "metadata": {
        "description": "The Root certificate password"
      }
    }
  },
  "variables": {
    "publisherEmail": "whatever@heyho.com",
    "publisherName": "Whatever Team",
    "notificationSenderEmail": "whatever@heygo.com"
  },
  "resources": [
    {
      "apiVersion": "2019-12-01",
      "name": "[parameters('apimName')]",
      "type": "Microsoft.ApiManagement/service",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('sku')]",
        "capacity": "[parameters('skuCapacity')]"
      },
      "properties": {
        "notificationSenderEmail": "[variables('notificationSenderEmail')]",
        "publisherEmail": "[variables('publisherEmail')]",
        "publisherName": "[variables('publisherName')]",
        "virtualNetworkConfiguration": {
          "subnetResourceId": "[parameters('subnetResourceId')]"
        },
        "virtualNetworkType": "Internal",
        "certificates": [
          {
            "encodedCertificate": "[parameters('RootCertificateBase64Content')]",
            "certificatePassword": "[parameters('RootCertificatePassword')]",
            "storeName": "Root"
          }
        ]
      },
      "identity": {
        "type": "SystemAssigned"
      }
    }
  ],
  "outputs": {
    "apiManagementPrivateHostIp": {
      "type": "string",
      "value": "[reference(concat(resourceId('Microsoft.ApiManagement/service', parameters('apimName')))).privateIPAddresses[0]]"
    }
  }
}
The second option I tried was the Microsoft.ApiManagement/service/certificates schema. There is no way to specify StoreName there, so I don't think it is the right schema, but I tried it anyway. Every attempt produced a certificate in the built-in certificate store rather than in the CA certificate store.
Here is the snippet from my second attempt:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "apimName": {
      "type": "string",
      "metadata": {
        "description": "The parent APIM name"
      }
    },
    "certificateName": {
      "type": "string",
      "metadata": {
        "description": "The certificate name"
      }
    },
    "CertificateBase64Content": {
      "type": "string",
      "metadata": {
        "description": "The content of the certificate"
      }
    },
    "CertificatePassword": {
      "type": "string",
      "metadata": {
        "description": "The certificate password"
      }
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('apimName'), '/Root/', parameters('certificateName'))]",
      "type": "Microsoft.ApiManagement/service/certificates",
      "apiVersion": "2019-01-01",
      "properties": {
        "data": "[parameters('CertificateBase64Content')]",
        "password": "[parameters('CertificatePassword')]"
      }
    }
  ],
  "outputs": {}
}
Looking at the terraform documentation, it seems these certificates can be managed through the base schema, and I confirmed this in the terraform azurerm provider source code (unfortunately I cannot use Terraform; in this case I have to use ARM).
Any clue on how to manage CA certificates in Azure APIM through ARM?
Answer 0 (score: 0)
I assume you want to update the CA certificate authority section of an existing APIM? If so, you just need to provide all the required properties for Microsoft.ApiManagement/service, but for the name use the name of the existing APIM you want to update and pick the same resource group. Thanks to that, it will only update the existing APIM with the properties you provided instead of creating a new one. The required properties are name, type, apiVersion, location, sku and properties. For properties you need to provide publisherEmail and publisherName, and of course certificates, since that is what you want to update after all. So the absolute minimum for the update would look like this:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "base64EncodedCertificate": {
      "defaultValue": "base64 encoded certificate",
      "type": "String"
    },
    "certificatePassword": {
      "defaultValue": "certificate password",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "name": "existing-apim-name",
      "type": "Microsoft.ApiManagement/service",
      "apiVersion": "2021-01-01-preview",
      "location": "West Europe",
      "sku": {
        "name": "Developer",
        "capacity": 1
      },
      "properties": {
        "publisherEmail": "publisher@gmail.com",
        "publisherName": "Publisher Name",
        "certificates": [
          {
            "encodedCertificate": "[parameters('base64EncodedCertificate')]",
            "certificatePassword": "[parameters('certificatePassword')]",
            "storeName": "Root"
          }
        ]
      }
    }
  ]
}
Beware: the certificates array must contain all the certificates you want to have on this APIM. Any existing CA certificate that is not in this array will be deleted.
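The replace-all behaviour of the certificates array is what wiped the CA certificate in the question above. The following Python helper, added here as an example and not part of the question or answer, builds the minimal update template from the full desired set of CA certificates and reports which currently deployed thumbprints the template would drop before it is submitted. The allowed storeName values, the SHA-1 thumbprint convention and the DER (.cer, password-less) input are assumptions; the certificate bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib

# storeName values accepted by the service-level schema (assumed; the page itself only shows "Root")
ALLOWED_STORES = {"Root", "CertificateAuthority"}


def cert_entry(der_bytes: bytes, store_name: str, password: str = "") -> dict:
    """One element of the service-level "certificates" array."""
    if store_name not in ALLOWED_STORES:
        raise ValueError(f"unsupported storeName {store_name!r}")
    return {
        "encodedCertificate": base64.b64encode(der_bytes).decode("ascii"),
        "certificatePassword": password,
        "storeName": store_name,
    }


def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 of the DER bytes, upper-case hex (assumes a DER .cer, not a PFX)."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def update_template(apim_name: str, location: str, publisher_email: str,
                    publisher_name: str, certs: list) -> dict:
    """Minimal incremental-mode template carrying the complete desired CA set."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "name": apim_name,
            "type": "Microsoft.ApiManagement/service",
            "apiVersion": "2021-01-01-preview",
            "location": location,
            "sku": {"name": "Developer", "capacity": 1},
            "properties": {
                "publisherEmail": publisher_email,
                "publisherName": publisher_name,
                "certificates": certs,
            },
        }],
    }


def certs_dropped_by(template: dict, deployed_thumbprints: list) -> list:
    """Deployed thumbprints that are absent from the template: these would be wiped."""
    kept = set()
    for entry in template["resources"][0]["properties"]["certificates"]:
        der = base64.b64decode(entry["encodedCertificate"], validate=True)
        kept.add(thumbprint(der))
    return sorted(set(deployed_thumbprints) - kept)
```

Run certs_dropped_by against the thumbprints shown in the portal for the existing service before each deployment; a non-empty result means the template is missing a certificate that the deployment would remove.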