
Azure Bicep module - condition on an existing resource - how?

average.everyman · 2 years ago

    I am trying to deploy different kinds of secrets using a module. The idea is to have "general" secrets and "storage-related" secrets, where the secret value is not passed in directly but retrieved from the storage account's properties. I designed the following Secret.bicep :

    param keyVaultName string
    param secretName string
    
    @secure()
    param secretValue string
    
    @allowed([
      'general'
      'storage_conn_string'
    ])
    param secretType string = 'general'
    
    @description('For secretType = storage_*, this is how we will be passing storage name')
    param storageAccountName string = 'dummyvalue123'
    
    
    resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
      name: keyVaultName
    }
    
    resource secret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = if (secretType == 'general') {
      parent: kv
      name: secretName
      properties: {
        value: secretValue
      }
    }
    
    // for secrets related to storage we will need to have storage resource:
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if (startsWith(secretType, 'storage_')) {
      name: storageAccountName
    }
    
    // storage connection string
    resource secret_conn_string 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = if (secretType == 'storage_conn_string') {
      parent: kv
      name: secretName
      properties: {
        value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
      }
    }
    

    Now in main.bicep I have the following:

    
    @secure()
    param secretValueAPIkey string
    
    ...
    
    module secretStorageDataConnectionString 'modules/KeyVault/Secret.bicep' = {
      // this needs to be a module and not a resource because we need 
      // to pass a connection string to storage, and storage is declared here as a module
      // so we cannot use the listKeys() method
      name: 'secretStorageDataConnectionString'
      params: {
        keyVaultName: kv.outputs.keyVaultName
        secretType : 'storage_conn_string'
        storageAccountName: storageAccount4data.outputs.dtls.name
        secretName: 'secretStorageDataConnectionString'
        secretValue: 'some-dummy-secret-value' // passing a dummy value, we will retrieve the real one via the module
      }
    }
    
    module secretAPIkey 'modules/KeyVault/Secret.bicep' = {
      name: 'secretAPIkey'
      params: {
        keyVaultName: kv.outputs.keyVaultName
        secretType: 'general'
        secretName: 'secretAPIkey'
        secretValue: secretValueAPIkey
      }
    }
    

    (Note that I have skipped some parts, such as the Key Vault module or the storage module. They deploy without problems.)

    Edit:

    The storage account is created as a module:

    module storageAccount4data 'modules/Storage/StorageAccount.bicep' = {
      name: storageAccount4dataName
      params: {
        location: location
        storageAccountName: storageAccount4dataName
      }
    }
    

    StorageAccount.bicep:

    param storageAccountName string
    
    ...
    
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
      name: storageAccountName
      location: location
      sku: {
        name: storageAccountSkuName
      }
      kind: 'StorageV2'
    }
    
    output dtls object = {
      id: storageAccount.id
      name: storageAccount.name
      apiVersion: storageAccount.apiVersion
    }
    

    End of edit

    Now, when deploying, the secretStorageDataConnectionString module is created without any problem, but the secretAPIkey module returns an error:

    "target": "/subscriptions/<...>/providers/Microsoft.Resources/deployments/secretAPIkey"
    "message": "The Resource 'Microsoft.Storage/storageAccounts/dummyvalue123' under resource group <resource-group> was not found. ..."
    

    For some reason, despite the if condition, it is still trying to create the storage resource...?

    I also tested with the following:

    //secret.bicep
    param storageAccountName string = ''
    
    ...
    
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if (!empty(storageAccountName)) {
      name: storageAccountName
    }
    

    But this one does not seem to evaluate correctly either...

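As an added example (not code from the question or the answer), here is a variant of Secret.bicep that keeps the same parameters and resource names but never evaluates the storage key lookup on the 'general' path: ARM evaluates list*() calls inside a resource body even when that resource's condition is false, whereas Bicep's ternary compiles to the ARM if() function, which evaluates only the selected branch.

```bicep
param keyVaultName string
param secretName string

@secure()
param secretValue string

@allowed([
  'general'
  'storage_conn_string'
])
param secretType string = 'general'

// Only consulted when secretType starts with 'storage_'; empty by default so a
// stray lookup of a placeholder account cannot happen on the 'general' path.
param storageAccountName string = ''

var isStorageSecret = startsWith(secretType, 'storage_')

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

// The existing storage account is still conditional, so the 'general' path
// does not even reference it as a dependency.
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if (isStorageSecret) {
  name: storageAccountName
}

// One secret resource instead of two conditional ones. listKeys() sits inside the
// ternary's true branch, which ARM's if() skips entirely when isStorageSecret is false,
// so the 'general' deployment never tries to resolve a storage account.
resource secret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: kv
  name: secretName
  properties: {
    value: isStorageSecret ? 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}' : secretValue
  }
}
```

With this shape the 'general' module call in main.bicep can omit storageAccountName entirely, and the secret value still flows through a @secure() parameter rather than a placeholder.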
Jahnavi · 2 years ago

    The problem lies in the if condition, because it is not being evaluated correctly in the Bicep code.

    Normally, if the storageAccountName parameter is left empty during deployment, the storage resource is not created. If the storageAccountName parameter is not empty at deployment time, even in the secretAPIkey module

    When deploying the Bicep code, make sure the storage account name is not empty, even when it is supplied to the module.

    After supplying the storage account name, using the same code you used, everything worked as expected.

    param storageAccountName string

    secret.bicep:

    param keyVaultName string = 'newvaultj'
    param secretName string
    @secure()
    param secretValue string 
    @allowed([
      'general'
      'storage_conn_string'
    ])
    param secretType string = 'general'
    
    @description('For secretType = storage_*, this is how we will be passing storage name')
    param storageAccountName string = 'xxxxx'
    
    
    resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
      name: keyVaultName
    }
    
    resource secret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = if (secretType == 'general') {
      parent: kv
      name: secretName
      properties: {
        value: secretValue
      }
    }
    
    resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if (startsWith(secretType, 'storage_')) {
      name: storageAccountName
    }
    
    resource secret_conn_string 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = if (secretType == 'storage_conn_string') {
      parent: kv
      name: secretName
      properties: {
        value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
      }
    }
    

    main.bicep:

    @secure()
    param secretValueAPIkey string = 'newapikey'
    param keyVaultName string = 'newvaultj'
    param storageAccountName string = 'xxxxx'
    
    module secretStorageDataConnectionString 'secret.bicep' = {
      name: 'secretStorageDataConnectionString'
      params: {
        keyVaultName: kv.name
        secretType : 'storage_conn_string'
        storageAccountName: storageAccount.name
        secretName: 'secretStorageDataConnectionString'
        secretValue: 'some-dummy-secret-value'
      }
    }
    
    module secretAPIkey 'secret.bicep' = {
      name: 'secretAPIkey'
      params: {
        keyVaultName: kv.name
        secretType: 'general'
        secretName: 'secretAPIkey'
        secretValue: secretValueAPIkey
      }
    }
    

    Updated code:

    param secretValueAPIkey string = 'newapikey'
    param keyVaultName string = 'newvaultj'
    param storageAccountName string = 'jaxxxx9920'
    param location string = resourceGroup().location
    resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
      name: keyVaultName
    }
    module storageAccount4data 'StorageAccount.bicep' = {
      name: storageAccountName
      params: {
        location: location
        storageAccountName: storageAccountName
      }
    }
    
    module secretStorageDataConnectionString 'secret.bicep' = {
      name: 'secretStorageDataConnectionString'
      params: {
        keyVaultName: kv.name
        secretType : 'storage_conn_string'
        storageAccountName: storageAccount4data.name
        secretName: 'secretStorageDataConnectionString'
        secretValue: 'some-dummy-secret-value' // passing a dummy value, we will retrieve the real one via the module
      }
    }
    
    module secretAPIkey 'secret.bicep' = {
      name: 'secretAPIkey'
      params: {
        keyVaultName: kv.name
        secretType: 'general'
        secretName: 'secretAPIkey'
        secretValue: secretValueAPIkey
      }
    }
    

    Deployment succeeded:
