问题描述
我有下面的二头肌模板,我想使用基于身份的连接,我如何相应地构建模板。
我使用了 https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code?tabs=PowerShell 此处的指南进行部署。
New-AzResourceGroup -Name exampleRG -Location eastus
New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -storageName "{your-unique-name}"
但是,我在处理模板文件时遇到错误 - Code=InvalidTemplateDeployment; Message=模板部署“bicepeg”是 根据验证程序无效
var baseName = uniqueString('identityRepro',subscription().id)
var location = 'uksouth'
resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
name: baseName
location: location
sku: {
name: 'Standard_lrs'
}
kind: 'StorageV2'
}
resource asp 'Microsoft.Web/serverfarms@2019-08-01' = {
name: baseName
location: location
sku: {
name: 'Y1'
tier: 'Dynamic'
}
}
resource ai 'Microsoft.Insights/components@2015-05-01' = {
name: baseName
location: location
kind: 'web'
properties: {
Application_Type: 'web'
}
}
resource fa 'Microsoft.Web/sites@2019-08-01' = {
name: baseName
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
serverFarmId: asp.id
}
kind: 'functionapp'
resource appSettings 'config@2018-11-01' = {
name: 'appsettings'
properties: {
'AzureWebJobsstorage__accountName': stg.name
'FUNCTIONS_WORKER_RUNTIME': 'powershell'
'FUNCTIONS_WORKER_RUNTIME_VERSION': '~7'
'APPINSIGHTS_INSTRUMENTATIONKEY': ai.properties.InstrumentationKey
}
}
}
resource blobContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: guid(fa.name,stg.name,'ba92f.........d-a403-e96b0029c9fe')
properties: {
principalId: fa.identity.principalId
roleDeFinitionId: resourceId('Microsoft.Authorization/roleDeFinitions','ba92f.......-a403-e96b0029c9fe')
principalType: 'ServicePrincipal'
}
scope: stg
}
解决方法
我认为您的问题是角色的 id。角色在订阅级别定义,而不是在资源组中定义。在您的代码中,resourceId 函数使用 subscriptionResourceId。
更新:当您对 github 问题进行了更多澄清时,您的另一个问题是名称的构造方式。 uniqueString
函数根据种子(您提供给函数的参数)生成伪随机字符串(哈希)。当你给出完全相同的值时 - 你会得到同样的结果。
下面的代码对我有用
var baseName = uniqueString(resourceGroup().id)
var location = 'uksouth'
resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' = {
name: baseName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
}
resource asp 'Microsoft.Web/serverfarms@2019-08-01' = {
name: baseName
location: location
sku: {
name: 'Y1'
tier: 'Dynamic'
}
}
resource ai 'Microsoft.Insights/components@2015-05-01' = {
name: baseName
location: location
kind: 'web'
properties: {
Application_Type: 'web'
}
}
resource fa 'Microsoft.Web/sites@2019-08-01' = {
name: baseName
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
serverFarmId: asp.id
}
kind: 'functionapp'
resource appSettings 'config@2018-11-01' = {
name: 'appsettings'
properties: {
'AzureWebJobsStorage__accountName': stg.name
'FUNCTIONS_WORKER_RUNTIME': 'powershell'
'FUNCTIONS_WORKER_RUNTIME_VERSION': '~7'
'APPINSIGHTS_INSTRUMENTATIONKEY': ai.properties.InstrumentationKey
}
}
}
resource blobContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: guid(fa.name,stg.name,'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
properties: {
principalId: fa.identity.principalId
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ba92f5b4-2d11-453d-a403-e96b0029c9fe')
principalType: 'ServicePrincipal'
}
scope: stg
}
在您的代码中使用 resourceGroup().id
作为 uniqueString
参数 - 因为它包含您订阅的唯一 guid 和资源组名称,该名称在订阅中必须是唯一的 - 您的哈希也应该是唯一的。仅提供 subscription().id
将为该订阅和其中的资源组的所有部署生成相同的字符串。