Problem description
Is it possible to add an access policy through a conditional statement? Basically, if environment == production, I don't want to add the registration. My template contains the following, but if the environment is production I don't want the application named foobarapplicationId to be added. Can I do this inline, or do I need a separate template? Would setting foobarapplicationId to an empty string work?
{
  "name": "[variables('keyvault-name')]",
  "type": "Microsoft.keyvault/vaults",
  "apiVersion": "2016-10-01",
  "location": "[resourceGroup().location]",
  "properties": {
    "tenantId": "[subscription().tenantId]",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "accesspolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[parameters('keyvaultOwner')]",
        "permissions": {
          "keys": [ "all" ],
          "secrets": [ "all" ],
          "certificates": [ "all" ],
          "storage": [ ]
        }
      },
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[parameters('foobarapplicationId')]",
        "permissions": {
          "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
          "secrets": [ "get" ],
          "certificates": [ "get" ]
        }
      }
    ]
  }
}
Solution
That would be adding a condition section to the individual access policy, which takes the environment parameter like this:
{
  "condition": "[not(equals(parameters('environment'),'PROD'))]",
  "tenantId": "[subscription().tenantId]",
  "objectId": "[parameters('foobarApplicationId')]",
  "permissions": {
    "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
    "secrets": [ "get" ],
    "certificates": [ "get" ],
    "storage": [ ]
  }
}
"condition" inside "accessPolicies" does not seem to have any effect for me. It does not cause a validation or deployment error, but the access policy is added even when the condition evaluates to false.

I found the following trick works better: use "if" for your "objectId" and "permissions" clauses, so that if the condition is false you assign an empty set of permissions to an empty GUID, which is effectively a no-op.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "keyVaultNoPermissions": { },
    "keyVaultAppReadPermissions": {
      "keys": [ "get", "list" ],
      "secrets": [ "get" ],
      "certificates": [ "get", "list" ]
    }
  },
  "resources": [
    // ...
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'),'/add')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[parameters('keyVaultName')]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[if(not(equals(parameters('environment'),'PROD')),parameters('foobarApplicationId'),'00000000-0000-0000-0000-000000000000')]",
            "permissions": "[if(not(equals(parameters('environment'),'PROD')),variables('keyVaultAppReadPermissions'),variables('keyVaultNoPermissions'))]"
          }
        ]
      }
    }
  ]
}
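To check what the "if"-based entry above actually resolves to in each environment, here is an added Python script (example code, not from the question or either answer) that evaluates the small subset of ARM template functions the answer uses (if, not, equals, parameters, variables) and reports whether the resulting entry is the empty-GUID/no-permissions no-op. The application GUID is a constructed sample; the permission sets are the answer's own variables.

```python
import re

EMPTY_GUID = "00000000-0000-0000-0000-000000000000"
_TOKEN = re.compile(r"\s*(?:(?P<id>[A-Za-z_]\w*)|'(?P<str>[^']*)'|(?P<sym>[(),]))")

def _tokenize(expr):
    # identifiers, 'strings' and the symbols ( ) , ; anything else is rejected
    matches = list(_TOKEN.finditer(expr))
    assert "".join(m.group(0) for m in matches) == expr.rstrip(), f"unexpected text in {expr!r}"
    return [(m.lastgroup, m.group(m.lastgroup)) for m in matches]

def _parse(tokens, i=0):
    # expr := 'string' | name '(' expr (',' expr)* ')'   -> (node, index after it)
    kind, val = tokens[i]
    if kind == "str":
        return val, i + 1
    assert kind == "id" and tokens[i + 1] == ("sym", "("), f"bad call at token {i}"
    args, i = [], i + 2
    while tokens[i] != ("sym", ")"):
        arg, i = _parse(tokens, i)
        args.append(arg)
        i += tokens[i] == ("sym", ",")  # step over the argument separator
    return (val, args), i + 1

def _eval(node, params, variables):
    if isinstance(node, str):  # string literal
        return node
    fn, a = node[0], [_eval(x, params, variables) for x in node[1]]
    return {"parameters": lambda: params[a[0]], "variables": lambda: variables[a[0]],
            "equals": lambda: a[0] == a[1], "not": lambda: not a[0],
            "if": lambda: a[1] if a[0] else a[2]}[fn]()

def resolve(expr, params, variables):
    # Evaluate a "[...]" template expression string.
    return _eval(_parse(_tokenize(expr[1:-1]))[0], params, variables)

# The access-policy entry from the answer, with the 'PROD' comparison written out in full.
POLICY = {
    "objectId": "[if(not(equals(parameters('environment'),'PROD')),parameters('foobarApplicationId'),'00000000-0000-0000-0000-000000000000')]",
    "permissions": "[if(not(equals(parameters('environment'),'PROD')),variables('keyVaultAppReadPermissions'),variables('keyVaultNoPermissions'))]",
}
VARIABLES = {"keyVaultNoPermissions": {},
             "keyVaultAppReadPermissions": {"keys": ["get", "list"], "secrets": ["get"], "certificates": ["get", "list"]}}

def effective_policy(environment, app_id="22222222-2222-2222-2222-222222222222"):
    # app_id defaults to a constructed sample GUID; no_op is True when nothing is granted.
    params = {"environment": environment, "foobarApplicationId": app_id}
    policy = {k: resolve(v, params, VARIABLES) for k, v in POLICY.items()}
    policy["no_op"] = policy["objectId"] == EMPTY_GUID and policy["permissions"] == {}
    return policy
```

Calling effective_policy("PROD") returns the empty GUID with empty permissions (no_op True), while effective_policy("DEV") returns the application id with the read permission set.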