azure - 如何使用 Bicep 创建资源组并向其中添加 key 保管库？

Question

我正在尝试创建一个资源组并向其中添加一个 key 保管库。

但是，我无法将新资源组设置为 Key Vault 的目标资源组。

如何将 key 保管库分配给新创建的资源组，而不为其创建第二个 Bicep 模块？

var loc = 'westus'

// outputs the newly created resource group
module rgCreate 'test.rg.bicep' = {
  scope: subscription()
  name: 'rgCreate'
  params: {
    rgLocation: loc
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'Test'
  location: loc
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
  }
}

这是我的目标工作流程:

Answer 1

首先，如果资源组不存在，则 main.bicep 文件中不能包含 targetScope = 'resourceGroup'。命令 az Deployment Group create 将失败:

{"code": "ResourceGroupNotFound", "message": "Resource group '' could not be found."}

您始终可以从已存在的另一个资源触发部署(不确定这是否是一个好主意)。

一种方法可能是让 main.bicep 调用两个模块:一个用于资源组创建，一个用于资源创建:

// =========== rg.bicep ===========

// Setting target scope
targetScope = 'subscription'

param name string
param location string

// Creating resource group
resource rg 'Microsoft.Resources/resourceGroups@2021-01-01' = {
  name: name
  location: location
}

// =========== resources.bicep ===========

param location string = resourceGroup().location
param keyVaultName string
...

//Deploying key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
  }
}

// Deploying other resources
...

// =========== main.bicep ===========

// Setting target scope
targetScope = 'subscription'

// Parameters
param rgName string = 'test-rg'
param rgLocation string = 'westus'
param keyVaultName string
...

// Creating resource group
module rgModule 'rg.bicep' = {
  scope: subscription()
  name: '${rgName}-create'  
  params:{
    name: rgName
    location: rgLocation
  }  
}

// Deploying resources in the newly created resource
module resources 'resources.bicep' = {
  name: '${rgName}-resources-deployment'
  scope: resourceGroup(rgName)
  dependsOn: [ rgModule ]
  params: {
    location: rgLocation
    keyVaultName: keyVaultName
    ...
  }
}

说实话，您可以在部署模板之前运行 az group create 命令，这会让事情变得更简单。