azure - Deploying ARM template resources to one resource group and secrets to a Key Vault in another resource group

Tags: azure arm azureservicebus azure-keyvault

My ARM template is giving me some trouble. I deploy it at subscription level to create a resource group, then deploy the Service Bus into the newly created resource group. The Service Bus itself has 4 authorization rules, one queue and 4 topics, two of which have their own authorization rules. All of this works fine. I am trying to add the PrimaryConnectionString of the latter two authorization rules as secrets to a KeyVault in a different resource group, and that is where I start running into problems. Below is the full ARM template. For now I am only trying to get the PrimaryConnectionString from the SharedCtxListenerServiceAccessKey authorization rule on the shared-context topic.

{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "tags": {
        "type": "object",
        "metadata": {
            "description": "Specifies the tags for the Service Bus related Azure Resources."
        }
    },
    "environment": {
        "type": "object",
        "metadata": {
            "description": "Specifies the Team Environment information."
        }
    },
    "serviceBus": {
        "type": "object",
        "metadata": {
            "description": "Specifies the Service Bus information."
        }
    }
},
"variables": {
    "serviceBus": {
        "namespace": {
            "name": "[concat('team-', toLower(parameters('environment').name),'-sbn')]"
        },
        "ResourceGroupName": "[concat('Team-ServiceBus-',parameters('environment').suffix)]"
    },
    "keyVault": {
        "Name": "[concat('Team-Utilities-',parameters('environment').suffix, '-kv')]",
        "ResourceGroupName": "[concat('Team-Utilities-',parameters('environment').suffix)]"
    }
},
"resources": [
    {
        "type": "Microsoft.Resources/resourceGroups",
        "apiVersion": "2019-10-01",
        "name": "[variables('serviceBus').ResourceGroupName]",
        "location": "[parameters('environment').location]",
        "properties": {
        },
        "tags": {
            "Department": "[parameters('tags').Department]",
            "Product": "[parameters('tags').Product]",
            "Service": "[parameters('tags').Service]",
            "Environment": "[parameters('tags').environment]"
        }
    },
    {
        "type": "Microsoft.Resources/deployments",
        "name": "ServiceBus_Infrastructure",
        "apiVersion": "2017-05-10",
        "resourceGroup": "[variables('serviceBus').ResourceGroupName]",
        "properties": {
            "mode": "Incremental",
            "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                    {
                        "name": "[variables('serviceBus').namespace.name]",
                        "type": "Microsoft.ServiceBus/namespaces",
                        "apiVersion": "2017-04-01",
                        "location": "[parameters('environment').location]",
                        "properties": {
                        },
                        "sku": {
                            "name": "[parameters('serviceBus').namespace.sku.name]",
                            "tier": "[parameters('serviceBus').namespace.sku.tier]"
                        },
                        "tags": {
                            "Department": "[parameters('tags').Department]",
                            "Product": "[parameters('tags').Product]",
                            "Service": "[parameters('tags').Service]",
                            "Environment": "[parameters('tags').environment]"
                        },
                        "resources": [
                            {
                                "type": "AuthorizationRules",
                                "name": "RootManagerSharedAccessKey",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                    "rights": [
                                        "Listen",
                                        "Manage",
                                        "Send"
                                    ]
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]"
                                ]
                            },
                            {
                                "type": "AuthorizationRules",
                                "name": "PubSubSharedAccessKey",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                    "rights": [
                                        "Listen",
                                        "Send"
                                    ]
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]",
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name, '/authorizationRules/RootManagerSharedAccessKey')]"
                                ]
                            },
                            {
                                "type": "AuthorizationRules",
                                "name": "PublishSharedAccessKey",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                    "rights": [
                                        "Send"
                                    ]
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]",
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name, '/authorizationRules/PubSubSharedAccessKey')]"
                                ]
                            },
                            {
                                "type": "AuthorizationRules",
                                "name": "ClientSharedAccessKey",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                    "rights": [
                                        "Listen"
                                    ]
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]",
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name, '/authorizationRules/PublishSharedAccessKey')]"
                                ]
                            },
                            {
                                "type": "queues",
                                "name": "activity-log",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                    "lockDuration": "PT5M",
                                    "maxSizeInMegabytes": 5120,
                                    "requiresDuplicateDetection": false,
                                    "requiresSession": false,
                                    "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
                                    "deadLetteringOnMessageExpiration": false,
                                    "maxDeliveryCount": 10,
                                    "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
                                    "enablePartitioning": false,
                                    "enableExpress": false
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]"
                                ]
                            },
                            {
                                "type": "topics",
                                "name": "pdf-splitted",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]"
                                ]
                            },
                            {
                                "type": "topics",
                                "name": "platform-admin",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                },
                                "resources": [
                                    {
                                        "type": "authorizationRules",
                                        "name": "PlatformAdminListenerServiceAccessKey",
                                        "apiVersion": "2017-04-01",
                                        "properties": {
                                            "rights": [
                                                "Listen"
                                            ]
                                        },
                                        "dependsOn": [
                                            "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name, '/topics/platform-admin')]"
                                        ]
                                    }
                                ],
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]"
                                ]
                            },
                            {
                                "type": "topics",
                                "name": "shared-context",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                },
                                "resources": [
                                    {
                                        "type": "authorizationRules",
                                        "name": "SharedCtxListenerServiceAccessKey",
                                        "apiVersion": "2017-04-01",
                                        "properties": {
                                            "rights": [
                                                "Listen"
                                            ]
                                        },
                                        "dependsOn": [
                                            "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name, '/topics/shared-context')]"
                                        ]
                                    }
                                ],
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]"
                                ]
                            },
                            {
                                "type": "topics",
                                "name": "transaction-audit",
                                "apiVersion": "2017-04-01",
                                "properties": {
                                },
                                "dependsOn": [
                                    "[concat('Microsoft.ServiceBus/namespaces/',variables('serviceBus').namespace.name)]"
                                ]
                            }
                        ]
                    }
                ],
                "outputs": {
                    "SharedCtxListenerServiceAccessKeyResourceId": {
                        "type": "string",
                        "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules',variables('serviceBus').namespace.name, 'shared-context','SharedCtxListenerServiceAccessKey')]"
                    }
                }
            }
        },
        "dependsOn": [
            "[resourceId('Microsoft.Resources/resourceGroups/', variables('serviceBus').resourceGroupName)]"
        ]
    },
    {
        "type": "Microsoft.Resources/deployments",
        "name": "ServiceBus_Secrets",
        "apiVersion": "2017-05-10",
        "resourceGroup": "[variables('keyVault').ResourceGroupName]",
        "properties": {
            "mode": "Incremental",
            "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                    {
                        "type": "Microsoft.KeyVault/vaults/secrets",
                        "name": "[concat(variables('keyVault').Name,'/SharedContext-Listener-ConnectionString')]",
                        "apiVersion": "2016-10-01",
                        "properties": {
                            "contentType": "ConnectionString",
                            "value": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules',variables('serviceBus').namespace.name, 'shared-context','SharedCtxListenerServiceAccessKey')]"
                        }
                    }
                ]
            }
        },
        "dependsOn": [
            "[concat('Microsoft.Resources/deployments/','ServiceBus_Infrastructure')]"
        ]
    }
]

}

After trying a few different approaches, I managed to use the output of the ServiceBus_Infrastructure deployment to pass the resourceId and use it as the KeyVault secret, as a way of testing that most of this works as expected. I tried using the listkeys() function in the output, like so:

                        "SharedCtxListenerServiceAccessKeyResourceId": {
                            "type": "string",
                            "value": "[listkeys(resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules',variables('serviceBus').namespace.name, 'shared-context','SharedCtxListenerServiceAccessKey'),'2017-04-01').PrimaryConnectionString]"
                        }
                    }

But that gives me this error: {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"NotFound","message":"{\r\n\"error\": {\r\n\"code\":\"ParentResourceNotFound\",\r\n\"message\":\"Can not perform requested operation on nested resource. Parent resource 'team-development-sbn' not found.\"\r\n }\r\n}"}]}

This is strange, because the Service Bus was created in the previous deployment and the last deployment resource depends on it. I think I read somewhere that because the Service Bus resource lives inside a deployment resource, it does not necessarily know that it has actually completed, which might be why it cannot find it?

I also tried putting the listKeys() function in the value field of the keyvault secret, but it says the reference() function is not expected there.

My basic question is: how do I get the PrimaryConnectionString and deploy it as a secret to a keyvault in a different resource group, preferably in the same template (since this is one of many services that will hopefully follow this pattern, where resources are created and the necessary values are stored in a central keystore)? Thanks for your help!

Best answer

I think if you rerun this template it will work. So what is happening: you are using nested templates, and they "render" everything at the same time, so there are effectively no dependencies inside nested templates (well, there are, but it is a bit weird). In short, I suggest you use linked templates (so convert the Service Bus deployment into a linked template) and do it that way.

ps. Honestly, unless you plan to manage subscription-level resources with ARM templates, just drop the subscription-level deployment altogether.
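The pattern below is an added example, not the question's template or the answerer's code. It follows the ps. above by deploying at resource-group scope (into the Service Bus resource group) and, instead of a linked template, it uses the other way of giving the secret-writing step its own evaluation scope: a nested deployment with "expressionEvaluationOptions": {"scope": "inner"} (apiVersion 2019-10-01 or later). With inner scope the listKeys() call in the secret's value is evaluated by the nested deployment itself, which only starts once its dependsOn on the authorization rule is satisfied, so the ParentResourceNotFound race from the question does not arise. The linked-template route the answer recommends has exactly the same shape, with "templateLink" replacing the inline "template". The parameter names, the Standard SKU and the "comments" fields are assumptions; the topic name shared-context, the rule name SharedCtxListenerServiceAccessKey and the secret name are taken from the question, and the Key Vault is assumed to already exist in the other resource group.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusNamespaceName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: namespace created by this template, e.g. team-development-sbn." }
    },
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: name of an existing Key Vault in keyVaultResourceGroup." }
    },
    "keyVaultResourceGroup": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: resource group that holds the Key Vault, e.g. Team-Utilities-<suffix>." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "topicName": "shared-context",
    "ruleName": "SharedCtxListenerServiceAccessKey",
    "ruleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/topics/authorizationRules', parameters('serviceBusNamespaceName'), variables('topicName'), variables('ruleName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ServiceBus/namespaces",
      "apiVersion": "2017-04-01",
      "name": "[parameters('serviceBusNamespaceName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard", "tier": "Standard" },
      "properties": {}
    },
    {
      "type": "Microsoft.ServiceBus/namespaces/topics",
      "apiVersion": "2017-04-01",
      "name": "[concat(parameters('serviceBusNamespaceName'), '/', variables('topicName'))]",
      "properties": {},
      "dependsOn": [
        "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
      ]
    },
    {
      "type": "Microsoft.ServiceBus/namespaces/topics/authorizationRules",
      "apiVersion": "2017-04-01",
      "name": "[concat(parameters('serviceBusNamespaceName'), '/', variables('topicName'), '/', variables('ruleName'))]",
      "comments": "Listen-only rule, as in the question: the consumer holding this secret can neither send nor manage.",
      "properties": { "rights": [ "Listen" ] },
      "dependsOn": [
        "[resourceId('Microsoft.ServiceBus/namespaces/topics', parameters('serviceBusNamespaceName'), variables('topicName'))]"
      ]
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "ServiceBus_Secrets",
      "resourceGroup": "[parameters('keyVaultResourceGroup')]",
      "comments": "Inner scope: everything under 'template' is evaluated by this nested deployment, which starts only after the rule above exists. The full resource ID of the rule is handed in as a parameter, so no cross-resource-group resourceId() lookup is needed inside.",
      "dependsOn": [ "[variables('ruleResourceId')]" ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "keyVaultName": { "value": "[parameters('keyVaultName')]" },
          "ruleResourceId": { "value": "[variables('ruleResourceId')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "keyVaultName": { "type": "string" },
            "ruleResourceId": { "type": "string" }
          },
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "apiVersion": "2019-09-01",
              "name": "[concat(parameters('keyVaultName'), '/SharedContext-Listener-ConnectionString')]",
              "properties": {
                "contentType": "ConnectionString",
                "value": "[listKeys(parameters('ruleResourceId'), '2017-04-01').primaryConnectionString]"
              }
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it into the Service Bus resource group, for example with az deployment group create --resource-group Team-ServiceBus-<suffix> --template-file <this file> --parameters serviceBusNamespaceName=... keyVaultName=... keyVaultResourceGroup=...; the identity running the deployment needs write permission on secrets in the target vault as well as on the Service Bus resource group. Two points worth keeping in mind with this layout: inner-scope templates cannot read the parent's parameters or variables directly, which is why the vault name and rule ID are passed through "properties.parameters"; and the connection string is fetched inside the secret-writing deployment rather than returned through an output, because deployment outputs are stored in deployment history and are readable by anyone with read access to the resource group, which would leave the key visible outside the vault.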

Regarding "azure - Deploying ARM template resources to one resource group and secrets to a Key Vault in another resource group", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60499589/
