azure - Logic App connector policy raises "Property Immutable" error

Tags: azure azure-logic-apps azure-bicep dataverse

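There is a Logic App Standard that uses a Dataverse connector. An access policy is needed so that the workflows in the logic app can use the connector. Below are the Bicep files, except for the service plan, which I do not have access to. Using various quickstart templates from Azure repos does not seem to solve the problem.

The question is: why does this error occur, and what can be done to resolve it?

The error is raised only when the access policy is added, and it is as follows:

"errorCode: PropertyImmutable. Message: The property 'ConnectionAceStorageEntity.PrincipalId' is immutable."

Bicep for the connector: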

param DataverseConnectionClient string
param DataverseConnectionName string
param DataverseConnectionTenant string
param Location string

@secure()
param DataverseConnectionSecret string

resource DataverseConnection 'Microsoft.Web/connections@2016-06-01' = {
  // This property may give a warning, but it should work and be passed further
  // https://github.com/Azure/bicep/issues/3512
  kind: 'V2'
  name: DataverseConnectionName
  location: Location
  properties: {
    displayName: DataverseConnectionName
    parameterValues: {
      'token:TenantId': DataverseConnectionTenant
      'token:clientId': DataverseConnectionClient
      'token:grantType': 'client_credentials'
      'token:clientSecret': DataverseConnectionSecret
    }
    api: {
      name: 'commondataservice'
      displayName: 'Microsoft Dataverse (legacy)'
      description: 'Provides access to the environment database in Microsoft Dataverse.'
      category: 'Standard'
      id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/commondataservice'
      type: 'Microsoft.Web/locations/managedApis'
    }
  }
}

// This reference may give a warning but the top level property 'connectionRuntimeUrl' should be offered back
// https://github.com/Azure/bicep/issues/3494
output connectionRuntimeUrl string = DataverseConnection.properties.connectionRuntimeUrl

Bicep for the logic app:

resource LogicAppSite 'Microsoft.Web/sites@2022-09-01' = {
  name: LogicAppSiteName
  location: LogicAppLocation
  tags: {
    'hidden-link: /app-insights-resource-id': '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Insights/components/${AppInsightsName}'
  }
  kind: 'functionapp,workflowapp'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    enabled: true
    serverFarmId: ServerFarmId
    reserved: false
    isXenon: false
    hyperV: false
    vnetRouteAllEnabled: false
    vnetImagePullEnabled: false
    vnetContentShareEnabled: false
    siteConfig: {
      numberOfWorkers: 1
      acrUseManagedIdentityCreds: false
      alwaysOn: false
      http20Enabled: false
      appSettings: [
        {
          name: 'APP_KIND'
          value: 'workflowApp'
        }
        {
          name: 'AzureFunctionsJobHost__extensionBundle__id'
          value: 'Microsoft.Azure.Functions.ExtensionBundle.Workflows'
        }
        {
          name: 'AzureFunctionsJobHost__extensionBundle__version'
          value: '[1.*, 2.0.0)'
        }
        {
          name: 'AzureWebJobsStorage'
          value: 'DefaultEndpointsProtocol=https;AccountName=${StorageAccountName};AccountKey=${listKeys('${resourceGroup().id}/providers/Microsoft.Storage/storageAccounts/${StorageAccountName}', '2019-06-01').keys[0].value};EndpointSuffix=core.windows.net'
        }
        // {
        //   name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
        //   value: 'DefaultEndpointsProtocol=https;AccountName=${StorageAccountName};AccountKey=${listKeys('${resourceGroup().id}/providers/Microsoft.Storage/storageAccounts/${StorageAccountName}', '2019-06-01').keys[0].value};EndpointSuffix=core.windows.net'
        // }
        // {
        //   name: 'WEBSITE_CONTENTSHARE'
        //   value: LogicAppSiteName
        // }
        {
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~4'
        }
        {
          name: 'WEBSITE_CONTENTOVERVNET'
          value: '1'
        }
        {
          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
          value: reference(resourceId('Microsoft.Insights/components', AppInsightsName), '2020-02-02').ConnectionString
        }
        {
          name: 'WORKFLOWS_SUBSCRIPTION_ID'
          value: subscription().subscriptionId
        }
        {
          name: 'WORKFLOWS_LOCATION_NAME'
          value: LogicAppLocation
        }
        {
          name: 'WORKFLOWS_RESOURCE_GROUP_NAME'
          value: resourceGroup().name
        }
        {
          name: 'WORKFLOWS_DATAVERSE_CONNECTION_NAME'
          value: DataverseConnectionName
        }
        {
          name: 'WORKFLOWS_DATAVERSE_CONN_ID'
          value: DataverseConnection.id
        }
        {
          name: 'WORKFLOWS_DATAVERSE_CONN_RUNTIMEURL'
          // This reference may give a warning but the top level property 'connectionRuntimeUrl' should be offered back
          // https://github.com/Azure/bicep/issues/3494
          value: DataverseConnection.properties.connectionRuntimeUrl
        }
        {
          name: 'WORKFLOWS_DATAVERSE_URL'
          value: DataverseUrl
        }
      ]
    }
    scmSiteAlsoStopped: false
    clientAffinityEnabled: false
    clientCertEnabled: false
    clientCertMode: 'Required'
    hostNamesDisabled: false
    customDomainVerificationId: '...'
    containerSize: 1536
    dailyMemoryTimeQuota: 0
    httpsOnly: true
    redundancyMode: 'None'
    publicNetworkAccess: 'Enabled'
    storageAccountRequired: false
    keyVaultReferenceIdentity: 'SystemAssigned'
    
  }
}

resource LogicAppSiteName_web 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: LogicAppSite
  name: 'web'
  properties: {
    numberOfWorkers: 1
    defaultDocuments: [
      'Default.htm'
      'Default.html'
      'Default.asp'
      'index.htm'
      'index.html'
      'iisstart.htm'
      'default.aspx'
      'index.php'
    ]
    netFrameworkVersion: 'v6.0'
    requestTracingEnabled: false
    remoteDebuggingEnabled: false
    httpLoggingEnabled: false
    acrUseManagedIdentityCreds: false
    logsDirectorySizeLimit: 35
    detailedErrorLoggingEnabled: false
    publishingUsername: LogicAppSiteName
    scmType: 'None'
    use32BitWorkerProcess: false
    webSocketsEnabled: false
    alwaysOn: false
    managedPipelineMode: 'Integrated'
    preWarmedInstanceCount: 0
    elasticWebAppScaleLimit: 0
    functionsRuntimeScaleMonitoringEnabled: true
    functionAppScaleLimit: 0
    virtualApplications: [
      {
        virtualPath: '/'
        physicalPath: 'site\\wwwroot'
        preloadEnabled: false
      }
    ]
    loadBalancing: 'LeastRequests'
    experiments: {
      rampUpRules: []
    }
    autoHealEnabled: false
    vnetRouteAllEnabled: true
    vnetPrivatePortsCount: 0
    publicNetworkAccess: 'Enabled'
    cors: {
      supportCredentials: false
    }
    localMySqlEnabled: false
    managedServiceIdentityId: 37494
    ipSecurityRestrictions: [
      {
        ipAddress: 'Any'
        action: 'Allow'
        priority: 2147483647
        name: 'Allow all'
        description: 'Allow all access'
      }
    ]
    http20Enabled: false
    minTlsVersion: '1.2'
    scmMinTlsVersion: '1.2'
    azureStorageAccounts: {}
  }
}

resource LogicAppSiteName_LogicAppSiteName_azurewebsites_net 'Microsoft.Web/sites/hostNameBindings@2022-09-01' = {
  parent: LogicAppSite
  name: '${LogicAppSiteName}.azurewebsites.net'
  properties: {
    siteName: LogicAppSiteName
    hostNameType: 'Verified'
  }
}

Finally, the Bicep for the access policy:

resource connections_dataverse_logicAppSystemAssignedIdentityObjectId 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  name: DataversePolicyName
  parent: DataverseConnection
  location: LogicAppLocation
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        tenantId: subscription().tenantId
        objectId: LogicAppSite.identity.principalId
      }
    }
  }
}

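Best answer

Found the culprit: if the same connection is created manually in the portal, with the same name but a different PrincipalID, the ARM/Bicep deployment cannot overwrite it.

Just make sure that experiments in portal.azure.com do not overlap with deployments from the pipeline.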
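The situation the answer describes, as an added example (not part of the original answer or of any Azure tooling): a pre-deployment check that compares the access policies already on the connection with the one the template is about to deploy, and also lists leftover policies that still grant other principals use of the connection. The JSON sample, the policy names, the object IDs and the `value` list wrapper are constructed assumptions; the `properties` shape mirrors the Bicep access policy above.

```python
import json

# Constructed sample: access policies already present on the connection.
# The properties mirror the Bicep accessPolicies resource on this page;
# the outer {"value": [...]} wrapper is an assumption.
EXISTING_JSON = """
{"value": [
  {"name": "logicapp-policy",
   "properties": {"principal": {"type": "ActiveDirectory", "identity": {
     "tenantId": "00000000-0000-0000-0000-0000000000aa",
     "objectId": "11111111-1111-1111-1111-111111111111"}}}},
  {"name": "portal-test",
   "properties": {"principal": {"type": "ActiveDirectory", "identity": {
     "tenantId": "00000000-0000-0000-0000-0000000000aa",
     "objectId": "22222222-2222-2222-2222-222222222222"}}}}
]}
"""


def load_sample():
    """Parse the constructed sample above."""
    return json.loads(EXISTING_JSON)


def principal_of(policy):
    """Return the lower-cased objectId an access policy grants access to."""
    identity = policy.get("properties", {}).get("principal", {}).get("identity", {})
    return (identity.get("objectId") or "").lower()


def check_policy(existing, policy_name, desired_object_id):
    """Classify what deploying (policy_name, desired_object_id) would meet.

    Returns (status, stale): status is 'create', 'unchanged' or 'conflict'
    (same name, different principal: the PropertyImmutable case); stale lists
    other policies that grant the connection to a different principal.
    """
    desired = desired_object_id.lower()
    status, stale = "create", []
    for policy in existing.get("value", []):
        name = policy.get("name", "")
        current = principal_of(policy)
        if name.lower() == policy_name.lower():  # ARM names are case-insensitive
            status = "unchanged" if current == desired else "conflict"
        elif current != desired:
            stale.append(name)
    return status, stale


if __name__ == "__main__":
    new_identity = "33333333-3333-3333-3333-333333333333"  # constructed
    print(check_policy(load_sample(), "logicapp-policy", new_identity))
```

A `conflict` result means the existing policy has to be deleted before the pipeline runs; entries in `stale` are worth reviewing because each one lets another identity use the connection and its stored client secret.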

Regarding azure - Logic App connector policy raises "Property Immutable" error, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/76465070/
