Azurerm Web 应用程序权限

Question

有人知道创建 Azure WebApp 需要什么权限吗？

我有一个通过 Azure-DevOps 运行的 Ansible playbook，它应该创建一个资源组和应用服务:

- hosts: localhost

  vars:
    resource_group: foo
    webapp_name: app-foo123
    plan_name: asp-foobar123
    location: westus2

  tasks:
    - name: Create a resource group
      azure_rm_resourcegroup:
        name: "{{ resource_group }}"
        location: "{{ location }}"

    - name: Create an App Service
      azure_rm_webapp:
        resource_group: "{{ resource_group }}"
        name: "{{ webapp_name }}"
        plan:
          resource_group: "{{ resource_group }}"
          name: "{{ plan_name }}"
          sku: S1
          number_of_workers: 1
        frameworks:
          - name: "net_framework"
            version: "4.8"

资源组已创建，但应用服务失败并出现授权错误:

raise models.DefaultErrorResponseException(self._deserialize, response)\nazure.mgmt.web.models.default_error_response_py3.DefaultErrorResponseException: Operation returned an invalid status code 'Unauthorized'\n", "module_stdout":

所使用的服务主体在订阅级别具有 contributor、Web Plan Contributor 和 Website Contributor 权限，我是否需要授予它任何额外的权限才能使其正常工作，或者我完全错过了一些东西吗？

Answer 1

我创建了一个服务主体，并为其分配了订阅级别的贡献者角色，请参阅下文:-

使用上述服务主体创建了 Azure DevOps 服务连接:-

在我的 azure Devops Ansible 任务中使用相同的服务主体作为身份验证。

当我运行该任务时，资源组已成功创建，但 Web 应用程序出错。 检查冲突的错误消息以及通过在运行管道时启用诊断而收到的错误:-

错误:-

TASK [Create App Service on Linux with Java Runtime] ***************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error creating the Web App instance: Operation returned an invalid status 'Conflict'\nContent: {\"Code\":\"Conflict\",\"Message\":\"Website with given name myfirstWebApp123 already exists.\",\"Target\":null,\"Details\":[{\"Message\":\"Website with given name myfirstWebApp123 already exists.\"},{\"Code\":\"Conflict\"},{\"ErrorEntity\":{\"ExtendedCode\":\"54001\",\"MessageTemplate\":\"Website with given name {0} already exists.\",\"Parameters\":[\"myfirstWebApp123\"],\"Code\":\"Conflict\",\"Message\":\"Website with given name myfirstWebApp123 already exists.\"}}],\"Innererror\":null}"}

我使用下面的yaml脚本来运行具有我的Web应用程序的唯一名称的ansible任务，请参阅下面:-

代码:-

# Starter pipeline

# Start with a minimal pipeline that you can customize to build and deploy your code.

# Add steps that build, run tests, deploy, and more:

# https://aka.ms/yaml

  

# Starter pipeline

# Start with a minimal pipeline that you can customize to build and deploy your code.

# Add steps that build, run tests, deploy, and more:

# https://aka.ms/yaml

  

# Ansible pipeline

# Tesing

  

trigger:

- master

  

pool:

vmImage: 'ubuntu-latest'

  

steps:

  

- task: UsePythonVersion@0

displayName: 'Install Python'

inputs:

versionSpec: '3.7'

  

- task: AzureCLI@2

displayName: 'Azure CLI'

inputs:

azureSubscription: 'ansible'

scriptType: 'bash'

scriptLocation: 'inlineScript'

inlineScript: |

echo "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$(az account show --query="id" -o tsv)"

echo "##vso[task.setvariable variable=ARM_CLIENT_ID]${servicePrincipalId}"

echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET]${servicePrincipalKey}"

echo "##vso[task.setvariable variable=ARM_TENANT_ID]${tenantId}"

addSpnToEnvironment: true

- script: pip install ansible

displayName: 'Install Ansible'

  

- script: pip install -r https://raw.githubusercontent.com/ansible-collections/azure/dev/requirements-azure.txt

displayName: 'Install Azure modules needed'

  

- script: ansible-galaxy collection install azure.azcollection

displayName: 'Install Ansible Azure Collection'

- script: ansible-playbook -i inv site.yml

displayName: 'Run Ansible Playbook'

env:

AZURE_CLIENT_ID: $(ARM_CLIENT_ID)

AZURE_SECRET: $(ARM_CLIENT_SECRET)

AZURE_TENANT: $(ARM_TENANT_ID)

AZURE_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)

我已在此处添加了我的服务连接:-

inputs:

azureSubscription: 'ansible'

我的 site.yml Ansible 剧本:-

- hosts: localhost

connection: local

vars:

resource_group: valleyrg45678

webapp_name: valleywebapp098754

plan_name: valleyappserviceplan3452

location: eastus

tasks:

- name: Create a resource group

azure_rm_resourcegroup:

name: "{{ resource_group }}"

location: "{{ location }}"

  

- name: Create App Service on Linux with Java Runtime

azure_rm_webapp:

resource_group: "{{ resource_group }}"

name: "{{ webapp_name }}"

plan:

resource_group: "{{ resource_group }}"

name: "{{ plan_name }}"

is_linux: true

sku: S1

number_of_workers: 1

frameworks:

- name: "java"

version: "8"

settings:

java_container: tomcat

java_container_version: 8.5

输出:-

Web 应用程序创建任务成功运行，如下所示:-

门户:-

引用:-

Azure DevOps Ansible Pipeline | by Russ Mckendrick | Media Glasses | Medium