Problems deploying multiple resources with an ARM subscription-level deployment

Question (votes: 1, answers: 1)

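I am rewriting our ARM templates because we are moving away from linked templates. Linked templates make it hard for us to control versions. I am using a subscription-level deployment to deploy a resource group and, nested inside it, a deletion lock, a storage account, a key vault, 2 function apps, a user-assigned managed identity and a key vault access policy.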

The ARM template I am using:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "deplocation": {
            "type": "string",
            "allowedValues": [
                "West Europe",
                "North Europe"
            ],
            "defaultValue": "West Europe",
            "metadata": {
                "description": "Location for all resources."
            }
        },
        "tags": {
            "type": "object"
        },
        "rgName": {
            "type": "string"
        },
        "saName": {
            "type": "string",
            "metadata": {
                "description": "The name of the resource."
            }
        },
        "saType": {
            "type": "string",
            "allowedValues": [
                "Standard_LRS",
                "Standard_GRS",
                "Standard_ZRS",
                "Premium_LRS"
            ],
            "defaultValue": "Standard_LRS",
            "metadata": {
                "description": "Gets or sets the SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called accountType. - Standard_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_LRS, Premium_ZRS, Standard_GZRS, Standard_RAGZRS"
            }
        },
        "saKind": {
            "type": "string",
            "allowedValues": [
                "StorageV2",
                "BlobStorage",
                "FileStorage",
                "BlockBlobStorage"
            ],
            "defaultValue": "StorageV2",
            "metadata": {
                "description": "Indicates the type of storage account. - Storage, StorageV2, BlobStorage, FileStorage, BlockBlobStorage"
            }
        },
        "saAccessTier": {
            "type": "string"
        },
        "saSupportsHttpsTrafficOnly": {
            "type": "bool"
        },
        "kvName": {
            "type": "string"
        },
        "kvSkuName": {
            "type": "string"
        },
        "kvSkuFamily": {
            "type": "string"
        },
        "kvSecretsPermissions": {
            "type": "array"
        },
        "uamiName": {
            "type": "string"
        },
        "fa1Name": {
            "type": "string"
        },
        "fa2Name": {
            "type": "string"
        },
        "aspName": {
            "type": "string"
        },
        "aspRg": {
            "type": "string"
        },
        "appInsightsName": {
            "type": "string"
        },
        "appInsightsRg": {
            "type": "string"
        }
    },
    "variables": {
        "tenantId": "[subscription().tenantId]",
        "subscriptionId": "[subscription().subscriptionId]"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/resourceGroups",
            "apiVersion": "2018-05-01",
            "location": "[parameters('depLocation')]",
            "name": "[parameters('rgName')]",
            "tags": "[parameters('tags')]",
            "properties": {
            }
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2018-05-01",
            "name": "resourceDeployment",
            "resourceGroup": "[parameters('rgName')]",
            "dependsOn": [
                "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "name": "DeletionLock",
                            "type": "Microsoft.Authorization/locks",
                            "apiVersion": "2017-04-01",
                            "properties": {
                                "level": "CanNotDelete",
                                "notes": "[parameters('rgName')]"
                            }
                        },
                        {
                            "name": "[parameters('saName')]",
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2019-04-01",
                            "sku": {
                                "name": "[parameters('saType')]"
                            },
                            "kind": "[parameters('saKind')]",
                            "location": "[parameters('deplocation')]",
                            "tags": "[parameters('tags')]",
                            "properties": {
                                "accessTier": "[parameters('saAccessTier')]",
                                "supportsHttpsTrafficOnly": "[parameters('saSupportsHttpsTrafficOnly')]"
                            }
                        },
                        {
                            "name": "[concat(parameters('saName'), '/default')]",
                            "type": "Microsoft.Storage/storageAccounts/blobServices",
                            "apiVersion": "2019-04-01",
                            "dependsOn": [
                                "[resourceId('Microsoft.Storage/storageAccounts', parameters('saName'))]"
                            ],
                            "properties": {
                                "cors": {
                                    "corsRules": [
                                    ]
                                },
                                "deleteRetentionPolicy": {
                                    "enabled": false
                                }
                            }
                        },
                        {
                            "name": "[parameters('kvName')]",
                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2018-02-14",
                            "location": "[parameters('deplocation')]",
                            "tags": "[parameters('tags')]",
                            "properties": {
                                "tenantId": "[variables('tenantId')]",
                                "accessPolicies": [
                                ],
                                "sku": {
                                    "name": "[parameters('kvSkuName')]",
                                    "family": "[parameters('kvSkuFamily')]"
                                }
                            }
                        },
                        {
                            "name": "[parameters('uamiName')]",
                            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
                            "apiVersion": "2018-11-30",
                            "location": "[parameters('deplocation')]",
                            "tags": "[parameters('tags')]",
                            "properties": {
                            }
                        },
                        {
                            "name": "[parameters('fa1Name')]",
                            "type": "Microsoft.Web/sites",
                            "apiVersion": "2019-08-01",
                            "kind": "functionapp",
                            "location": "[parameters('deplocation')]",
                            "tags": "[parameters('tags')]",
                            "dependsOn": [
                                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uamiName'))]",
                                "[resourceId('Microsoft.Storage/storageAccounts/', parameters('saName'))]"
                            ],
                            "identity": {
                                "type": "SystemAssigned, UserAssigned",
                                "userAssignedIdentities": {
                                    "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uamiName'))]": {
                                    }
                                }
                            },
                            "properties": {
                                "siteConfig": {
                                    "appSettings": [
                                        {
                                            "name": "FUNCTIONS_WORKER_RUNTIME",
                                            "value": "dotnet"
                                        },
                                        {
                                            "name": "WEBSITE_TIME_ZONE",
                                            "value": "W. Europe Standard Time"
                                        },
                                        {
                                            "name": "AzureWebJobsStorage",
                                            "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('saName'),';AccountKey=',listKeys(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Storage/storageAccounts/',parameters('saName')),providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value,';')]"
                                        },
                                        {
                                            "name": "FUNCTIONS_EXTENSION_VERSION",
                                            "value": "~2"
                                        },
                                        {
                                            "name": "WEBSITE_RUN_FROM_PACKAGE",
                                            "value": "1"
                                        },
                                        {
                                            "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
                                            "value": "[reference(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('appInsightsRg'),'/providers/microsoft.insights/components/',parameters('appInsightsName')),providers('microsoft.insights', 'components').apiVersions[0]).InstrumentationKey]"
                                        }
                                    ],
                                    "alwaysOn": true
                                },
                                "serverFarmId": "[concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('aspRg'),'/providers/Microsoft.Web/serverfarms/',parameters('aspName'))]",
                                "httpsOnly": true
                            }
                        },
                        {
                            "name": "[parameters('fa2Name')]",
                            "type": "Microsoft.Web/sites",
                            "apiVersion": "2019-08-01",
                            "kind": "functionapp",
                            "location": "[parameters('deplocation')]",
                            "tags": "[parameters('tags')]",
                            "dependsOn": [
                                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('uamiName'))]",
                                "[resourceId('Microsoft.Storage/storageAccounts/', parameters('saName'))]"
                            ],
                            "identity": {
                                "type": "SystemAssigned, UserAssigned",
                                "userAssignedIdentities": {
                                    "[concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('uamiName'))]": {
                                    }
                                }
                            },
                            "properties": {
                                "siteConfig": {
                                    "appSettings": [
                                        {
                                            "name": "FUNCTIONS_WORKER_RUNTIME",
                                            "value": "dotnet"
                                        },
                                        {
                                            "name": "WEBSITE_TIME_ZONE",
                                            "value": "W. Europe Standard Time"
                                        },
                                        {
                                            "name": "AzureWebJobsStorage",
                                            "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('saName'),';AccountKey=',listKeys(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Storage/storageAccounts/',parameters('saName')),providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value,';')]"
                                        },
                                        {
                                            "name": "FUNCTIONS_EXTENSION_VERSION",
                                            "value": "~2"
                                        },
                                        {
                                            "name": "WEBSITE_RUN_FROM_PACKAGE",
                                            "value": "1"
                                        },
                                        {
                                            "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
                                            "value": "[reference(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('appInsightsRg'),'/providers/microsoft.insights/components/',parameters('appInsightsName')),providers('microsoft.insights', 'components').apiVersions[0]).InstrumentationKey]"
                                        }
                                    ],
                                    "alwaysOn": true
                                },
                                "serverFarmId": "[concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('aspRg'),'/providers/Microsoft.Web/serverfarms/',parameters('aspName'))]",
                                "httpsOnly": true
                            }
                        },
                        {
                            "name": "[concat(parameters('kvName'), '/add')]",
                            "type": "Microsoft.KeyVault/vaults/accessPolicies",
                            "apiVersion": "2018-02-14",
                            "dependsOn": [
                                "[resourceId('Microsoft.KeyVault/vaults', parameters('kvName'))]",
                                "[resourceId('Microsoft.Web/sites', parameters('fa1Name'))]",
                                "[resourceId('Microsoft.Web/sites', parameters('fa2Name'))]"
                            ],
                            "properties": {
                                "accessPolicies": [
                                    {
                                        "tenantId": "[variables('tenantId')]",
                                        "objectId": "[reference(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Web/sites/', parameters('fa1Name'), '/providers/Microsoft.ManagedIdentity/Identities/default'),providers('Microsoft.ManagedIdentity', 'Identities').apiVersions[0]).principalId]",
                                        "permissions": {
                                            "secrets": "[parameters('kvSecretsPermissions')]"
                                        }
                                    }
                                    ,
                                    {
                                        "tenantId": "[variables('tenantId')]",
                                        "objectId": "[reference(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Web/sites/', parameters('fa2Name'), '/providers/Microsoft.ManagedIdentity/Identities/default'),providers('Microsoft.ManagedIdentity', 'Identities').apiVersions[0]).principalId]",
                                        "permissions": {
                                            "secrets": "[parameters('kvSecretsPermissions')]"
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                }
            }
        }
    ],
    "outputs": {
        // "uamiPrincipalId": {            
        //     "value": "[reference(concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uamiName')), providers('Microsoft.ManagedIdentity', 'userAssignedIdentities').apiVersions[0]).principalId]",
        //     "type": "string"
        // }
    }
}

The PowerShell code used to deploy the template:

#region variableDeclaration
$ErrorActionPreference = "Stop"
$subscriptionId = "subscription id here"
$location = "West Europe"
#endregion variableDeclaration

Set-location -path $PSScriptRoot

#region connectToSubscription
Connect-AzAccount -ErrorAction Stop
Set-AzContext -Subscription $subscriptionId
#endregion connectToSubscription

#region createAzureResources
$workloadInputResources = @{
    depLocation                = $location
    tags                       = @{
        dienst         = "-"
        kostenplaats   = "-"
        omgeving       = "-"
        contactpersoon = "-"
        eigenaar       = "-"
        referentie     = "-"
        omschrijving   = "-"
    }    
    rgName                     = "resources-dev-rg"
    saName                     = "resourcesdevsa"
    saType                     = "Standard_LRS"
    saKind                     = "StorageV2"
    saAccessTier               = "Hot"
    saSupportsHttpsTrafficOnly = $true
    kvName                     = "resourcesdevkv"
    kvSkuName                  = "Standard"
    kvSkuFamily                = "A"
    kvSecretsPermissions       = @("get", "list" )
    uamiName                   = "resources-dev-uami"
    fa1Name                    = "resources-dev-fa1"
    fa2Name                    = "resources-dev-fa2"
    aspName                    = "resources-dev-asp"
    aspRg                      = "resources-asp-dev-rg"
    appInsightsName            = "resources-dev-appins"
    appInsightsRg              = "resources-appins-dev-rg"
}


New-AzDeployment -Name "deployResources" -Location $location -TemplateFile .\deploy.json  @workloadInputResources

#endregion createAzureResources

Problems:

  1. When I deploy the ARM template as-is, I get the following error:
Resource Microsoft.Storage/storageAccounts 'resourcesdevsa' failed with message '{
  "error": {
    "code": "ResourceGroupNotFound",
    "message": "Resource group 'resources-dev-rg' could not be found."
  }
}'

However, the resource group itself is created successfully.

  2. When I re-run the script, I get the following error:
Resource Microsoft.Storage/storageAccounts 'resourcesdevsa' failed with message '{
  "error": {
    "code": "ResourceNotFound",
    "message": "The Resource 'Microsoft.Storage/storageAccounts/saName' under resource group 'resources-dev-rg' was not found."
  }
}'
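  3. When I comment out the deployment of fa1, fa2 and the access policy, the second problem disappears.
  4. I was under the impression that using dependsOn resolved dependency issues, but apparently I am wrong, am using it incorrectly, or am missing a dependsOn somewhere.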

I have been staring at this for a few hours now and can't seem to find the problem. Any help is appreciated.


azure arm azure-resource-manager arm-template
1 answer
0 votes

A small update, since part of the problem has been solved. There are still a few issues, though.
