我有下面的二头肌代码模块,它将客户管理的密钥添加到存储帐户中,问题是它期望密钥保管库与存储帐户位于同一资源组中,但情况可能并非如此。
看看
keyvaulturi
,是否可以在评估resourceid
函数时通过包含资源组来引用它,这样它就可以引用正确的密钥库。
最终目标是重写创建存储帐户的二头肌模块,以便同时创建客户管理密钥,而不是运行两个单独的模块。
resource AssignCMKtoStorageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
name: AssignCMKtoStorageAccountName
location: location
tags: appliedTags
kind: 'StorageV2'
sku: {
name: skuName
}
identity: {
type: 'SystemAssigned'
}
properties: {
publicNetworkAccess: 'Disabled'
allowBlobPublicAccess: false
networkAcls: {
bypass: 'AzureServices'
defaultAction: 'Deny'
}
encryption: {
services: {
file: {
enabled: true
}
blob: {
enabled: true
}
}
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: CMKName
keyvaulturi: reference(resourceId('Microsoft.KeyVault/vaults', keyVaultName), '2016-10-01', 'full').properties.vaultUri
}
}
}
}
resourceId
函数将允许您传递资源组名称:
param keyVaultName string
param keyVaultRGName string
keyvaulturi: reference(resourceId(keyVaultRGName, 'Microsoft.KeyVault/vaults', keyVaultName), '2016-10-01', 'full').properties.vaultUri
Tho Bicep 建议使用
existing
资源,这样类似的东西也可以工作:
param keyVaultName string
param keyVaultRGName string
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
name: keyVaultName
scope: resourceGroup(keyVaultRGName)
}
resource AssignCMKtoStorageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
...
properties: {
...
encryption: {
...
keyvaultproperties: {
...
keyvaulturi: keyVault.properties.vaultUri
}
}
}
}