Referencing a Key Vault URI with resourceId: how do I reference the resource group in Bicep?

Question · Votes: 0 · Answers: 1

I have the Bicep module below, which adds a customer-managed key to a storage account. The problem is that it expects the Key Vault to be in the same resource group as the storage account, which may not be the case.

Looking at keyvaulturi, is it possible to reference it by including the resource group when the resourceId function is evaluated, so that it points at the correct Key Vault?

The end goal is to rewrite the Bicep module that creates the storage account so that it also creates the customer-managed key at the same time, instead of running two separate modules.

```bicep
// Parameters implied by the module body (their declarations were not shown in the original).
param AssignCMKtoStorageAccountName string
param location string
param appliedTags object
param skuName string
param CMKName string
param keyVaultName string

resource AssignCMKtoStorageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: AssignCMKtoStorageAccountName
  location: location
  tags: appliedTags
  kind: 'StorageV2'
  sku: {
    name: skuName
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
    }
    encryption: {
      services: {
        file: {
          enabled: true
        }
        blob: {
          enabled: true
        }
      }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyname: CMKName
        // resourceId() called with only a type and a name resolves in the deployment's own
        // resource group, so this only works when the vault sits next to the storage account.
        keyvaulturi: reference(resourceId('Microsoft.KeyVault/vaults', keyVaultName), '2016-10-01', 'full').properties.vaultUri
      }
    }
  }
}
```
azure azure-resource-manager azure-keyvault azure-bicep
1 Answer

0 votes

The resourceId function will let you pass a resource group name:

```bicep
param keyVaultName string
param keyVaultRGName string

// Inside keyvaultproperties: the first argument selects the vault's resource group.
keyvaulturi: reference(resourceId(keyVaultRGName, 'Microsoft.KeyVault/vaults', keyVaultName), '2016-10-01', 'full').properties.vaultUri
```

Though Bicep recommends using existing resources, so something like this would also work:

```bicep
param keyVaultName string
param keyVaultRGName string

// Reference the vault in its own resource group; nothing is deployed by this declaration.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultRGName)
}

resource AssignCMKtoStorageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  ...
  properties: {
    ...
    encryption: {
      ...
      keyvaultproperties: {
        ...
        keyvaulturi: keyVault.properties.vaultUri
      }
    }
  }
}
```
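The existing-resource approach from the answer carried through to the asker's end goal, as an added example that is not part of the original question or answer: a two-file Bicep deployment that creates the key in a vault living in another resource group, grants the storage account's identity access to that vault, and creates the storage account with CMK enabled in a single deployment. It uses a user-assigned identity instead of the asker's system-assigned one, because a system-assigned identity does not exist until the storage account has been created and so cannot be granted vault access before the account is created with CMK. The file names, the identity name, the parameter defaults and the key parameters (RSA 3072) are assumptions; the vault is assumed to already exist with RBAC authorization and purge protection enabled, which storage CMK requires.

```bicep
// ---- file: kv-cmk.bicep (deployed into the vault's resource group by the main file) ----
// Creates the key in the existing vault and grants the storage account's identity the
// built-in "Key Vault Crypto Service Encryption User" role (get, wrapKey, unwrapKey).
// Assumes the vault uses RBAC authorization and has purge protection enabled.
targetScope = 'resourceGroup'

param keyVaultName string
param keyName string
param principalId string

// Built-in role definition GUID for "Key Vault Crypto Service Encryption User".
var cryptoUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: keyVault
  name: keyName
  properties: {
    kty: 'RSA'
    keySize: 3072 // assumed key size
    keyOps: [ 'wrapKey', 'unwrapKey' ]
  }
}

resource cmkRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, principalId, cryptoUserRoleId) // deterministic: redeploys are idempotent
  scope: keyVault
  properties: {
    roleDefinitionId: cryptoUserRoleId
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

// Consumed by the main file; referencing it also orders the storage account after the key and role grant.
output vaultUri string = keyVault.properties.vaultUri

// ---- file: storage-cmk.bicep (main file, deployed into the storage account's resource group) ----
param storageAccountName string
param location string = resourceGroup().location
param skuName string = 'Standard_GRS'
param keyVaultName string
param keyVaultRGName string
param CMKName string
param storageIdentityName string = '${storageAccountName}-cmk-id' // hypothetical default

// A user-assigned identity exists before the account does, so it can be granted vault access
// first. A system-assigned identity only exists once the account is created, which would force
// a second deployment to switch encryption over to the vault key.
resource storageIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: storageIdentityName
  location: location
}

// Deploying the key and role assignment into another resource group requires a module.
module cmk 'kv-cmk.bicep' = {
  name: 'cmk-${storageAccountName}'
  scope: resourceGroup(keyVaultRGName)
  params: {
    keyVaultName: keyVaultName
    keyName: CMKName
    principalId: storageIdentity.properties.principalId
  }
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: skuName }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${storageIdentity.id}': {} }
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    allowBlobPublicAccess: false
    networkAcls: { bypass: 'AzureServices', defaultAction: 'Deny' }
    encryption: {
      // Identity the storage service presents to the vault when wrapping/unwrapping data keys.
      identity: { userAssignedIdentity: storageIdentity.id }
      services: { blob: { enabled: true }, file: { enabled: true } }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyname: CMKName
        keyvaulturi: cmk.outputs.vaultUri
        // keyversion is omitted on purpose: the account then follows the latest key version.
      }
    }
  }
}
```

Deploy storage-cmk.bicep against the storage account's resource group (for example with az deployment group create); the deploying principal needs rights to create keys in the vault and role assignments in the vault's resource group, which Bicep cannot grant for it. If the vault has a firewall, the storage service must be allowed through it (the "allow trusted Microsoft services" bypass) or the account creation fails when it first tries to wrap a key. The only secret-bearing value in the whole deployment is the key itself, which never leaves the vault; the template only carries names, URIs and principal IDs.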