我正在重写 ARM 模板,因为我们不再使用链接模板——链接模板让版本难以控制。我使用订阅级别的部署来创建资源组,并在其中通过嵌套部署创建删除锁、存储帐户、Key Vault、2 个 Function App、用户分配的托管标识以及 Key Vault 访问策略。
我使用的ARM模板:
// ARM template that creates a resource group and then, through a nested
// deployment into that group, a delete lock, a storage account with blob
// service settings, a Key Vault, a user-assigned managed identity, function
// app resources and Key Vault access policies for them.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion": "1.0.0.0","parameters": {
"deplocation": {
"type": "string","allowedValues": [
"West Europe","North Europe"
],"defaultvalue": "West Europe","metadata": {
"description": "Location for all resources."
}
},"tags": {
"type": "object"
},"rgName": {
"type": "string"
},"saName": {
"type": "string","metadata": {
"description": "The name of the resource."
}
},"saType": {
"type": "string","allowedValues": [
"Standard_LRS","Standard_GRS","Standard_ZRS","Premium_LRS"
],"defaultvalue": "Standard_LRS","metadata": {
"description": "Gets or sets the SKU name. Required for account creation; optional for update. Note that in older versions,SKU name was called accountType. - Standard_LRS,Standard_GRS,Standard_RAGRS,Standard_ZRS,Premium_LRS,Premium_ZRS,Standard_GZRS,Standard_RAGZRS"
}
},"saKind": {
"type": "string","allowedValues": [
"StorageV2","BlobStorage","FileStorage","BlockBlobStorage"
],"defaultvalue": "StorageV2","metadata": {
"description": "Indicates the type of storage account. - Storage,StorageV2,BlobStorage,FileStorage,BlockBlobStorage"
}
},"saaccessTier": {
"type": "string"
},"saSupportsHttpsTrafficOnly": {
"type": "bool"
},"kvName": {
"type": "string"
},"kvSkuName": {
"type": "string"
},"kvSkuFamily": {
"type": "string"
},"kvSecretsPermissions": {
"type": "array"
},"uamiName": {
"type": "string"
},"fa1Name": {
"type": "string"
},"fa2Name": {
"type": "string"
},"aspName": {
"type": "string"
},"aspRg": {
"type": "string"
},"appInsightsname": {
"type": "string"
},"appInsightsrg": {
"type": "string"
}
},"variables": {
"tenantId": "[subscription().tenantId]","subscriptionId": "[subscription().subscriptionId]"
},"resources": [
{
"type": "microsoft.Resources/resourceGroups","apiVersion": "2018-05-01","location": "[parameters('depLocation')]","name": "[parameters('rgName')]","tags": "[parameters('tags')]","properties": {
}
},{
// Nested deployment that targets the resource group created above (dependsOn
// orders it after that group).
// NOTE(review): no expressionEvaluationOptions is set on this deployment, so
// the expressions in the inline template (resourceId, reference, listKeys)
// are presumably evaluated in the parent deployment's scope rather than
// inside resource group rgName - confirm; an inner evaluation scope changes that.
"type": "microsoft.Resources/deployments","name": "resourceDeployment","resourceGroup": "[parameters('rgName')]","dependsOn": [
"[resourceId('microsoft.Resources/resourceGroups/',parameters('rgName'))]"
],"properties": {
"mode": "Incremental","template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","resources": [
{
// CanNotDelete management lock. No scope is given, so it presumably applies
// to the resource group this nested deployment targets - confirm.
"name": "DeletionLock","type": "microsoft.Authorization/locks","apiVersion": "2017-04-01","properties": {
"level": "CanNotDelete","notes": "[parameters('rgName')]"
}
},{
// Storage account. HTTPS-only enforcement is taken from the
// saSupportsHttpsTrafficOnly parameter, which has no default and no allowed
// values, so a caller can pass false.
"name": "[parameters('saName')]","type": "microsoft.Storage/storageaccounts","apiVersion": "2019-04-01","sku": {
"name": "[parameters('saType')]"
},"kind": "[parameters('saKind')]","location": "[parameters('deplocation')]","properties": {
"accessTier": "[parameters('saaccessTier')]","supportsHttpsTrafficOnly": "[parameters('saSupportsHttpsTrafficOnly')]"
}
},{
// Blob service settings: an empty CORS rule list, and the blob
// delete-retention policy is explicitly disabled (enabled: false).
"name": "[concat(parameters('saName'),'/default')]","type": "microsoft.Storage/storageaccounts/blobServices","dependsOn": [
"[resourceId('microsoft.Storage/storageaccounts',parameters('saName'))]"
],"properties": {
"cors": {
"corsRules": [
]
},"deleteRetentionPolicy": {
"enabled": false
}
}
},{
// Key Vault created with an empty access-policy list; policies are added by
// the vaults/accesspolicies resource further down. Only tenantId,
// accesspolicies and sku are set here - no soft-delete, purge-protection or
// network rule properties appear in this template.
// NOTE(review): redeploying a vault with an empty accesspolicies array
// presumably replaces policies that already exist on it - confirm.
"name": "[parameters('kvName')]","type": "microsoft.KeyVault/vaults","apiVersion": "2018-02-14","properties": {
"tenantId": "[variables('tenantId')]","accesspolicies": [
],"sku": {
"name": "[parameters('kvSkuName')]","family": "[parameters('kvSkuFamily')]"
}
}
},{
"name": "[parameters('uamiName')]","type": "microsoft.ManagedIdentity/userAssignedIdentities","apiVersion": "2018-11-30","properties": {
}
},{
// Function app with both a system-assigned and the user-assigned identity,
// httpsOnly set to true. Its AzureWebJobsStorage app setting is a connection
// string that embeds the storage account key returned by listKeys().
// NOTE(review): anyone who can read the app settings can read that key;
// consider whether a Key Vault reference or identity-based access fits here.
// NOTE(review): the dependsOn array below is cut off in this listing, as is
// the second function app (fa2Name) after this resource.
"name": "[parameters('fa1Name')]","type": "microsoft.Web/sites","apiVersion": "2019-08-01","kind": "functionapp","dependsOn": [
"[resourceId('microsoft.ManagedIdentity/userAssignedIdentities/',parameters('uamiName'))]","[resourceId('microsoft.Storage/storageaccounts/',"identity": {
"type": "SystemAssigned,UserAssigned","userAssignedIdentities": {
"[concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',parameters('rgName'),'/providers/microsoft.ManagedIdentity/userAssignedIdentities/',parameters('uamiName'))]": {
}
}
},"properties": {
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_WORKER_RUNTIME","value": "dotnet"
},{
"name": "WEBSITE_TIME_ZONE","value": "W. Europe Standard Time"
},{
"name": "AzureWebJobsStorage","value": "[concat('DefaultEndpointsProtocol=https;accountName=',parameters('saName'),';accountKey=',listKeys(concat('/subscriptions/','/providers/microsoft.Storage/storageaccounts/',parameters('saName')),providers('microsoft.Storage','storageaccounts').apiVersions[0]).keys[0].value,';')]"
},{
"name": "FUNCTIONS_EXTENSION_VERSION","value": "~2"
},{
"name": "WEBSITE_RUN_FROM_PACKAGE","value": "1"
},{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY","value": "[reference(concat('/subscriptions/',parameters('appInsightsrg'),'/providers/microsoft.insights/components/',parameters('appInsightsname')),providers('microsoft.insights','components').apiVersions[0]).InstrumentationKey]"
}
],"alwaysOn": true
},"serverFarmId": "[concat('/subscriptions/',parameters('aspRg'),'/providers/microsoft.Web/serverfarms/',parameters('aspName'))]","httpsOnly": true
}
},{
"name": "[parameters('fa2Name')]",{
"name": "[concat(parameters('kvName'),'/add')]","type": "microsoft.KeyVault/vaults/accesspolicies","dependsOn": [
"[resourceId('microsoft.KeyVault/vaults',parameters('kvName'))]","[resourceId('microsoft.Web/sites',parameters('fa1Name'))]",parameters('fa2Name'))]"
],"properties": {
// Access policies added to the vault: each entry grants the secret
// permissions from kvSecretsPermissions to a principalId looked up with
// reference() on a function app's identity. Keep that permission list to the
// minimum the apps need.
"accesspolicies": [
{
"tenantId": "[variables('tenantId')]","objectId": "[reference(concat('/subscriptions/','/providers/microsoft.Web/sites/',parameters('fa1Name'),'/providers/microsoft.ManagedIdentity/Identities/default'),providers('microsoft.ManagedIdentity','Identities').apiVersions[0]).principalId]","permissions": {
"secrets": "[parameters('kvSecretsPermissions')]"
}
},{
"tenantId": "[variables('tenantId')]",parameters('fa2Name'),"permissions": {
"secrets": "[parameters('kvSecretsPermissions')]"
}
}
]
}
}
]
}
}
}
],"outputs": {
// "uamiPrincipalId": {
// "value": "[reference(concat('/subscriptions/',parameters('uamiName')),'userAssignedIdentities').apiVersions[0]).principalId]",// "type": "string"
// }
}
}
用于部署该模板的 PowerShell 代码:
# Signs in to Azure, selects the target subscription and runs deploy.json with
# New-AzDeployment, passing the template parameters by splatting a hashtable.
#region variableDeclaration
$ErrorActionPreference = 'Stop'            # any cmdlet error aborts the script
$subscriptionId = 'subscription id here'   # placeholder; supply the real id when running
$location = 'West Europe'
#endregion variableDeclaration

# The relative template path below is resolved from the script's own folder.
Set-Location -Path $PSScriptRoot

#region connectToSubscription
Connect-AzAccount -ErrorAction Stop
Set-AzContext -Subscription $subscriptionId
#endregion connectToSubscription

#region createAzureResources
# Tag values handed to the template's "tags" object parameter.
$resourceTags = @{
    dienst         = '-'
    kostenplaats   = '-'
    omgeving       = '-'
    contactpersoon = '-'
    eigenaar       = '-'
    referentie     = '-'
    omschrijving   = '-'
}

# One entry per template parameter; the key names must match the parameter
# names declared in deploy.json because they are splatted onto the cmdlet.
$templateParameters = @{
    depLocation                = $location
    tags                       = $resourceTags
    rgName                     = 'resources-dev-rg'
    saName                     = 'resourcesdevsa'
    saType                     = 'Standard_LRS'
    saKind                     = 'StorageV2'
    saaccessTier               = 'Hot'
    saSupportsHttpsTrafficOnly = $true            # storage account accepts HTTPS only
    kvName                     = 'resourcesdevkv'
    kvSkuName                  = 'Standard'
    kvSkuFamily                = 'A'
    kvSecretsPermissions       = @('get', 'list') # secret permissions for the access policies
    uamiName                   = 'resources-dev-uami'
    fa1Name                    = 'resources-dev-fa1'
    fa2Name                    = 'resources-dev-fa2'
    aspName                    = 'resources-dev-asp'
    aspRg                      = 'resources-asp-dev-rg'
    appInsightsname            = 'resources-dev-appins'
    appInsightsrg              = 'resources-appins-dev-rg'
}

New-AzDeployment -Name 'deployResources' -Location $location -TemplateFile .\deploy.json @templateParameters
#endregion createAzureResources
问题:
- 按原样部署arm模板时,出现以下错误:
Resource microsoft.Storage/storageaccounts 'resourcesdevsa' failed with message '{
"error": {
"code": "ResourceGroupNotFound","message": "Resource group 'resources-dev-rg' could not be found."
}
}'
但资源组本身已经创建成功。
- 重新运行脚本时,出现以下错误:
Resource microsoft.Storage/storageaccounts 'resourcesdevsa' failed with message '{
"error": {
"code": "ResourceNotFound","message": "The Resource 'microsoft.Storage/storageaccounts/saName' under resource group 'resources-dev-rg' was not found."
}
}'
- 当我注释掉 fa1、fa2 和访问策略的部署时,第二个问题就消失了。
我原以为使用 dependsOn 就能解决依赖问题,但显然我错了:要么是用法不对,要么是某处缺少了 dependsOn。
我已经盯着这个问题好几个小时了,却始终找不到原因。非常感谢任何帮助。