
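I am using VSTS to deploy Azure resources. I use the "Azure Resource Group Deployment" task to deploy ARM templates. For a specific parameter, how can I override the value with an ARM function (concat, listkeys, etc.)?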

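Example: my ARM template has a parameter that is a storage account key, and instead of providing the key directly, I want to provide it by passing [listkeys(...)]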


2 Answers


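You cannot do that; several functions (such as listKeys()) are evaluated only at runtime. I don't know what you are trying to achieve, so there may be some way to do what you are trying to achieve.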

If you want to hide the keys, you can store them in Key Vault and retrieve them at deployment time:

"password": {
    "reference": {
        "keyVault": {
            "id": "[resourceId('kvGroup', 'Microsoft.KeyVault/vaults', 'kvName')]"
        },
        "secretName": "secret"
    }
},
answered 2018-07-04T14:01:12.810

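If the storage account is not created in the same ARM template, I would use a parameter to provide the name of the storage account, and then use listkeys() within the ARM template to get the storage account connection string.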

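If you create the storage account in a previous ARM template deployment in the pipeline, you can use output parameters to make the connection string available in the pipeline. Here is an example where xxx represents your company naming prefix: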

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "environment": {
      "type": "string",
      "defaultValue": "d",
      "metadata": {
        "description": "The deployment environment, given by develop (d), testing (t), production (p) or quality assurance (q)"
      }
    }
  },
  "variables": {
    "busUnit": "vendor_name_here",

    //storage account names must be lowercase and are limited to 24 alpha numeric characters
    "storage_account_name": "[concat('xxx', parameters('environment'), variables('busUnit'), 'stor')]"        
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "sku": {
        "name": "Standard_LRS", //this is a hard coded SKU
        "tier": "Standard" //general purpose versus blob-only
      },
      "kind": "Storage", 
      "name": "[variables('storage_account_name')]",
      "apiVersion": "2017-06-01",
      "location": "[resourceGroup().location]", //add it to the same region/location as the resource group
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": {
              "enabled": true
            }
          }
        },
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Allow",
          "ipRules": [],
          "virtualNetworkRules": []
        }
      },
      "dependsOn": []
    }
  ],
  "outputs": {
    "storageAccountKey": {
      //"description": "This works if the storage account is in the same resource group. It returns the access key for the account",
      "type": "securestring",
      "value": "[listKeys(variables('storage_account_name'),'2015-05-01-preview').key1]"
    },
    "storageAccountName": {
      //"description": "This is the computed name of the storage account, based on naming conventions in the variables",
      "type": "string",
      "value": "[variables('storage_account_name')]"
    }
  }
}
answered 2018-07-04T19:26:58.727