This can be done, but it is not a nice solution for Bicep, because the OS disk has to be patched to associate the diskAccess resource, and that association is currently not available - afaik - as a separate resource in ARM or Bicep. So some "Bicep module hopping" is needed to do this patching in stages.

I extended the existing vm.bicep template for the VM and added a subnet for the disks:
```bicep
...
{
  name: subnetDiskName
  properties: {
    addressPrefix: subnetDiskPrefix
    privateEndpointNetworkPolicies: 'Disabled'
  }
}
...
```
Finally, in vm.bicep I added a reference to that subnet so it can be passed as a parameter to the next stage. The patching has to be split into 2 stages/modules:
- GET/fetch the OS disk again as an object
- PATCH/PUT the OS disk with the existing object data plus the reference to the diskAccess resource
```bicep
...
resource subnetDisk 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = {
  name: subnetDiskName
  parent: vnet
}

module patchDisk 'get-patch-disk.bicep' = {
  name: 'getPatchDisk'
  params: {
    virtualMachineName: virtualMachineName
    diskName: vm.properties.storageProfile.osDisk.name
    location: location
    subnetId: subnetDisk.id
  }
}
```
Stage 1, get-patch-disk.bicep, simply retrieves the current OS disk as an object and passes it on:
```bicep
param virtualMachineName string
param diskName string
param location string = resourceGroup().location
param subnetId string

// Reference the existing OS disk so its current state can be handed to the next module.
resource vmDiskGet 'Microsoft.Compute/disks@2020-12-01' existing = {
  name: diskName
}

module vmDiskPatch 'patch-disk.bicep' = {
  name: 'patchDisk'
  params: {
    virtualMachineName: virtualMachineName
    diskName: diskName
    vmDiskGet: vmDiskGet
    location: location
    subnetId: subnetId
  }
}
```
Then stage 2, patch-disk.bicep, creates the diskAccess resource and the privateEndpoint and patches them into the OS disk by carrying over all the given properties from the just-retrieved object and adding the properties required for private disk access.
```bicep
param virtualMachineName string
param diskName string
param location string = resourceGroup().location
param vmDiskGet object
param subnetId string

var privateEndpointName = 'privateEndpoint${uniqueString(resourceGroup().name)}'
var privateLinkConnectionName = 'privateLink${uniqueString(resourceGroup().name)}'
var diskAccessName = 'diskAccess${uniqueString(resourceGroup().name)}'

resource diskAccess 'Microsoft.Compute/diskAccesses@2020-12-01' = {
  name: diskAccessName
  location: location
  tags: {
    vmName: virtualMachineName
  }
}

// Private endpoint in the disk subnet, targeting the 'disks' group of the diskAccess resource.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-06-01' = {
  name: privateEndpointName
  location: location
  tags: {
    vmName: virtualMachineName
  }
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: privateLinkConnectionName
        properties: {
          privateLinkServiceId: diskAccess.id
          groupIds: [
            'disks'
          ]
        }
      }
    ]
  }
}

// This is a full PUT of the existing disk: anything not carried over from vmDiskGet is reset,
// so the sku and osType are copied as well, not only creationData and diskSizeGB.
resource vmDiskPut 'Microsoft.Compute/disks@2020-12-01' = {
  name: diskName
  location: vmDiskGet.location
  sku: vmDiskGet.sku
  properties: {
    diskAccessId: diskAccess.id
    networkAccessPolicy: 'AllowPrivate'
    osType: vmDiskGet.properties.osType
    creationData: vmDiskGet.properties.creationData
    diskSizeGB: vmDiskGet.properties.diskSizeGB
  }
}
```
Disclaimer
I guess the smarter solution would be to create the diskAccess resource in one Bicep template together with the VM and then return diskAccess.id and vm.properties.storageProfile.osDisk.name as output parameters. With those output parameters the patching could simply be done with az disk update -n "{diskName}" --network-access-policy AllowPrivate --disk-access "{diskAccessId}".
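The single-template variant sketched in the disclaimer above, as an added example that is not part of the original answer: it creates the diskAccess resource and its private endpoint next to a VM and emits the two values the follow-up `az disk update` needs as outputs. It assumes the VM, its virtual network and the disk subnet already exist in the resource group; the parameter names (`vnetName`, `subnetDiskName`), the `existing` references and the apiVersions are illustrative choices.

```bicep
// Added example: diskAccess + private endpoint deployed alongside an existing VM,
// with outputs for the out-of-band az disk update step.
// Assumption: VM, virtual network and disk subnet already exist in this resource group.
param virtualMachineName string
param vnetName string
param subnetDiskName string
param location string = resourceGroup().location

var suffix = uniqueString(resourceGroup().id, virtualMachineName)

resource vm 'Microsoft.Compute/virtualMachines@2021-03-01' existing = {
  name: virtualMachineName
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
  name: vnetName
}

resource subnetDisk 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' existing = {
  name: subnetDiskName
  parent: vnet
}

resource diskAccess 'Microsoft.Compute/diskAccesses@2020-12-01' = {
  name: 'diskAccess${suffix}'
  location: location
}

// The private endpoint lives in the disk subnet and points at the 'disks' group of diskAccess.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-06-01' = {
  name: 'privateEndpoint${suffix}'
  location: location
  properties: {
    subnet: {
      id: subnetDisk.id
    }
    privateLinkServiceConnections: [
      {
        name: 'privateLink${suffix}'
        properties: {
          privateLinkServiceId: diskAccess.id
          groupIds: [
            'disks'
          ]
        }
      }
    ]
  }
}

// Values consumed by: az disk update -n <osDiskName> --network-access-policy AllowPrivate --disk-access <diskAccessId>
output diskAccessId string = diskAccess.id
output osDiskName string = vm.properties.storageProfile.osDisk.name
```

Deploy it with `az deployment group create -g <rg> -f disk-access.bicep -p virtualMachineName=<vm> vnetName=<vnet> subnetDiskName=<subnet> --query properties.outputs`, then run `az disk update -g <rg> -n "<osDiskName>" --network-access-policy AllowPrivate --disk-access "<diskAccessId>"` with the two output values. Because the CLI update only sets the network-access properties, the rest of the disk (sku, osType, creationData) is left untouched, which avoids the full-PUT risk of the two-stage module approach.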