
I have an existing certificate in Key Vault and I want to reference it from my Bicep template.

resource prodCertificate 'Microsoft.Web/certificates@2020-12-01' existing = {
  name: 'my-custom-certificate-name/123809dsfj2jf09j32123123'
  scope: resourceGroup('certificateResourceGroup')
}

The current Bicep template runs in a different resource group, appServiceResourceGroup, while the Key Vault is in certificateResourceGroup.

The above does not work because Bicep complains that the name must not contain a slash.

If I use only my-custom-certificate-name, I get an error stating

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "ResourceNotFound",
      "message": "The Resource 'Microsoft.Web/certificates/my-custom-certificate-name' under resource group 'certificateResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
    }
  ]
}

1 Answer


I tested the same scenario you are attempting, i.e. importing a certificate from a Key Vault in one resource group into an App Service in another resource group.

I used the code below to do this:

@description('Resource name for the imported certificate')
param name string

@description('Location of the certificate resource (must match the App Service Plan)')
param location string = resourceGroup().location

@description('Full resource ID of the Key Vault that holds the certificate (may be in another resource group)')
param keyvaultid string

@description('Name of the Key Vault secret/certificate that contains the PFX')
param certificatesecretname string

@description('PFX password, if the certificate is protected by one')
@secure()
param pass string

@description('Resource ID of the existing App Service Plan')
param existingAppPlanResourceId string

// Imports the PFX from Key Vault into a Microsoft.Web/certificates resource.
// The Microsoft.Web resource provider reads the secret, so it needs access to the vault.
resource prodCertificate 'Microsoft.Web/certificates@2021-02-01' = {
  name: name
  location: location
  properties: {
    keyVaultId: keyvaultid
    keyVaultSecretName: certificatesecretname
    password: pass
    serverFarmId: existingAppPlanResourceId
  }
}

Output:

Existing certificate in Key Vault:

Deployment and parameters:

Azure portal App Service:

Note: Please make sure the Microsoft.Web Resource Provider has access to the Key Vault. You can do this from the portal via Keyvault >> access policies >> add an access policy, and search for abfa0a7c-a6b6-4736-8310-5855508787cd in the service principal search dialog, so that it adds the following resource provider to the access policy.


If you want to add the certificate from Key Vault and then also create an SSL binding, you can use something like the following:

@description('Existing App Service Plan resource id that contains the App Service being updated')
param existingServerFarmId string

@description('User friendly certificate resource name')
param certificateName string

@description('Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)')
param existingKeyVaultId string

@description('Key Vault Secret that contains a PFX certificate')
param existingKeyVaultSecretName string

@description('Existing App name to use for creating SSL binding. This App should have the hostname assigned as a custom domain')
param existingWebAppName string

@description('Custom hostname for creating SSL binding. This hostname should already be assigned to the Web App')
param hostname string

@description('Location for all resources.')
param location string = resourceGroup().location

resource certificateName_resource 'Microsoft.Web/certificates@2019-08-01' = {
  name: certificateName
  location: location
  properties: {
    keyVaultId: existingKeyVaultId
    keyVaultSecretName: existingKeyVaultSecretName
    serverFarmId: existingServerFarmId
  }
}

resource existingWebAppName_resource 'Microsoft.Web/sites@2019-08-01' = {
  name: existingWebAppName
  location: location
  properties: {
    name: existingWebAppName
    hostNameSslStates: [
      {
        name: hostname
        sslState: 'SniEnabled'
        thumbprint: certificateName_resource.properties.thumbprint
        toUpdate: true
      }
    ]
  }
}

Reference:

Microsoft.Web/certificates - Bicep & ARM template reference | Microsoft Docs

Answered on 2021-10-14T09:02:04.707
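The answer's note grants the Microsoft.Web resource provider access to the vault by clicking through the portal. The following is an added example, not code from the question or the answer, that does the same step as a Bicep module so the access policy is part of the deployment and is limited to read access. It assumes the parameter names shown, a file name of kv-access-policy.bicep, and that the caller passes the object ID of the "Microsoft Azure App Service" service principal (appId abfa0a7c-a6b6-4736-8310-5855508787cd); the object ID is tenant-specific, so it is looked up once, for example with `az ad sp show --id abfa0a7c-a6b6-4736-8310-5855508787cd --query id -o tsv` on a current Azure CLI.

```bicep
// kv-access-policy.bicep (added example, not from the original answer)
// Grants the App Service resource provider read access to an existing Key Vault
// so that a Microsoft.Web/certificates import can fetch the PFX secret.
// Deploy it as a module scoped to the Key Vault's resource group from the
// template that creates the certificate.

targetScope = 'resourceGroup'

@description('Name of the existing Key Vault that holds the PFX as a secret (assumed parameter name)')
param keyVaultName string

@description('Object ID (not the appId) of the Microsoft Azure App Service service principal in this tenant (assumed parameter name)')
param appServiceRpObjectId string

// The vault is referenced as existing, not declared, so this deployment cannot
// alter its other settings (soft delete, purge protection, network rules).
resource kv 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
  name: keyVaultName
}

// The child resource named 'add' merges this policy into the vault's existing
// policies instead of replacing them. Only 'get' is granted: importing a
// certificate reads the secret and the certificate object, nothing more.
resource appServiceRpPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2021-10-01' = {
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: appServiceRpObjectId
        permissions: {
          secrets: [
            'get'
          ]
          certificates: [
            'get'
          ]
        }
      }
    ]
  }
}

// Full resource ID of the vault, for the keyVaultId property of the certificate.
output vaultId string = kv.id
```

From the certificate template in the App Service resource group, call it with `module kvAccess 'kv-access-policy.bicep' = { name: 'kv-access', scope: resourceGroup('certificateResourceGroup'), params: { keyVaultName: ..., appServiceRpObjectId: ... } }` and set the certificate's `keyVaultId` to `kvAccess.outputs.vaultId`. Using the module output gives the certificate an implicit dependency on the policy, so the import runs only after the resource provider has been granted access, and it supplies the cross-resource-group vault ID without hard-coding it. A separate module is required because Bicep only deploys an access policy at the scope of the vault that owns it.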