0

我有一个创建 2 个 webApp 和一个 KeyVault 的二头肌模板。每个 WebApp 都是使用 managedID 创建的,我需要将其添加到 Keyvault 中,以便 webapp 可以提取机密。

但是在创建 2 个 webapps 时,我不知道如何将两个 ManagedID 分配给 KeyVault。

二头肌模板正在使用模块

  name: 'ciKeyVault'
  params: {
    keyVaultName: keyVaultName
    aclBypass: keyVaultSettings.aclBypass
    aclDefaultAction: keyVaultSettings.aclDefaultAction
    enabledForDeployment: keyVaultSettings.enabledForDeployment
    enabledForDiskEncryption: keyVaultSettings.enabledForDiskEncryption
    enabledForTemplateDeployment: keyVaultSettings.enabledForTemplateDeployment
    keyPermissions: keyVaultSettings.keyPermissions
    keyVaultSettings: keyVaultSettings
    secretsPermissions: keyVaultSettings.secretsPermissions
    skuFamily: keyVaultSettings.skuFamily
    skuName: keyVaultSettings.skuName
    tenantId: subscription().tenantId
    objectId: 'b71e61c4-7cff-41d0-8370-a7d9c01dde84'
  }
}

并且objectId需要从 AppService 部署中检索。使用这个模块:

module AppService '../../../Modules/Azure.App.Service.template.bicep' = [for i in range(0, length(webAppSettings.webApps)): { 
  name: webAppSettings.webApps[i].Name
  dependsOn: [
    frontEndAppServicePlan
  ]
  params: {
    webAppName: webAppSettings.webApps[i].appServiceType == 'functionApp' ? toLower('fnc-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}') : toLower('web-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}')
    hostingPlan:  frontEndAppServicePlan.outputs.hostingPlanId
    virtualNetworkResourceGroup: virtualNetworkResourceGroup
    environmentName:environmentName
    webAppSettings:webAppSettings
    appServiceType: webAppSettings.webApps[i].appServiceType
    LinuxFX:webAppSettings.webApps[i].LinuxFX
    appSettings:webAppSettings.webapps[i].appSettings
  }
}]

当它是单个 appService 时很好,因为我可以使用output usid string = AppServices.identity.principalId

但是当我有 2 个 appServices 时,我无法弄清楚如何传入两个 ID

有任何想法吗?

干杯

4

1 回答 1

0

假设您有一个Azure.App.Service.template.bicep看起来像这样的模块:

param webAppName string
...

// Create the web app
resource webApp 'Microsoft.Web/sites@2020-09-01' = {
  name: webAppName
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  ...
}

output usid string = webApp.identity.principalId

在父模板中,您可以创建一个模块数组来创建您的 web 应用程序(与您执行此操作的方式相同),然后创建一个访问策略资源以向所有 web 应用程序授予对密钥保管库的访问权限。

...
// Create the app services
module AppServices '../../../Modules/Azure.App.Service.template.bicep' = [for webApp in webAppSettings.webApps: {
  name: webApp.Name
  params: {
    webAppName: webApp.Name
    ...
  }
}]

// Granting the app services access ot key vault
resource appServicesKeyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVaultName}/add'
  properties: {
    accessPolicies: [for i in range(0, length(webAppSettings.webApps)): {
      tenantId: subscription().tenantId
      objectId: AppServices[i].outputs.usid
      permissions: {
        secrets: keyVaultSettings.secretsPermissions
        keys: keyVaultSettings.keyPermissions
      }
    }]
  }
}
于 2021-10-17T19:01:16.887 回答