Role assignment and diagnostic log deployment fails if the role/log already exists



I'm using Bicep to assign roles to my resources. The first run works fine, but any subsequent run fails because the role already exists. The same goes for diagnosticLogs: if they already exist, the pipeline fails.

Is there any way to check whether a resource exists and skip deploying it if it does? Or at least reduce the severity to "warning" so the pipeline doesn't fail?

It took me a while to figure this out, because the Azure Pipelines log didn't even return an error description, it just failed...

##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
##[error]Details:
##[error]DeploymentFailed: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
##[error]Check out the troubleshooting guide to see if your issue is addressed: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
##[error]Task failed while creating or updating the template deployment.

Here is the resource group deployment log for the diagnosticLogs:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. 
Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{
"code":"Conflict",
"message":"Data sink '/subscriptions/X-X-X-X-X/resourceGroups/<NAME>/providers/Microsoft.Storage/storageAccounts/<NAME>' 
is already used in diagnostic setting '<NAME>' for category 'allLogs'. 
Data sinks can't be reused in different settings on the same category for the same resource."
}]}

The error for the role assignment:

{"code":"DeploymentFailed",
"message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{
"code":"RoleAssignmentExists",
"message":"The role assignment already exists."
}]}

Here is the Bicep code for the deployment:

// roleAssignment: seeded only with the resource group id and the principal id
resource role_developer_adls_blob_contributors 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, aad_admin_developer_group_object_id)
  scope: resourceGroup()
  properties: {
    description: 'Developer Group - BlobStorageContributor.'
    principalId: aad_admin_developer_group_object_id
    principalType: 'Group'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataContributorRoleID)
  }
}

// diagnosticLogs: sends all Key Vault log categories to the ADLS storage account
resource keyvault_diagnostic_settings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${keyVaultName}-log-adls'
  scope: key_vault
  properties: {
    storageAccountId: adls_storage_base.id
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
  }
}

The role assignment name needs to be unique for the given principal, role and scope. The seed of the guid() function isn't unique enough. It should be:

name: guid(resourceGroup().id, aad_admin_developer_group_object_id, storageBlobDataContributorRoleID)

Note that since you already have role assignments for that principal at that scope, you will have to delete the "old" role assignments before you can use the new naming scheme.
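As an added example (not code from the question or the answer), the following Bicep template applies the naming rule from the answer to several roles at once, which is where the original two-part seed would collide: with the role definition in the seed, each (scope, principal, role) tuple gets its own deterministic name, so re-running the deployment updates the same assignment instead of conflicting. The parameter name is taken from the question; the role GUIDs are Azure's built-in Storage Blob Data Contributor and Reader definitions.

```bicep
targetScope = 'resourceGroup'

@description('Object ID of the AAD group that receives the roles (parameter name from the question).')
param aad_admin_developer_group_object_id string

@description('Built-in role definition GUIDs to assign at resource group scope.')
param roleDefinitionIds array = [
  'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
  '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
]

// The name IS the identity of a role assignment. Seeding guid() with the
// scope, the principal and the role makes it deterministic per tuple:
//   - redeploying yields the same name, so ARM treats it as an update
//     (no RoleAssignmentExists error);
//   - two roles for the same group yield two distinct names, which the
//     original guid(resourceGroup().id, principalId) seed could not do.
resource developer_role_assignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleDefinitionIds: {
  name: guid(resourceGroup().id, aad_admin_developer_group_object_id, roleId)
  scope: resourceGroup()
  properties: {
    principalId: aad_admin_developer_group_object_id
    // Stating the principal type avoids lookup failures for newly created principals.
    principalType: 'Group'
    // Role definitions live at subscription scope, so build the id there.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
  }
}]

// Emitting the names makes it easy to compare them against the "old"
// assignments that must be removed before this scheme is first applied.
output roleAssignmentNames array = [for (roleId, i) in roleDefinitionIds: developer_role_assignments[i].name]
```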
