Bicep 删除"existing"密钥保管库资源



在我的Bicep文件中,我正在使用Azure KeyVault资源,如下所示:

// Reference to a Key Vault that already exists: `existing` means this template
// neither creates nor owns the vault, it only resolves its id so that
// kv.getSecret() can be used below. The scope is the resource group this
// deployment targets, looked up under the given subscription id.
// NOTE: with `--mode Complete` the what-if output shown on this page lists this
// vault for deletion, because a referenced resource is not part of the template
// being deployed.
resource kv 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = {
  name: kvName
  scope: resourceGroup(subscriptionId, resourceGroup().name)
}
// Database module, deployed only when dbIsEnabled is true, into the same
// resource group as this deployment.
module db 'modules/database.bicep' = if (dbIsEnabled) {
  name: 'db'
  scope: resourceGroup()
  params: {
    location: location
    namePrefix: namePrefix
    regionSuffix: regionSuffix
    administratorLogin: dbAdminUsername
    // getSecret() compiles to a Key Vault reference that ARM resolves at
    // deployment time, so the secret value never appears in this file.
    // The receiving module parameter is expected to be declared @secure()
    // (modules/database.bicep is not shown here — confirm).
    administratorLoginPassword: kv.getSecret('dbAdminPassword')
    edition: dbEdition
  }
}

这很好(我想……),但只有第一次有效。

$ az deployment group create --verbose -c --mode Complete -g "$rgName" -f shr.bicep -p "@$paramFile"
{'properties': {'template': <azure.cli.command_modules.resource.custom.JsonCTemplate object at 0x7fbc0079aa90>, 'parameters': {'subscriptionId': {'value': '20d2016b-1234-1234-1234-be72462e1234'}, 'kvName': {'value': 'shrKvTest0830'}, 'tenantPrefix': {'value': 'adv'}, 'environmentSuffix': {'value': 'demo'}, 'regionSuffix': {'value': 'useast'}, 'dbIsEnabled': {'value': True}, 'dbEdition': {'value': 'Premium'}, 'dbAdminUsername': {'value': 'adm'}}, 'mode': 'Complete', 'whatIfSettings': {'resultFormat': 'FullResourcePayloads'}}}
Noneunning ..
Note: The result may contain false positive predictions (noise).
You can help us improve the accuracy of the result by opening an issue here: https://aka.ms/WhatIfIssues.
Resource and property changes are indicated with these symbols:
- Delete
+ Create
The deployment will update the following scope:
Scope: /subscriptions/20d2016b-1234-1234-1234-be72462e1234/resourceGroups/shrDevopsTesting123
- Microsoft.KeyVault/vaults/shrKvTest0830
id:       "/subscriptions/20d2016b-1234-1234-1234-be72462e1234/resourceGroups/shrDevopsTesting123/providers/Microsoft.KeyVault/vaults/shrKvTest0830"
location: "westeurope"
name:     "shrKvTest0830"
type:     "Microsoft.KeyVault/vaults"
+ Microsoft.Sql/servers/adv-demo-db-srv-useast [2021-02-01-preview]
apiVersion:                            "2021-02-01-preview"
id:                                    "/subscriptions/20d2016b-1234-1234-1234-be72462e1234/resourceGroups/shrDevopsTesting123/providers/Microsoft.Sql/servers/adv-demo-db-srv-useast"
location:                              "westeurope"
name:                                  "adv-demo-db-srv-useast"
properties.administratorLogin:         "*******"
properties.administratorLoginPassword: "*******"
type:                                  "Microsoft.Sql/servers"
Resource changes: 1 to delete, 1 to create.
Are you sure you want to execute the deployment? (y/n): y
{'properties': {'template': <azure.cli.command_modules.resource.custom.JsonCTemplate object at 0x7fb3612dbd68>, 'parameters': {'subscriptionId': {'value': '20d2016b-1234-1234-1234-be72462e1234'}, 'kvName': {'value': 'shrKvTest0830'}, 'tenantPrefix': {'value': 'adv'}, 'environmentSuffix': {'value': 'demo'}, 'regionSuffix': {'value': 'useast'}, 'dbIsEnabled': {'value': True}, 'dbEdition': {'value': 'Premium'}, 'dbAdminUsername': {'value': 'adm'}}, 'mode': 'Complete'}}
{'properties': {'template': <azure.cli.command_modules.resource.custom.JsonCTemplate object at 0x7fb3609fda20>, 'parameters': {'subscriptionId': {'value': '20d2016b-1234-1234-1234-be72462e1234'}, 'kvName': {'value': 'shrKvTest0830'}, 'tenantPrefix': {'value': 'adv'}, 'environmentSuffix': {'value': 'demo'}, 'regionSuffix': {'value': 'useast'}, 'dbIsEnabled': {'value': True}, 'dbEdition': {'value': 'Premium'}, 'dbAdminUsername': {'value': 'adm'}}, 'mode': 'Complete'}}
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
Noneunning ..
id: /subscriptions/20d2016b-1234-1234-1234-be72462e1234/resourceGroups/ShrDevopsTesting123/providers/Microsoft.Resources/deployments/shr
location: null
name: shr
properties:
correlationId: fd11a316-604a-42cf-a474-c881be120643
debugSetting: null
dependencies: []
duration: PT4M23.8746353S
error: null
mode: Complete
onErrorDeployment: null
outputResources:
- id: /subscriptions/20d2016b-1234-1234-1234-be72462e1234/resourceGroups/ShrDevopsTesting123/providers/Microsoft.Sql/servers/adv-demo-db-srv-useast
resourceGroup: ShrDevopsTesting123
outputs: null
parameters:
dbAdminUsername:
type: String
value: adm
dbEdition:
type: String
value: Premium
dbIsEnabled:
type: Bool
value: true
environmentSuffix:
type: String
value: demo
kvName:
type: String
value: shrKvTest0830
location:
type: String
value: westeurope
regionSuffix:
type: String
value: useast
subscriptionId:
type: String
value: 20d2016b-1234-1234-1234-be72462e1234
tenantPrefix:
type: String
value: adv
parametersLink: null
providers:
- id: null
namespace: Microsoft.Resources
registrationPolicy: null
registrationState: null
resourceTypes:
- aliases: null
apiProfiles: null
apiVersions: null
capabilities: null
defaultApiVersion: null
locationMappings: null
locations:
- null
properties: null
resourceType: deployments
zoneMappings: null
provisioningState: Succeeded
templateHash: '11903751957628416401'
templateLink: null
timestamp: '2021-06-21T06:44:34.352407+00:00'
validatedResources: null
resourceGroup: ShrDevopsTesting123
tags: null
type: Microsoft.Resources/deployments
Command ran in 333.163 seconds (init: 0.734, invoke: 332.429)

但当我再次运行完全相同的命令时,它失败了(正如"-c"的输出所预测的那样):

$ az deployment group create --verbose -c --mode Complete -g "$rgName" -f shr.bicep -p "@$paramFile"
{'properties': {'template': <azure.cli.command_modules.resource.custom.JsonCTemplate object at 0x7fa480cb2a90>, 'parameters': {'subscriptionId': {'value': '20d2016b-1234-1234-1234-be72462e1234'}, 'kvName': {'value': 'shrKvTest0830'}, 'tenantPrefix': {'value': 'adv'}, 'environmentSuffix': {'value': 'demo'}, 'regionSuffix': {'value': 'useast'}, 'dbIsEnabled': {'value': True}, 'dbEdition': {'value': 'Premium'}, 'dbAdminUsername': {'value': 'shradmin'}}, 'mode': 'Complete', 'whatIfSettings': {'resultFormat': 'FullResourcePayloads'}}}
Noneunning ..
KeyVaultParameterReferenceNotFound - The specified KeyVault '/subscriptions/20d2016b-1234-1234-1234-be72462e1234/resourceGroups/ShrDevopsTesting123/providers/Microsoft.KeyVault/vaults/shrKvTest0830' could not be found. Please see https://aka.ms/arm-keyvault for usage details.
Command ran in 34.891 seconds (init: 0.432, invoke: 34.458)

我做错了什么?为什么 Bicep 会删除密钥库 kv,尽管我引用它时使用了"existing"?我是以 --mode Complete 模式运行的。

existing 关键字表示我知道该资源存在。它并不是部署模板的一部分——它更像是一个指针,而不是实际的资源。

当 Bicep 编译到 ARM 时,带有 existing 关键字的资源会被转换为 reference 调用。请注意,现有资源可能与您将模板部署到的范围不同。

因此,您的模板中没有这样的密钥保管库资源,所以在 Complete 模式下它被计划删除。Complete 模式的作用是确保目标(通常是资源组)的内容与模板指定的内容完全一致。

没有从 Complete 模式部署中排除资源的选项。你可以试着在 Bicep 的 GitHub 上提交一个功能请求。

在您的情况下,请删除 existing 关键字,并按照密钥保管库现有的配置来定义它。

我知道我来晚了,但这是针对我看到的关于将密码保存到 KV 的评论的回答。如果你想为 SQL 生成随机密码并将其保存到 KV,而不是使用 guid,可以在管道中的 PowerShell 里添加以下代码。

这将为您创建一个随机密码,并将其保存到密钥保管库中。例如,我会在创建 SQL 资源之前(而不是作为 keyvault 部署的一部分)执行此操作。这意味着我在需要时更新或添加所需的资源,而不是把它作为 KV 的一部分。


<#
.SYNOPSIS
  Generates a random password and stores it as a secret in an Azure Key Vault.
.PARAMETER secretName
  Name of the secret to create or update in the vault.
.PARAMETER kvName
  Name of the Key Vault handed to `az keyvault secret set --vault-name`.
#>
param(
  [string] $secretName,
  [string] $kvName
)
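function Get-RandomPassword {
  <#
  .SYNOPSIS
    Generates a random password from a cryptographic RNG.
  .DESCRIPTION
    Every character is drawn from the enabled alphabets (upper, lower, numeric,
    special) with rejection sampling so that no character is favoured, and the
    draw is repeated until the minimum count for each class is met.
  .PARAMETER length
    Total number of characters; must be at least 4.
  .PARAMETER upper
    Minimum number of upper-case letters; 0 removes the class from the alphabet.
  .PARAMETER lower
    Minimum number of lower-case letters; 0 removes the class from the alphabet.
  .PARAMETER numeric
    Minimum number of digits; 0 removes the class from the alphabet.
  .PARAMETER special
    Minimum number of characters from "/*-+,!?=()@;:._"; 0 removes the class.
  .OUTPUTS
    [string] The generated password.
  .NOTES
    Throws when the per-class minimums add up to more than length, or when
    every class is disabled (there would be nothing to draw from).
  #>
  param (
    [Parameter(Mandatory)]
    [ValidateRange(4, [int]::MaxValue)]
    [int] $length,
    [int] $upper = 1,
    [int] $lower = 1,
    [int] $numeric = 1,
    [int] $special = 1
  )
  if ($upper + $lower + $numeric + $special -gt $length) {
    throw "number of upper/lower/numeric/special char must be lower or equal to length"
  }

  $uCharSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  $lCharSet = "abcdefghijklmnopqrstuvwxyz"
  $nCharSet = "0123456789"
  $sCharSet = "/*-+,!?=()@;:._"
  $charSet = ""
  if ($upper -gt 0) { $charSet += $uCharSet }
  if ($lower -gt 0) { $charSet += $lCharSet }
  if ($numeric -gt 0) { $charSet += $nCharSet }
  if ($special -gt 0) { $charSet += $sCharSet }
  $charSet = $charSet.ToCharArray()
  if ($charSet.Length -eq 0) {
    throw "at least one of upper/lower/numeric/special must be greater than 0"
  }

  # Hoisted once: the per-class membership checks below reuse these arrays.
  $uChars = $uCharSet.ToCharArray()
  $lChars = $lCharSet.ToCharArray()
  $nChars = $nCharSet.ToCharArray()
  $sChars = $sCharSet.ToCharArray()

  # Rejection sampling: a random byte is only used when it is below the largest
  # multiple of the alphabet size that fits in 0..255. A plain `byte % length`
  # would make the first (256 % length) characters of the alphabet more likely.
  $limit = 256 - (256 % $charSet.Length)

  # RNGCryptoServiceProvider is kept because it is available on both Windows
  # PowerShell 5.1 and PowerShell 7; it is disposed on every exit path.
  $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
  try {
    $byte = New-Object byte[] 1
    do {
      $result = New-Object char[] $length
      for ($i = 0; $i -lt $length; $i++) {
        do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
        $result[$i] = $charSet[$byte[0] % $charSet.Length]
      }
      $password = -join $result

      # A loop instead of the original recursive retry: same outcome, no
      # call-stack growth on an unlucky streak. @() keeps .Count defined when
      # a class has zero hits.
      $chars = $password.ToCharArray()
      $valid = ($upper   -le @($chars | Where-Object { $_ -cin $uChars }).Count) -and
               ($lower   -le @($chars | Where-Object { $_ -cin $lChars }).Count) -and
               ($numeric -le @($chars | Where-Object { $_ -cin $nChars }).Count) -and
               ($special -le @($chars | Where-Object { $_ -cin $sChars }).Count)
    } while (-not $valid)
  }
  finally {
    $rng.Dispose()
  }
  return $password
}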
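try {
  # Get-RandomPassword already enforces one character of each class; this loop
  # re-checks the result with regex classes before anything is written.
  # The classes are written with their escapes (\p{Lu}, \p{Ll}, \d, \w): without
  # the backslashes "[d]" only matches the letter d and the loop spins until a
  # password happens to contain one.
  $PassComplexCheck = $false
  do {
    $newPassword = Get-RandomPassword 10 1 1 1 1
    if (($newPassword -cmatch '\p{Lu}') -and
        ($newPassword -cmatch '\p{Ll}') -and
        ($newPassword -match '\d') -and
        ($newPassword -match '[^\w]')) {
      $PassComplexCheck = $true
    }
  } while ($PassComplexCheck -eq $false)

  # The value is passed on the command line and is therefore visible to anyone
  # who can list processes on the agent; `az keyvault secret set --file` with a
  # temporary file is the alternative when that matters.
  az keyvault secret set --vault-name $kvName --name $secretName --value $newPassword -o none

  # az is a native command: a non-zero exit status does not raise a PowerShell
  # error, so without this check a failed write would be reported as success.
  if ($LASTEXITCODE -ne 0) {
    throw "az keyvault secret set exited with code $LASTEXITCODE"
  }
}
catch {
  Write-Host "Secret not generated correctly or saved into keyvault"
  Write-Host $_
  # Fail the pipeline step: a later stage would otherwise try to read a secret
  # that was never stored.
  exit 1
}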

