遍历ARM模板中的值 [英] Looping through values in ARM templates
问题描述
我一直在解决我与ARM模板有关的问题,已经有一天了,而且似乎一直停滞不前,所以请索要SO,以防任何人能提供帮助.
为描述此问题,我已经有一个现有的Azure Key Vault设置,并希望向该资源组添加许多访问策略.作为参考,以下是用于添加Key Vault访问策略的ARM模板参考:
https://docs.microsoft.com/zh-CN/azure/templates/Microsoft.KeyVault/2018-02-14/vaults/accessPolicies
我有许多用户希望为其分配相同的权限,并且该用户列表不太可能经常更改,因此我希望在模板本身内对引用这些用户的objectId数组进行硬编码,然后使用复制"功能可创建多个访问策略.本质上,我希望最终结果接近于此,在访问策略之间唯一改变的值是标识用户的objectID:
{
"name": "TestKeyVault/add",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2018-02-14",
"properties": {
"accessPolicies": [
{
"tenantId": "tenantIDStringGoesHere",
"objectId": "guidForUser1GoesHere",
"permissions": {
"keys": ["List"],
"secrets": ["List"],
"certificates": ["List"]
}
},
{
"tenantId": "tenantIDStringGoesHere",
"objectId": "guidForUser2GoesHere",
"permissions": {
"keys": ["List"],
"secrets": ["List"],
"certificates": ["List"]
}
}
]
}
}
我之所以希望通过循环来解决此问题,而不是手工复制访问策略,原因是我认为这将使维护更加容易,因为可以通过在数组中添加或删除值来处理人员变更,而不用复制或删除较大部分的文本.
我试图理解这里概述的复制"语法,但是我没有找到适用于我的用例的正确组合:
https://docs .microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple
我最近的是:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string",
"metadata": {
"description": "Name of the Vault"
}
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]",
"metadata": {
"description": "Tenant Id of the subscription. Get using Get-AzureRmSubscription cmdlet or Get Subscription API"
}
},
"objectId": {
"type": "array",
"defaultValue": [
"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
],
"metadata": {
"description": "Object Id of the AD user. Get using Get-AzureRmADUser or Get-AzureRmADServicePrincipal cmdlets"
}
},
"secretsPermissions": {
"type": "array",
"defaultValue": [
"list"
],
"metadata": {
"description": "Permissions to secrets in the vault. Valid values are: all, get, set, list, and delete."
}
}
},
"variables": {
"objectIdCount": "[length(parameters('objectId'))]"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "TestKeyVault/add",
"apiVersion": "2018-02-14",
"properties": {
"accessPolicies": [{
"tenantId": "[parameters('tenantId')]",
"objectId": "[parameters('objectId')[copyIndex('objectIdCopy')]]",
"permissions": {
"secrets": "[parameters('secretsPermissions')]"
},
"copy": {
"name": "objectIdCopy",
"count": 2
}
}]
}
}
]
}
值得一提的是,虽然我已经用X和Y替换了该SO版本中的objectId,但是如果我替换了"objectId",则代码可以在实际版本中使用:"[parameters('objectId')[copyIndex('objectIdCopy' )]]与"objectId":"[parameters('objectId')[0]]"(换句话说,如果我只是对数组索引进行硬编码,则可以,但是如果我尝试使用copyIndex,则不会)./p>
我曾尝试过使用此模板的各种变体生成各种错误消息,但是通过最新的迭代,尝试通过PowerShell部署模板时收到的错误消息基本上可以概括为模板功能'copyIndex'不在此位置."
我一直在进行测试的PowerShell的谈话,以下是简化版本:
Clear-Host
$deploymentResourceGroupName = 'TestRG'
$templatePath = 'test_template.json'
$templateParameterObject = @{}
$templateParameterObject += @{'keyVaultName' = 'TestKeyVault'}
New-AzureRmResourceGroupDeployment -ResourceGroupName $deploymentResourceGroupName -TemplateFile $templatePath -TemplateParameterObject $templateParameterObject
我意识到这是一个很长的问题,但是我希望我已经提供了足够的信息来帮助对此进行调试.
有什么建议可以使复印功能正常工作吗?
这或多或少是您想要的(如果我正确理解您的话):
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "TestKeyVault/add",
"apiVersion": "2018-02-14",
"properties": {
"copy": [
{
"name": "accessPolicies",
"count": "[length(parameters('objectId'))]",
"input": {
"tenantId": "[parameters('tenantId')]",
"objectId": "[parameters('objectId')[copyIndex('accessPolicies')]]",
"permissions": {
"secrets": "[parameters('secretsPermissions')]"
}
}
}
]
}
}
I've been working on an issue I'm having with ARM templates for over a day now, and seem to be stuck, so asking on SO in case anyone can help.
To describe the issue, I've got an existing Azure Key Vault setup, and wish to add a number of access policies to this resource group. For reference purposes, the following is the ARM template reference for adding Key Vault Access Policies:
https://docs.microsoft.com/en-gb/azure/templates/Microsoft.KeyVault/2018-02-14/vaults/accessPolicies
I have a number of users I wish to assign the same permissions to, and this list of users is unlikely to change frequently, so I wish to hardcode an array of objectIds referring to these users within the template itself, and then use the "copy" functionality to create multiple access policy . Essentially I want the end result to be close to this, where the only value that changes between access policies is the objectID identifying the user:
{
"name": "TestKeyVault/add",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2018-02-14",
"properties": {
"accessPolicies": [
{
"tenantId": "tenantIDStringGoesHere",
"objectId": "guidForUser1GoesHere",
"permissions": {
"keys": ["List"],
"secrets": ["List"],
"certificates": ["List"]
}
},
{
"tenantId": "tenantIDStringGoesHere",
"objectId": "guidForUser2GoesHere",
"permissions": {
"keys": ["List"],
"secrets": ["List"],
"certificates": ["List"]
}
}
]
}
}
The reason I want to sort this out with a loop rather than duplicating the access policies by hand is that I believe it'll make maintenance easier, as personnel changes can be handled by adding or removing values from an array rather than having to duplicate or remove larger portions of text.
I've tried to understand the "copy" syntax outlined here, but I haven't found the right combination that works for my use case:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple
The closest I've got is the following:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string",
"metadata": {
"description": "Name of the Vault"
}
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]",
"metadata": {
"description": "Tenant Id of the subscription. Get using Get-AzureRmSubscription cmdlet or Get Subscription API"
}
},
"objectId": {
"type": "array",
"defaultValue": [
"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
],
"metadata": {
"description": "Object Id of the AD user. Get using Get-AzureRmADUser or Get-AzureRmADServicePrincipal cmdlets"
}
},
"secretsPermissions": {
"type": "array",
"defaultValue": [
"list"
],
"metadata": {
"description": "Permissions to secrets in the vault. Valid values are: all, get, set, list, and delete."
}
}
},
"variables": {
"objectIdCount": "[length(parameters('objectId'))]"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "TestKeyVault/add",
"apiVersion": "2018-02-14",
"properties": {
"accessPolicies": [{
"tenantId": "[parameters('tenantId')]",
"objectId": "[parameters('objectId')[copyIndex('objectIdCopy')]]",
"permissions": {
"secrets": "[parameters('secretsPermissions')]"
},
"copy": {
"name": "objectIdCopy",
"count": 2
}
}]
}
}
]
}
Worth noting that whilst I've replaced the objectIds in this SO version with X's and Y's, the code works in the real version if I replace "objectId": "[parameters('objectId')[copyIndex('objectIdCopy')]]" with "objectId": "[parameters('objectId')[0]]" (in other words, if I just hardcode the array index it works, but if I try to use copyIndex it does not).
I've had various error messages with the different variants of this template that I've tried, but with this latest iteration the error message I get when attempting to deploy the template through PowerShell can basically be summarised as "The template function 'copyIndex' is not expected at this location".
Talking of the PowerShell I've been using to test it, the following is a simplified version:
Clear-Host
$deploymentResourceGroupName = 'TestRG'
$templatePath = 'test_template.json'
$templateParameterObject = @{}
$templateParameterObject += @{'keyVaultName' = 'TestKeyVault'}
New-AzureRmResourceGroupDeployment -ResourceGroupName $deploymentResourceGroupName -TemplateFile $templatePath -TemplateParameterObject $templateParameterObject
I realise this is a long question, but I'm hoping I've provided sufficient information to help with debugging this.
Any suggestions what I should change to get the copy functionality working?
This is more or less what you want (if I understand you properly):
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "TestKeyVault/add",
"apiVersion": "2018-02-14",
"properties": {
"copy": [
{
"name": "accessPolicies",
"count": "[length(parameters('objectId'))]",
"input": {
"tenantId": "[parameters('tenantId')]",
"objectId": "[parameters('objectId')[copyIndex('accessPolicies')]]",
"permissions": {
"secrets": "[parameters('secretsPermissions')]"
}
}
}
]
}
}
这篇关于遍历ARM模板中的值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
