Incremental redeployment of an ARM Template with Role Assignments throws an error


Problem description

If I use Azure Pipelines to do an 'Incremental' 'Resource Group' scoped deployment of an ARM template containing Role Assignments, it seems I can't rerun/redeploy the pipeline without receiving an error on the Role Assignment resource:

RoleAssignmentUpdateNotPermitted: Tenant ID, application ID, principal ID, and scope are not allowed to be updated.

This looks like an obvious issue that must have a common workaround? Am I expected to break out the Role Assignments into a separate template, and perhaps delete and re-create the role assignments on each deployment?

Recommended answer

Just as you said, this is an obvious issue. For the same scope or resource, you can only assign the same role to a service principal once.

So there is an existing role assignment with the same name as the one you are trying to create through this template, and it ends up giving the "RoleAssignmentUpdateNotPermitted" error.

To resolve this issue, we need to ensure that each deployment to a different resource group uses a different GUID for the role assignment, but at the same time ensure that the same one is used when deploying to the same resource group.

We could use the guid function! It takes one or more strings that are used to calculate a hash, very much like the uniqueString function; only this one generates a string in GUID format instead:

{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2022-04-01",
  "name": "[guid(resourceGroup().id, 'monitoringUsers')]",
  "properties": {
    "roleDefinitionId": "[parameters('roleDefinitionId')]",
    "principalId": "[parameters('principalId')]"
  }
}

You could refer to the document Defining RBAC Role Assignments in ARM Templates for some more details.
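The answer above fixes the symptom by making the role assignment name deterministic per resource group. The point worth checking before a redeploy is what Resource Manager does with that name: a PUT on Microsoft.Authorization/roleAssignments whose name already exists is an update, and principalId, roleDefinitionId and scope are immutable, so the same name with a different principal (for example a managed identity that was deleted and recreated) is exactly what produces RoleAssignmentUpdateNotPermitted; a new name for a principal that already holds the role at that scope produces RoleAssignmentExists instead. The following Python model is an added example, not code from the question, the answer or Azure; it runs offline on constructed sample data (the subscription, resource group and principal IDs are made up; the Reader role definition GUID is the real built-in one) and uses a uuid5-based stand-in for the template guid() function, which reproduces only its deterministic property, not ARM's hashing.

```python
"""Pre-flight model of how Azure Resource Manager handles a redeployed
Microsoft.Authorization/roleAssignments resource (added example).

The assignment *name* decides whether a PUT is a create or an update;
principalId, roleDefinitionId and scope cannot change once created.
"""
import uuid

# Constructed sample identifiers (not a real subscription or principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_SCOPE = SUB + "/resourceGroups/rg-monitoring"
# Built-in 'Reader' role definition id (the same well-known GUID in every tenant).
READER = SUB + "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
IDENTITY_V1 = "11111111-1111-1111-1111-111111111111"  # original managed identity
IDENTITY_V2 = "22222222-2222-2222-2222-222222222222"  # identity after being recreated


def stable_name(*seed: str) -> str:
    """Hypothetical stand-in for the template function guid(): the same inputs
    always give the same GUID, different inputs a different one. uuid5 is used
    here only to get that property; ARM's own hashing is not reproduced."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "\x1f".join(seed)))


def _triple(a: dict) -> tuple:
    """The immutable part of an assignment, compared case-insensitively."""
    return (a["scope"].lower(), a["principalId"].lower(), a["roleDefinitionId"].lower())


def classify(existing: list, planned: dict) -> str:
    """Return what ARM would do for one planned assignment, given the
    assignments already present at the scope (the shape 'az role assignment
    list' returns: name, scope, principalId, roleDefinitionId)."""
    by_name = {e["name"].lower(): e for e in existing}
    by_triple = {_triple(e) for e in existing}
    current = by_name.get(planned["name"].lower())
    if current is None:
        # Unused name: a create, unless this principal already holds the role here.
        return "RoleAssignmentExists" if _triple(planned) in by_triple else "create"
    # Name already taken: only an identical assignment is accepted (idempotent PUT).
    if _triple(current) == _triple(planned):
        return "no-op"
    return "RoleAssignmentUpdateNotPermitted"


def assignment(name: str, principal_id: str) -> dict:
    return {"name": name, "scope": RG_SCOPE, "principalId": principal_id, "roleDefinitionId": READER}


def scenario() -> dict:
    """Deploy once, then redeploy under different naming policies."""
    # Naming exactly as in the answer: guid(resourceGroup().id, 'monitoringUsers').
    scope_only = stable_name(RG_SCOPE, "monitoringUsers")
    existing = [assignment(scope_only, IDENTITY_V1)]  # state after the first deployment

    return {
        # Same template, same principal: the redeploy is idempotent.
        "redeploy_same_principal": classify(existing, assignment(scope_only, IDENTITY_V1)),
        # Identity recreated but the name did not change: an immutable field would change.
        "redeploy_new_principal_scope_seed": classify(existing, assignment(scope_only, IDENTITY_V2)),
        # Seed also carries principal and role: a new principal yields a new name.
        "redeploy_new_principal_full_seed": classify(
            existing, assignment(stable_name(RG_SCOPE, IDENTITY_V2, READER), IDENTITY_V2)),
        # A fresh random name (what newGuid() would give) for a principal already holding the role.
        "redeploy_random_name_same_principal": classify(
            existing, assignment(str(uuid.uuid4()), IDENTITY_V1)),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

Two practical consequences follow from the model. Seeding the name with the principal and role as well as the scope (guid(resourceGroup().id, parameters('principalId'), variables('roleDefinitionId'))) keeps a recreated identity from colliding with the old assignment, but in Incremental mode the old assignment for the previous principal is left behind and has to be removed explicitly. And when the principal is a managed identity created in the same template, setting "principalType": "ServicePrincipal" on the assignment avoids the separate PrincipalNotFound failure caused by directory replication lag.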
