
Azure Policy does not create the role for the managed identity when deployed via DevOps

Stack Overflow user
Asked on 2021-07-15 13:54:25
1 answer, 99 views, 0 followers, 1 vote

I created an Azure policy through DevOps. I enabled a role as shown below (Storage Contributor). An identity has been created for the policy, but the role has not been assigned to it, so I had to create it manually in order to run the remediation task. Shouldn't the policy create the role itself? Or the deployment?

Code language: json
"roleDefinitionIds": [
    "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],

We deploy it as an ARM template using New-AzDeployment.

Here is the full template:

Code language: json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionName": {
      "type": "string"
    }
  },
  "resources": [{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "[parameters('policyDefinitionName')]",
    "apiVersion": "2019-09-01",
    "properties": {
        "displayName": "Deploy Soft-Delete for Blobs",
        "mode": "All",
        "description": "This policy enables soft-delete for blobs.",
        "parameters": {
            "retentionInDays": {
                "type": "Integer",
                "metadata": {
                    "displayName": "Retention in days",
                    "description": "This defines how long the deleted object should be retained for. Allowed values are 1 to 365."
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts"
                    },
                    {
                        "field": "kind",
                        "in": [
                            "Storage",
                            "StorageV2",
                            "BlobStorage",
                            "BlockBlobStorage"
                        ]
                    },
                    {
                        "field": "Microsoft.Storage/storageAccounts/isHnsEnabled",
                        "equals": false
                    }
                ]
            },
            "then": {
                "effect": "DeployIfNotExists",
                "details": {
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "existenceCondition": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
                        "equals": true
                    },
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
                    ],
                    "deployment": {
                        "properties": {
                            "mode": "incremental",
                            "template": {
                                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                    "storageAccountName": {
                                        "type": "string"
                                    },
                                    "retentionInDays": {
                                        "type": "int"
                                    }
                                },
                                "variables": {},
                                "resources": [
                                    {
                                        "name": "[[concat(parameters('storageAccountName'), '/default')]",
                                        "type": "Microsoft.Storage/storageAccounts/blobServices",
                                        "apiVersion": "2019-06-01",
                                        "properties": {
                                            "deleteRetentionPolicy": {
                                                "enabled": true,
                                                "days": "[[parameters('retentionInDays')]"
                                            }
                                        }
                                    }
                                ],
                                "outputs": {}
                            },
                            "parameters": {
                                "storageAccountName": {
                                    "value": "[[field('name')]"
                                },
                                "retentionInDays": {
                                    "value": "[[parameters('retentionInDays')]"
                                }
                            }
                        }
                    }
                }
            }
        }
    }
  }]
}

1 Answer

Stack Overflow user

Posted on 2021-07-16 07:27:05

  1. POLICY DEFINITION DEPLOYMENT
  2. POLICY SET DEFINITION DEPLOYMENT
  3. POLICY ASSIGNMENT DEPLOYMENT <- this is where you add the role assignment.

The role assignment has to be made for the managed identity created by the policy assignment. If you create the policy assignment from the portal, I believe this is done for you automatically. With an ARM template in DevOps it needs to be defined manually.

So the policy assignment must also be deployed together with a role assignment.

Because of problems using "dependsOn" between the definition, the initiative and the assignment, I recommend a separate ARM template for the assignment. The policy assignment template with the role assignment would then be standalone and look something like the sample template below.

I know this is unrelated to your question, but it is annoying enough to be worth mentioning: in my experience I had to put a 2-minute delay between the definition deployment and the subsequent initiative deployment, and another 2-minute delay before the assignment deployment, to avoid 404 errors on the dependencies.

Code language: json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {
      "scope": "[concat('/subscriptions/', subscription().subscriptionId, '/')]"
  },
  "resources": [
      {
          "type": "Microsoft.Authorization/policyAssignments",
          "apiVersion": "2019-09-01",
          "name": "my-policy-assignment",
          "location": "westus2",
          "identity": {
              "type": "SystemAssigned"
          },
          "properties": {
              "displayName": "My Policy Assignment",
              "policyDefinitionId": "[concat(variables('scope'), 'providers/Microsoft.Authorization/policySetDefinitions/my-policy-initiative')]",
              "scope": "[variables('scope')]",
              "notScopes": [],
              "parameters": {},
              "description": "This is an example assignment for a Stack Overflow post.",
              "metadata": {
                  "category": "My Category"
              }
          }
      },
      {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2019-04-01-preview",
          "name": "b74efc56-19fa-44a3-9665-49b08f7c384d",
          "dependsOn": [
              "my-policy-assignment"
          ],
          "properties": {
              "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
              "principalType": "ServicePrincipal",
              "delegatedManagedIdentityResourceId": "[concat(subscription().id, '/providers/Microsoft.Authorization/policyAssignments/', 'my-policy-assignment')]",
              "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', 'my-policy-assignment'), '2018-05-01', 'Full' ).identity.principalId)]"
          }
      }
  ]
}
1 vote
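An added verification script, not part of the original post, written in PowerShell because the question deploys with New-AzDeployment: it reads the roleDefinitionIds from the assigned definition (or from every definition in an initiative) and checks that the assignment's managed identity really holds those roles at the assignment scope, which is exactly the gap the answer describes. It assumes an existing Az login, the 2021-era Az.Resources output shape (.Properties / .Identity), and the assignment name 'my-policy-assignment' from the answer's template.

```powershell
# Added check (not from the original post). Assumes Connect-AzAccount has been run and
# the 2021-era Az.Resources output shape (.Properties / .Identity on assignment objects).
param(
    [string] $AssignmentName = 'my-policy-assignment',                 # name used in the answer's template
    [string] $Scope = "/subscriptions/$((Get-AzContext).Subscription.Id)",
    [switch] $Fix                                                      # also create the missing role assignments
)

$assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $Scope
if (-not $assignment.Identity -or -not $assignment.Identity.PrincipalId) {
    throw "Assignment '$AssignmentName' has no managed identity; DeployIfNotExists remediation cannot run."
}
$principalId = $assignment.Identity.PrincipalId

# Collect the role definition ids that the policy, or every policy in the initiative, requires.
$defId = $assignment.Properties.PolicyDefinitionId
$definitions = if ($defId -like '*/policySetDefinitions/*') {
    (Get-AzPolicySetDefinition -Id $defId).Properties.PolicyDefinitions |
        ForEach-Object { Get-AzPolicyDefinition -Id $_.policyDefinitionId }
} else {
    @(Get-AzPolicyDefinition -Id $defId)
}
$required = $definitions |
    ForEach-Object { $_.Properties.PolicyRule.then.details.roleDefinitionIds } |
    Where-Object { $_ } |
    ForEach-Object { $_.Split('/')[-1].ToLower() } |   # keep only the role definition GUID
    Sort-Object -Unique

# Roles the identity already holds at the assignment scope (inherited assignments included).
$held = Get-AzRoleAssignment -ObjectId $principalId -Scope $Scope |
    ForEach-Object { $_.RoleDefinitionId.ToLower() } |
    Sort-Object -Unique

$missing = @($required | Where-Object { $held -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Output "OK: identity $principalId holds all $(@($required).Count) required role(s) at $Scope"
    return
}
foreach ($roleId in $missing) {
    Write-Warning "Missing role $roleId for identity $principalId at $Scope"
    if ($Fix) {
        # Grant at the assignment scope only, so the remediation identity gets no more than the policy needs.
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId -Scope $Scope | Out-Null
        Write-Output "Granted role $roleId to $principalId at $Scope"
    }
}
```

Run it without -Fix first; a "Missing role" warning for 17d1049b-... is the condition from the question, and the same check can run as a pipeline step right after the assignment deployment to catch it before a remediation task is triggered.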
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/68388609
