How to fix: Azure Policy does not create the role for the managed identity when deployed through DevOps
I created an Azure policy through DevOps. I enabled the role (Storage Contributor) as shown below. The identity was created for the policy, but no role was assigned to it, so I had to create the role assignment manually to run the remediation task. Shouldn't the policy itself create the role? Or the deployment?
"roleDefinitionIds": [
    "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
We deploy it as an ARM template using New-AzDeployment.
Here is the full template:
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[parameters('policyDefinitionName')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "displayName": "Deploy Soft-Delete for Blobs",
        "mode": "All",
        "description": "This policy enables soft-delete for blobs.",
        "parameters": {
          "retentionInDays": {
            "type": "Integer",
            "metadata": {
              "displayName": "Retention in days",
              "description": "This defines how long the deleted object should be retained for. Allowed values are 1 to 365."
            }
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
              },
              {
                "field": "kind",
                "in": [ "Storage", "StorageV2", "BlobStorage", "BlockBlobStorage" ]
              },
              {
                "field": "Microsoft.Storage/storageAccounts/isHnsEnabled",
                "equals": false
              }
            ]
          },
          "then": {
            "effect": "DeployIfNotExists",
            "details": {
              "type": "Microsoft.Storage/storageAccounts/blobServices",
              "existenceCondition": {
                "field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
                "equals": true
              },
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
              ],
              "deployment": {
                "properties": {
                  "mode": "incremental",
                  "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "storageAccountName": { "type": "string" },
                      "retentionInDays": { "type": "int" }
                    },
                    "variables": {},
                    "resources": [
                      {
                        "name": "[[concat(parameters('storageAccountName'),'/default')]",
                        "type": "Microsoft.Storage/storageAccounts/blobServices",
                        "apiVersion": "2019-06-01",
                        "properties": {
                          "deleteRetentionPolicy": {
                            "enabled": true,
                            "days": "[[parameters('retentionInDays')]"
                          }
                        }
                      }
                    ],
                    "outputs": {}
                  },
                  "parameters": {
                    "storageAccountName": { "value": "[[field('name')]" },
                    "retentionInDays": { "value": "[[parameters('retentionInDays')]" }
                  }
                }
              }
            }
          }
        }
      }
    }
  ]
}
Solution
- Policy definition deployment
- (Optional) Initiative definition deployment
- Policy assignment deployment
The role assignment must be created for the managed identity that the policy assignment creates. If you create the policy assignment from the portal, I believe this is done for you automatically. An ARM template in DevOps needs it defined manually.
So the policy assignment must also be deployed together with a role assignment.
Because of problems with using "dependsOn" between definitions, initiatives and assignments, I recommend using a separate ARM template for the assignment. The policy assignment template with its role assignment would then be stand-alone, similar to the example template below.
I know this is unrelated to your question, but it is annoying enough to mention. In my experience I had to wait 2 minutes between the definition deployment and the subsequent initiative deployment, and another 2 minutes before the assignment deployment, to avoid 404 errors on the dependencies.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {
    "scope": "[concat('/subscriptions/',subscription().subscriptionId,'/')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "my-policy-assignment",
      "location": "westus2",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "displayName": "My Policy Assignment",
        "policyDefinitionId": "[concat(variables('scope'),'providers/Microsoft.Authorization/policySetDefinitions/my-policy-initiative')]",
        "scope": "[variables('scope')]",
        "notScopes": [],
        "description": "This is an example assignment for a Stack Overflow post.",
        "metadata": {
          "category": "My Category"
        }
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "b74efc56-19fa-44a3-9665-49b08f7c384d",
      "dependsOn": [
        "my-policy-assignment"
      ],
      "properties": {
        "roleDefinitionId": "[concat(subscription().id,'/providers/Microsoft.Authorization/roleDefinitions/','17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
        "principalType": "ServicePrincipal",
        "delegatedManagedIdentityResourceId": "[concat(subscription().id,'/providers/Microsoft.Authorization/policyAssignments/','my-policy-assignment')]",
        "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/','my-policy-assignment'),'2018-05-01','Full' ).identity.principalId)]"
      }
    }
  ]
}
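As an added example (not part of the original question or answer), here is a PowerShell script that runs the sequence the answer describes: deploy the definition template from the question with New-AzDeployment, wait the 2 minutes the answer recommends, deploy the assignment template above, and then verify that the assignment's system-assigned identity actually holds Storage Account Contributor at the subscription scope before any remediation task is started. The template file names, the definition name, the delay, and the assumption that Get-AzPolicyAssignment exposes the identity as Identity.PrincipalId are mine, not the page's.

```powershell
# Added example: orchestrate definition -> assignment deployment and verify
# the managed identity's role. File names, names and delay are assumptions.
param(
    [string]$Location = 'westus2',
    [string]$DefinitionTemplate = './policy-definition.json',   # question's template
    [string]$AssignmentTemplate = './policy-assignment.json',   # answer's template
    [string]$AssignmentName = 'my-policy-assignment',           # name used in the answer
    [int]$DelaySeconds = 120                                    # answer's 2-minute wait
)

$ErrorActionPreference = 'Stop'
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"
# Storage Account Contributor: the role GUID referenced in the policy definition
$storageContributorRoleId = '17d1049b-9a84-46fb-8f53-869881c3d3ab'

# 1. Policy definition (subscription-level deployment, as in the question)
New-AzDeployment -Name 'policy-definition' -Location $Location `
    -TemplateFile $DefinitionTemplate `
    -TemplateParameterObject @{ policyDefinitionName = 'deploy-blob-soft-delete' } | Out-Null

# Give ARM time to make the new definition resolvable before referencing it
Start-Sleep -Seconds $DelaySeconds

# 2. Policy assignment plus its role assignment (the answer's template)
New-AzDeployment -Name 'policy-assignment' -Location $Location `
    -TemplateFile $AssignmentTemplate | Out-Null

# 3. Verify the system-assigned identity exists and holds the role at the scope
$assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $scope
$principalId = $assignment.Identity.PrincipalId   # assumed property path
if (-not $principalId) {
    throw "Policy assignment '$AssignmentName' has no managed identity"
}

$roleAssignment = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Where-Object { $_.RoleDefinitionId -eq $storageContributorRoleId }
if (-not $roleAssignment) {
    throw "Identity $principalId lacks Storage Account Contributor at $scope; remediation would fail"
}
Write-Host "Identity $principalId holds '$($roleAssignment.RoleDefinitionName)' at $scope"
```

Run it from a session already signed in with Connect-AzAccount and with the two template files saved beside it; the final check is what would have caught the missing role in the question before the remediation task was run.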