在单个 ARM 脚本中创建批处理帐户和 Key Vault答案

【问题标题】：Create Batch Account and Key Vault in single ARM script在单个 ARM 脚本中创建批处理帐户和 Key Vault
【发布时间】：2017-09-04 14:29:37
【问题描述】：

我正在尝试将批处理帐户（在用户订阅模式下）配置添加到 ARM 脚本，但我遇到了循环依赖问题。

批处理帐户需要 KeyVaultReference。
Key Vault 访问策略需要 BatchAccount 对象 ID。

在这种情况下，我无法创建完全配置的服务。你知道如何从同一个 ARM 脚本创建这两个服务吗？

请看下面的例子：

{
  "name": "[variables('keyVaultName')]",
  "type": "Microsoft.KeyVault/vaults",
  "location": "[resourceGroup().location]",
  "apiVersion": "2015-06-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {
          "keys": [
            "Update"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
  ]
},
{
  "name": "[variables('batchAccountName')]",
  "type": "Microsoft.Batch/batchAccounts",
  "location": "[resourceGroup().location]",
  "apiVersion": "2017-05-01",
  "properties": {
    "poolAllocationMode": "UserSubscription",
    "autoStorage": {
      "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
    },
    "keyVaultReference": {
      "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
      "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ]
}

【问题讨论】：

标签： azure azure-resource-manager azure-keyvault arm-template

【解决方案1】：

Key Vault 访问策略需要 BatchAccount 对象 ID。

对象 id 与批处理帐户无关。对象 ID 是您设置的可以访问密钥保管库的用户对象 ID。用户可以是 Azure AD 帐户、Microsoft 帐户或服务主体。对于 Azure AD 帐户，您可以使用 PowerShell cmdlet Get-AzureRmADUser 获取 ID。这个blog 可能有帮助。

Batch 帐户需要 KeyVaultReference。

正如您所做的那样，您可以在创建批处理帐户时添加依赖密钥库。以下模板适用于我。

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "defaultValue": "eastus",
            "type": "string"
        },
        "batchAccountName": {
            "defaultValue": "shui568",
            "type": "string"
        },
        "storageAccountName": {
            "defaultValue": "shui41f",
            "type": "string"
        },
        "storageAccountType": {
            "defaultValue": "Standard_LRS",
            "type": "string"
        },
         "vaults_shuibatch_name": {
            "defaultValue": "shui225",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "name": "[parameters('batchAccountName')]",
            "type": "Microsoft.Batch/batchAccounts",
            "apiVersion": "2017-05-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]"
            ],
            "properties": {
                "poolAllocationMode": "usersubscription",
                "KeyVaultReference": {

                    "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]",
                    "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]"
                },
                "autoStorage": {
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
                }
            }
        },
        {
            "name": "[parameters('storageAccountName')]",
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2015-06-15",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "[parameters('storageAccountType')]"
            }
        },
            {
            "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.",
            "type": "Microsoft.KeyVault/vaults",
            "name": "[parameters('vaults_shuibatch_name')]",
            "apiVersion": "2015-06-01",
            "location": "eastus",
            "tags": {},
            "scale": null,
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
                        "permissions": {
                            "secrets": [
                                "All"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true
            },
            "dependsOn": []
        }
    ]
}

【讨论】：

如果我的理解是正确的，你想给用户Microsoft Azure Batch权限，你可以在Azure Portal上获取对象ID。 <subscription>-->Access control(IAM)-->Microsoft Azure Batch-->Properties.
看起来不错。我正在寻找一种通过 arm / ps（Azure 订阅步骤）将所有这些操作包含在自动化脚本中的方法，但这是另一回事。谢谢！