【Question title】: Getting error trying to use Custom Cert with Azure Bicep
【Posted】: 2021-12-29 19:54:06
【Question description】:

Here is my demo sandbox code for how I deploy with Bicep. I am using a custom certificate for this.

param profileName string = 'testresearchcdn'

@allowed([
  'Standard_Verizon'
  'Premium_Verizon'
  'Custom_Verizon'
  'Standard_Akamai'
  'Standard_ChinaCdn'
  'Standard_Microsoft'
  'Premium_ChinaCdn'
  'Standard_AzureFrontDoor'
  'Premium_AzureFrontDoor'
  'Standard_955BandWidth_ChinaCdn'
  'Standard_AvgBandWidth_ChinaCdn'
  'StandardPlus_ChinaCdn'
  'StandardPlus_955BandWidth_ChinaCdn'
  'StandardPlus_AvgBandWidth_ChinaCdn'
])
param sku string = 'Standard_Microsoft'


param endpointName string = 'testresearchcdn'

@description('Whether the HTTP traffic is allowed.')
param isHttpAllowed bool = true

@description('Whether the HTTPS traffic is allowed.')
param isHttpsAllowed bool = true

@description('Query string caching behavior.')
@allowed([
  'IgnoreQueryString'
  'BypassCaching'
  'UseQueryString'
])
param queryStringCachingBehavior string = 'IgnoreQueryString'

@description('Content type that is compressed.')
param contentTypesToCompress array = [
  'text/plain'
  'text/html'
  'text/css'
  'application/x-javascript'
  'text/javascript'
]

@description('Whether the compression is enabled')
param isCompressionEnabled bool = true



@description('Location for all resources.')
param location string = 'global'

resource testresearchcdn 'Microsoft.Cdn/profiles@2020-09-01' = {
  name: profileName
  location: location
  properties: {}
  sku: {
    name: sku
  }
}

resource Microsoft_Cdn_profiles_endpoints_testresearchcdn 'Microsoft.Cdn/profiles/endpoints@2020-09-01' = {
  name: endpointName
  parent: testresearchcdn
  location: location
  properties: {
    originHostHeader: 'testresearchcdn.blob.core.windows.net'
    isHttpAllowed: isHttpAllowed
    isHttpsAllowed: isHttpsAllowed
    queryStringCachingBehavior: queryStringCachingBehavior
    contentTypesToCompress: contentTypesToCompress
    isCompressionEnabled: isCompressionEnabled
    origins: [
      {
        name: 'testresearchcdn-blob-core-windows-net'
        properties: {
          hostName: 'testresearchcdn.blob.core.windows.net'
        }
      }
    ]
  }
  
}

resource test_researchcdn_example_com 'Microsoft.Cdn/profiles/endpoints/customDomains@2016-04-02' = {
  name: 'test-researchcdn-example-com'
  parent: Microsoft_Cdn_profiles_endpoints_testresearchcdn
  properties: {
    hostName: 'test-researchcdn.example.com'
  }
  
}

resource example_wildcard_2019 'Microsoft.Cdn/profiles/secrets@2020-09-01' = {
  name: 'DDKeyVault1'
  parent: testresearchcdn
  properties: {
    parameters: {
      type: 'CustomerCertificate'
      certificateAuthority: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
      secretSource: {
        id: 'https://DDkeyvault1.vault.azure.net/certificates/example-wildcard-2019/xxxxxxxxxxxxxxxxxxxxx'
      }
      secretVersion: ''
      subjectAlternativeNames: [
        '*.example.com'
        'example.com'
      ]
      useLatestVersion: false
    }
  }
  dependsOn: [
    test_researchcdn_example_com
  ]
  
}
     

Here is my error:

"code": "BadRequest", "message": "SecretSource id 无效。"

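I have used the certificate identifier, the secret identifier, and the kvID where the secret is located for SecretSource, but I get the same error. What am I missing?

【Question discussion】:

    Tags: azure-application-gateway azure-bicep


    【Solution 1】: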

    You have defined the Secret SourceId in the wrong way. In an ARM template, we can't specify the id as https:///certificates/certificateName; it has to be specified as /subscriptions/<SubscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<KeyvaultName>/certificates/<CertificateName>

    So in your code, instead of the below:

    secretSource: {
      id: 'https://DDkeyvault1.vault.azure.net/certificates/example-wildcard-2019/xxxxxxxxxxxxxxxxxxxxx'
    }
    

    you have to use this:

    secretSource: {
      id: '/subscriptions/<YOUR-SUBSCRIPTION-ID>/resourceGroups/<YOUR-KEYVAULT-RESOURCE-GROUP-NAME>/providers/Microsoft.KeyVault/vaults/DDkeyvault1/certificates/example-wildcard-2019/xxxxxxxxxxxxxxxxxxxxx'
    }
    

    Note: Before running the above, please make sure that you Grant Azure CDN access to your key vault

    【Discussion】:

    • Thanks, but this is what I get: { "status": "Failed", "error": { "code": "BadRequest", "message": "此操作不允许轮廓。" } }
    • @Abkade, for this error you can go through this Link
    • Yes, this is what I get: { "status": "Failed", "error": { "code": "BadRequest", "message": "此操作不允许轮廓。" } }
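
A pre-deployment check for the fix described in Solution 1, as an added example that is not part of the original thread: it scans Bicep text for `secretSource` ids and rewrites Key Vault identifier URLs into the ARM resource ID form the answer gives. The function names, the regex limits and the `VERSION-PLACEHOLDER` value are assumptions of this example.

```python
import re

# Key Vault identifier URL: https://<vault>.vault.azure.net/certificates/<name>/<version>
KV_URL = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]{3,24})\.vault\.azure\.net"
    r"/(?P<kind>certificates|secrets)/(?P<name>[A-Za-z0-9-]+)(?:/(?P<version>[^/]+))?/?$"
)
# ARM resource ID shape given in the answer (version segment optional).
ARM_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault"
    r"/vaults/[^/]+/(certificates|secrets)/[^/]+(/[^/]+)?$",
    re.IGNORECASE,
)
# Matches secretSource: { id: '...' } as written in the question's template.
SECRET_SOURCE = re.compile(r"secretSource:\s*\{\s*id:\s*'([^']*)'")

def to_arm_id(kv_url, subscription_id, resource_group):
    """Rewrite a Key Vault identifier URL into the ARM resource ID form."""
    m = KV_URL.match(kv_url)
    if not m:
        raise ValueError(f"not a Key Vault identifier URL: {kv_url!r}")
    arm = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.KeyVault/vaults/{m['vault']}/{m['kind']}/{m['name']}")
    return f"{arm}/{m['version']}" if m["version"] else arm

def lint_bicep(text, subscription_id, resource_group):
    """Return (bad_id, suggested_id) for each secretSource id not in ARM form."""
    findings = []
    for value in SECRET_SOURCE.findall(text):
        if ARM_ID.match(value):
            continue  # already a resource ID, nothing to report
        try:
            fix = to_arm_id(value, subscription_id, resource_group)
        except ValueError:
            fix = None  # neither form: needs manual review
        findings.append((value, fix))
    return findings

# Constructed sample: the secretSource block from the question, placeholder version.
SAMPLE = """
      secretSource: {
        id: 'https://DDkeyvault1.vault.azure.net/certificates/example-wildcard-2019/VERSION-PLACEHOLDER'
      }
"""

if __name__ == "__main__":
    for bad, fix in lint_bicep(SAMPLE, "<YOUR-SUBSCRIPTION-ID>", "<YOUR-KEYVAULT-RESOURCE-GROUP-NAME>"):
        print(f"invalid secretSource id: {bad}\n  suggested: {fix}")
```

The check only validates the shape of the id; the Key Vault access grant mentioned in the note above still has to be in place before deployment.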