Deploying Key Vault with a private endpoint gives an error - updating the name of an existing NIC is not allowed

Problem description   Votes: 0   Answers: 1

I am trying to create an ARM template for an existing Key Vault. This Key Vault is also associated with a private endpoint. When I try to deploy to the same Key Vault again, ideally it should not give any error, but in my case I get an error like the following:

 "code": "NameOfExistingPrivateEndpointNicCannotBeChanged",
 "message": "Private Endpoint /subscriptions/<subid>/resourceGroups/<resource-group>/providers/Microsoft.Network/privateEndpoints/test-kv-ep contains existing NIC name test-kv-ep-nic which does not match request's custom network interface name . Updating the name of existing nic not allowed."

Although I am not trying to update the NIC name anywhere in the template.

Below is the ARM template I am using:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "String",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the Azure location where the key vault should be created."
      }
    },
    "enabledForDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
      }
    },
    "enabledForDiskEncryption": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
      }
    },
    "enabledForTemplateDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]",
      "metadata": {
        "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
      }
    },
    "pvtEndpointConnKv": {
      "type": "string"
    },
    "pvtEndpointConnVMSS": {
      "type": "string"
    },
    "subnetId1": {
      "type": "string"
    },
    "subnetId2": {
      "type": "string"
    },
    "privateLinkServiceConnectionName1": {
      "type": "string"
    },
    "privateLinkServiceConnectionName2": {
      "type": "string"
    },
    "deployPrivateEndpoint": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Set to true to deploy the private endpoint."
      }
    },
    "accessPolicies": {
      "type": "array",
      "metadata": {
        "description": "List of Key Vault's access policies"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2024-04-01-preview",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[parameters('tenantId')]",
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Deny",
          "ipRules": [],
          "virtualNetworkRules": []
        },
        "accessPolicies": "[parameters('accessPolicies')]",
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enableRbacAuthorization": false,
        "enablePurgeProtection": true,
        "vaultUri": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/')]",
        "provisioningState": "Succeeded",
        "publicNetworkAccess": "Disabled"
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2024-01-01",
      "name": "[parameters('pvtEndpointConnKv')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "subnet": {
          "id": "[parameters('subnetId1')]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "[parameters('privateLinkServiceConnectionName1')]",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
              "groupIds": ["vault"],
              "requestMessage": ""
            }
          }
        ]
      }
    }
  ]
}

I am trying to deploy a Key Vault that has a private endpoint. I get an error about updating the NIC name, but I am not trying to change it through the ARM template. How can I deploy this Key Vault with a private endpoint?

azure-devops azure-resource-manager azure-keyvault endpoint armtemplates
1 answer

0 votes

Based on the error description, my understanding is that you created a Key Vault and a private endpoint. Somehow you are trying to redeploy the Key Vault and private endpoint configuration.

Before doing this, note that if you redeploy the private endpoint it is treated as a new deployment because you are using the same ARM configuration, and once a resource has been created, Azure does not allow certain properties, such as the NIC name, to be modified.

ARM deployment:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Key Vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for resources."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]",
      "metadata": {
        "description": "Azure AD tenant ID for the Key Vault."
      }
    },
    "accessPolicies": {
      "type": "array",
      "defaultValue": [],
      "metadata": {
        "description": "Access policies for the Key Vault."
      }
    },
    "subnetId": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of the subnet for the private endpoint."
      }
    },
    "privateEndpointName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Private Endpoint."
      }
    },
    "privateLinkServiceConnectionName": {
      "type": "string",
      "metadata": {
        "description": "Name of the private link service connection."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-07-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "tenantId": "[parameters('tenantId')]",
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Deny",
          "ipRules": [],
          "virtualNetworkRules": []
        },
        "accessPolicies": "[parameters('accessPolicies')]",
        "enabledForDeployment": false,
        "enabledForTemplateDeployment": false,
        "enabledForDiskEncryption": false,
        "publicNetworkAccess": "Disabled"
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2021-08-01",
      "name": "[parameters('privateEndpointName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "subnet": {
          "id": "[parameters('subnetId')]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "[parameters('privateLinkServiceConnectionName')]",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
              "groupIds": [
                "vault"
              ],
              "requestMessage": "Please approve this connection for the Key Vault."
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/privateDnsZones",
      "apiVersion": "2024-06-01",
      "name": "privatelink.vaultcore.azure.net",
      "location": "global",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
      "apiVersion": "2024-06-01",
      "name": "[concat('privatelink.vaultcore.azure.net/', parameters('privateEndpointName'), '-vnet-link')]",
      "location": "global",
      "dependsOn": [
        "[resourceId('Microsoft.Network/privateDnsZones', 'privatelink.vaultcore.azure.net')]",
        "[resourceId('Microsoft.Network/privateEndpoints', parameters('privateEndpointName'))]"
      ],
      "properties": {
        "virtualNetwork": {
          "id": "[substring(parameters('subnetId'), 0, indexOf(parameters('subnetId'), '/subnets'))]"
        },
        "registrationEnabled": false
      }
    }
  ]
}


Deployment:

az deployment group create --name DeployKeyVaultWithPrivateEndpoint --resource-group vinay-rg --template-file main.json --parameters keyVaultName=testsasamk privateEndpointName=testsample privateLinkServiceConnectionName=tesatsample subnetId=/subscriptions/SubID/resourceGroups/vksb-rg/providers/Microsoft.Network/virtualNetworks/testsamplevnet/subnets/default tenantId=tenantId


References:

Integrate Key Vault with Azure Private Link | Microsoft Learn

Microsoft.KeyVault/vaults - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn
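The error in the question says the existing NIC name (test-kv-ep-nic) does not match the request's custom network interface name, which is empty because the template never sets customNetworkInterfaceName. The following pre-deployment check is an added example, not code from the question or the answer: it compares the existing endpoint's NIC name with what the template would send and pins the template to the existing name so the redeploy is idempotent. The existing-endpoint JSON and the cut-down template are constructed inline (shaped like `az network private-endpoint show` output) rather than fetched from Azure.

```python
import copy
import json

PE_TYPE = "Microsoft.Network/privateEndpoints"

# Constructed sample of the endpoint from the question: the NIC was created as
# "<endpoint>-nic" and is recorded as the endpoint's custom NIC name.
EXISTING_ENDPOINT = json.loads("""{
  "name": "test-kv-ep",
  "customNetworkInterfaceName": "test-kv-ep-nic",
  "networkInterfaces": [{"id": "/subscriptions/<subid>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/test-kv-ep-nic"}]
}""")

# Minimal cut of the question's template: customNetworkInterfaceName is omitted,
# so the request carries an empty custom NIC name.
TEMPLATE = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "[parameters('keyVaultName')]"},
    {"type": PE_TYPE, "name": "[parameters('pvtEndpointConnKv')]",
     "properties": {"subnet": {"id": "[parameters('subnetId1')]"}}},
]}

def existing_nic_name(endpoint: dict) -> str:
    """Custom NIC name already bound to the endpoint; '' if it was auto-named."""
    return endpoint.get("customNetworkInterfaceName") or ""

def requested_nic_name(resource: dict) -> str:
    """customNetworkInterfaceName the template sends; '' when the property is omitted."""
    return resource.get("properties", {}).get("customNetworkInterfaceName") or ""

def find_nic_mismatches(template: dict, existing: dict) -> list:
    """Endpoint resources whose requested NIC name differs from the deployed one
    (these would fail with NameOfExistingPrivateEndpointNicCannotBeChanged)."""
    want = existing_nic_name(existing)
    return [r["name"] for r in template["resources"]
            if r["type"] == PE_TYPE and requested_nic_name(r) != want]

def pin_nic_name(template: dict, existing: dict) -> dict:
    """Copy of the template with customNetworkInterfaceName set to the existing
    NIC name; an auto-named endpoint (no custom name) is left unpinned."""
    fixed = copy.deepcopy(template)
    want = existing_nic_name(existing)
    for r in fixed["resources"]:
        if r["type"] == PE_TYPE:
            props = r.setdefault("properties", {})
            if want:
                props["customNetworkInterfaceName"] = want
            else:
                props.pop("customNetworkInterfaceName", None)
    return fixed

if __name__ == "__main__":
    print("mismatches:", find_nic_mismatches(TEMPLATE, EXISTING_ENDPOINT))
    print("after pin:", find_nic_mismatches(pin_nic_name(TEMPLATE, EXISTING_ENDPOINT), EXISTING_ENDPOINT))
```

Running `az deployment group what-if` with the pinned template before the real deployment is the cheapest way to confirm the endpoint shows no property change.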