我有一个二头肌模板,其中在参数数组中定义了许多资源,一个用于存储帐户,另一个用于函数应用程序等。然后,它调用特定于资源的模块,循环访问该特定资源的数组并创建资源。
我现在需要使用函数应用程序中的主体 ID 对存储帐户进行一些角色分配。我正在尝试将函数应用程序主体 ID 列表传递给角色分配模块,但无论我尝试什么,我都会遇到问题。
这是我目前拥有的。我试图将函数应用程序主 id 的输出数组传递给 storageRbac 模块,并使用 storageRbac 模块内的索引器引用 id,但这不起作用。如果我尝试引用输出 funcAppsPrincId 我收到错误“在此上下文中不存在”。
main.bicepparam storageAccounts array = [
// Output Index 0
{
name: 'staccount01'
sku: {
name: 'Standard_LRS'
tier: 'Standard'
}
...
}
// Output Index 1
{
name: 'staccount02'
sku: {
name: 'Standard_LRS'
tier: 'Standard'
}
...
}]
param funcApps array = [
// Index 0
{
name: 'funcApp01'
kind: 'functionapp,linux'
...
}
// Index 1
{
name: 'funcApp02'
kind: 'functionapp,linux'
...
}]
module deployStorageAccount 'storageAccount.bicep' = [for storageAccount in storageAccounts: {
scope: resourceGroup(rlrFeRg)
name: storageAccount.name
params: {
...
}
}]
module deployFuncApps 'functionApp.bicep' = [for funcApp in funcApps: {
scope: resourceGroup(rlrFeRg)
name: funcApp.name
params: {
...
}
dependsOn: [
deployStorageAccount
]
}]
output funcAppsPrincId array = [for (funcApp, i) in funcApps: [
deployFuncApps[i].outputs.funcAppPrincipalId
]]
module storageRoleAssignment 'storageRbac.bicep' = {
name: 'storageAccountRbac'
params: {
rlrAdGroup: rlrAdGroup
storageAccounts: storageAccounts
funcAppsPrincipalIds: funcAppsPrincId
}
dependsOn: [
deployStorageAccount
deployFuncApps
]
}
functionApp.bicepoutput funcAppPrincipalId string = functionApp.identity.principalId
storageRbac.bicepparam devsAdGroup string
param storageAccounts array
param funcAppsPrincipalIds array
var storageRoleAssignments = [
{
storageAccountName: storageAccounts[0].name
principalId: funcAppsPrincipalIds[0]
roleDefinition: 'Storage Blob Data Contributor'
principalType: 'ServicePrincipal'
}
{
storageAccountName: storageAccounts[0].name
principalId: funcAppsPrincipalIds[1]
roleDefinition: 'Storage Table Data Contributor'
principalType: 'ServicePrincipal'
}
{
storageAccountName: storageAccounts[1].name
principalId: devsAdGroup
roleDefinition: 'Storage Blob Data Contributor'
principalType: 'Group'
}
{
storageAccountName: storageAccounts[1].name
principalId: devsAdGroup
roleDefinition: 'Storage Table Data Contributor'
principalType: 'Group'
}
]
module storageRoleAssignment 'rbacStorageAccount.bicep' = [for storageRoleAssignment in storageRoleAssignments: {
name: 'rbac-${storageRoleAssignment.storageAccountName}'
params: {
storageAccountName: storageRoleAssignment.storageAccountName
principalId: storageRoleAssignment.principalId
roleDefinition: storageRoleAssignment.roleDefinition
principalType: storageRoleAssignment.principalType
}
}]
我可以将每个单独的主体 id 作为参数传递,如下所示,但理想情况下我希望将整个数组传递到 storageRbac 模块并在那里使用索引器。有什么办法可以达到这个目的吗?
main.bicepmodule storageRoleAssignment 'storageRbac.bicep' = {
name: 'storageAccountRbac'
params: {
rlrAdGroup: rlrAdGroup
storageAccounts: storageAccounts
funcAppsPrincipalId1: deployFuncApps[0].outputs.funcAppPrincipalId
funcAppsPrincipalId2: deployFuncApps[1].outputs.funcAppPrincipalId
}
dependsOn: [
deployStorageAccount
deployFuncApps
]
}
您可以使用中间模块来部署您的功能:
functionApps.bicepparam funcApps array = []
module deployFuncApps 'functionApp.bicep' = [
for funcApp in funcApps: {
scope: resourceGroup()
name: funcApp.name
params: {
functionAppName: funcApp.name
}
}
]
output funcAppsPrincIds array = [
for (funcApp, i) in funcApps: [
deployFuncApps[i].outputs.funcAppPrincipalId
]
]
因此,从您的
main.bicepmodule deployFuncApps 'functionApps.bicep' = {
scope: resourceGroup()
name: 'deploy-function-apps'
params: {
funcApps: funcApps
}
dependsOn: [
deployStorageAccount
]
}
module storageRoleAssignment 'storageRbac.bicep' = {
name: 'storageAccountRbac'
params: {
...
funcAppsPrincipalIds: deployFuncApps.outputs.funcAppsPrincIds
}
dependsOn: [
deployStorageAccount
deployFuncApps
]
}