Referencing an existing resource in a Bicep module


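I'm new to Bicep, so I may be missing something simple here. I have a container registry resource in subscription "sub1" and resource group "rg1". I created a Bicep module as follows: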

@description('Name of the registry.')
param regName string

targetScope = 'subscription'

resource myreg 'Microsoft.ContainerRegistry/registries@2023-01-01' existing = {
  name: regName
  scope: resourceGroup('reg1')
}

output acrResource resource = myreg // NOTE: this is asking me to enable experimental features... which I want to avoid
output acrId string = myreg.id
output acrName string = myreg.name

I'm using this Bicep template as follows:

module myreg 'myreg.bicep'= {
  name: 'myreg'
  params: {
    regName: 'foo'
  }
  scope: subscription('sub1')
}


resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: 'guid-here'
  properties: {
    roleDefinitionId: acrPullRoleDefinitionId
    principalId: 'principa-id-here'
  }
  scope: myreg.outputs.acrResource // this one does not work as I need to enable experimental feature to make the module file error go away
}

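Question: In general, how do I reference an existing resource from a different sub/resource group? I couldn't find an example online either. This should be straightforward, but I'm stuck here. Any ideas on how to get unblocked?

Thanks for your help.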

azure azure-resource-manager azure-bicep azure-container-registry
1 Answer
0
votes

You can reference a resource from a different sub/rg like this (see the documentation):

resource myreg 'Microsoft.ContainerRegistry/registries@2023-01-01' existing = {
  name: regName
  scope: resourceGroup('sub1', 'reg1')
}

For the role assignment, since the scope is the container registry, your module needs to be scoped to that specific resource.

container-registry-role-assignment.bicep

param containerRegistryName string
param principalId string
param roleId string

// Get a reference to the existing container registry
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
  name: containerRegistryName
}

// Create the role assignment
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(containerRegistry.id, roleId, principalId)
  scope: containerRegistry
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
  }
}

Then, from the parent module, you can call it like this:

@description('Name of the registry.')
param regName string

targetScope = 'subscription'

module containerRegistryRbac 'container-registry-role-assignment.bicep' = {
  scope: resourceGroup('sub1', 'reg1') // scope of the sub-deployment
  name: 'name-of-the-deployment'
  params: {
    containerRegistryName: regName
    principalId: 'principa-id-here'
    roleId: '7f951dda-4ed3-4680-a7ca-43fe172d538d' // AcrPull
  }
}
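
A way to check, after deployment, that AcrPull was granted on the registry itself and not on the whole resource group or subscription. This is an added example, not part of the original answer; it assumes role assignments exported as dictionaries with the ARM fields principalId, roleDefinitionId and scope, and the subscription GUID, principal names and second role GUID in the sample are constructed.

```python
import re

ACR_PULL_ROLE_ID = "7f951dda-4ed3-4680-a7ca-43fe172d538d"  # AcrPull, as used in the answer

# /subscriptions/<sub>[/resourceGroups/<rg>[/providers/<namespace>/<type>/<name>]]
_SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<type>[^/]+/[^/]+)/(?P<name>[^/]+))?)?$",
    re.IGNORECASE,
)

def scope_level(scope):
    """Classify an ARM scope as 'subscription', 'resourceGroup', 'registry' or 'other'."""
    m = _SCOPE_RE.match(scope.rstrip("/"))
    if not m:
        return "other"  # management group, root "/", nested child resource, ...
    if m.group("name"):
        is_acr = m.group("type").lower() == "microsoft.containerregistry/registries"
        return "registry" if is_acr else "other"
    return "resourceGroup" if m.group("rg") else "subscription"

def broad_acr_pull(assignments):
    """Return (principalId, level) for AcrPull assignments not scoped to exactly one registry."""
    findings = []
    for a in assignments:
        role_guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        level = scope_level(a["scope"])
        if role_guid == ACR_PULL_ROLE_ID and level != "registry":
            findings.append((a["principalId"], level))
    return findings

# Constructed sample data (placeholder subscription GUID and principal names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE = [
    {"principalId": "principal-a", "roleDefinitionId": ROLE + ACR_PULL_ROLE_ID,
     "scope": SUB + "/resourceGroups/reg1/providers/Microsoft.ContainerRegistry/registries/foo"},
    {"principalId": "principal-b", "roleDefinitionId": ROLE + ACR_PULL_ROLE_ID,
     "scope": SUB + "/resourceGroups/reg1"},
    {"principalId": "principal-c", "roleDefinitionId": ROLE + ACR_PULL_ROLE_ID,
     "scope": SUB},
    {"principalId": "principal-d",  # a different, constructed role GUID: ignored
     "roleDefinitionId": ROLE + "11111111-1111-1111-1111-111111111111", "scope": SUB},
]

if __name__ == "__main__":
    for principal, level in broad_acr_pull(SAMPLE):
        print(f"{principal}: AcrPull granted at {level} scope")
```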