Linking private endpoint connections to an Azure Key Vault using an ARM template

Question (votes: 0, answers: 1)

I have created a key vault in Azure that contains secrets, keys, certificates and two private endpoint connections. I need to create an ARM template for it (for IaC). I exported the template from the Automation tab and parameterised it, but on deployment it fails at "Change private endpoint connection status". I am trying to change the name of the key vault.

I believe I need to link these private endpoints to my key vault, but I am not doing that in the template below, and I am not sure.

The main template looks like this:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "String",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the Azure location where the key vault should be created."
      }
    },
    "enabledForDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
      }
    },
    "enabledForDiskEncryption": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
      }
    },
    "enabledForTemplateDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]",
      "metadata": {
        "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
      }
    },
    "pvtEndpointConnKv": {
      "type": "string"
    },
    "pvtEndpointConnVMSS": {
      "type": "string"
    },
    "accessPolicies": {
      "type": "array",
      "metadata": {
        "description": "List of Key Vault's access policies"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2024-04-01-preview",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "tags": {
        "Created_by": "KeyVaultPOC"
      },
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[parameters('tenantId')]",
        "networkAcls": {
          "bypass": "AzureServices",
          "defaultAction": "Deny",
          "ipRules": [],
          "virtualNetworkRules": []
        },
        "accessPolicies": "[parameters('accessPolicies')]",
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enableRbacAuthorization": false,
        "enablePurgeProtection": true,
        "vaultUri": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/')]",
        "provisioningState": "Succeeded",
        "publicNetworkAccess": "Disabled"
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/privateEndpointConnections",
      "apiVersion": "2024-04-01-preview",
      "name": "[concat(parameters('keyVaultName'),'/',parameters('pvtEndpointConnKv'))]",
      "location": "uksouth",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "provisioningState": "Succeeded",
        "privateEndpoint": {},
        "privateLinkServiceConnectionState": {
          "status": "Approved",
          "actionsRequired": "None"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/privateEndpointConnections",
      "apiVersion": "2024-04-01-preview",
      "name": "[concat(parameters('keyVaultName'),'/',parameters('pvtEndpointConnVMSS'))]",
      "location": "uksouth",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "provisioningState": "Succeeded",
        "privateEndpoint": {},
        "privateLinkServiceConnectionState": {
          "status": "Approved",
          "actionsRequired": "None"
        }
      }
    }
  ]
}
```

PS: the template above does not work.

I am very new to this area and may not know what I am doing. Please help me and share your knowledge.

I tried to deploy this file with the following command:

```bash
az deployment group create \
    --resource-group <resource-group-name> \
    --template-file <path-to-template>.json \
    --parameters <path-to-parameters-file>.json
```

My key vault gets deployed, but when I check the deployment it is in a failed state, with the reason given as:

Operation name - Change private endpoint connection status
Error code - ResourceNotFound
Message - The specified resource does not exist. Please follow this link for more information: https://go.microsoft.com/fwlink/?linkid=2147446

I am trying to create an ARM template that can deploy a copy of an existing key vault. Once it works, I will use the template in a deployment file and deploy it with a parameters file.

Tags: azure-devops deployment azure-keyvault azure-rm-template azure-private-link
1 answer

Answer (votes: 0)


The ARM configuration lacks the correct way of referencing the private endpoint ID to the key vault, which ultimately means it cannot be configured; we need to reference the correct ID of the private endpoint.

When you try to use the ARM template taken from the deployed JSON, its dependencies and references may change, because the approach you are taking now is the reverse.

Demo configuration:

```json
"resources": [
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2023-03-01",
      "name": "[parameters('privateEndpoint1Name')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "subnet": {
          "id": "[parameters('subnetId1')]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "keyVaultPrivateLink1",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
              "groupIds": [
                "vault"
              ],
              "requestMessage": "Requesting connection to Key Vault - Endpoint 1"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/privateEndpoints",
      "apiVersion": "2023-03-01",
      "name": "[parameters('privateEndpoint2Name')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "subnet": {
          "id": "[parameters('subnetId2')]"
        },
        "privateLinkServiceConnections": [
          {
            "name": "keyVaultPrivateLink2",
            "properties": {
              "privateLinkServiceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
              "groupIds": [
                "vault"
              ],
              "requestMessage": "Requesting connection to Key Vault - Endpoint 2"
            }
          }
        ]
      }
    }
  ]
```

In this way you can reference the private endpoints to the key vault. You can set up parameters for secrets and keys in a similar way.

Deployment: [screenshots of the successful deployment omitted]

Reference:

Microsoft.KeyVault/vaults/privateEndpointConnections - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn
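The two posts above describe the same mistake from both sides: the exported template carries Microsoft.KeyVault/vaults/privateEndpointConnections objects (with an empty privateEndpoint reference) that Azure itself creates when a Microsoft.Network/privateEndpoints resource targets the vault, so deploying them directly is a status change on a connection that does not exist yet and fails with ResourceNotFound. The script below is an added example, not code from either post. It flags that pattern in an exported template and rewrites it into the deployable form from the answer: one privateEndpoints resource per connection, with privateLinkServiceId pointing at the vault and groupIds ["vault"]. It assumes the template has keyVaultName and location parameters (as the question's does); the privateEndpointNName and subnetIdN parameters it adds are hypothetical names the caller supplies at deploy time, and the sample template at the bottom is a constructed, trimmed copy of the question's.

```python
import copy
import json

KV_TYPE = "Microsoft.KeyVault/vaults"
PEC_TYPE = "Microsoft.KeyVault/vaults/privateEndpointConnections"
PE_TYPE = "Microsoft.Network/privateEndpoints"
PE_API = "2023-03-01"  # apiVersion used in the answer above
# Server-reported state that "Export template" copies in; stripping it is cleanup only.
EXPORTED_STATE = {"provisioningState", "vaultUri"}


def find_issues(template: dict) -> list[str]:
    """Explain why an exported Key Vault template will not deploy as-is."""
    issues = []
    for res in template.get("resources", []):
        rtype, name = res.get("type"), res.get("name")
        props = res.get("properties", {})
        for key in sorted(EXPORTED_STATE & props.keys()):
            issues.append(f"{rtype} {name}: exported state property '{key}'")
        if rtype == PEC_TYPE:
            # Azure creates the connection object when a private endpoint targets the
            # vault; a PUT on a connection that does not exist yet is ResourceNotFound.
            issues.append(f"{rtype} {name}: replace with a {PE_TYPE} resource")
    return issues


def private_endpoint(index: int, vault_param: str) -> dict:
    """Deployable private endpoint #index targeting the vault's 'vault' sub-resource."""
    vault_id = f"[resourceId('{KV_TYPE}', parameters('{vault_param}'))]"
    return {
        "type": PE_TYPE,
        "apiVersion": PE_API,
        "name": f"[parameters('privateEndpoint{index}Name')]",  # hypothetical parameter
        "location": "[parameters('location')]",
        "dependsOn": [vault_id],  # the vault must exist before the link is requested
        "properties": {
            "subnet": {"id": f"[parameters('subnetId{index}')]"},  # hypothetical parameter
            "privateLinkServiceConnections": [{
                "name": f"keyVaultPrivateLink{index}",
                "properties": {"privateLinkServiceId": vault_id, "groupIds": ["vault"]},
            }],
        },
    }


def fix_template(template: dict, vault_param: str = "keyVaultName") -> dict:
    """Return a copy with connections swapped for private endpoints and state stripped."""
    fixed = copy.deepcopy(template)
    params = fixed.setdefault("parameters", {})
    resources, n = [], 0
    for res in fixed.get("resources", []):
        if res.get("type") == PEC_TYPE:
            n += 1
            params[f"privateEndpoint{n}Name"] = {"type": "string"}
            params[f"subnetId{n}"] = {"type": "string"}
            resources.append(private_endpoint(n, vault_param))
            continue
        for key in EXPORTED_STATE:
            res.get("properties", {}).pop(key, None)
        resources.append(res)
    fixed["resources"] = resources
    # Drop parameters nothing references any more (e.g. the old connection names).
    body = json.dumps(resources)
    fixed["parameters"] = {k: v for k, v in params.items() if f"parameters('{k}')" in body}
    return fixed


# Constructed sample: a trimmed version of the exported template in the question.
EXPORTED = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyVaultName": {"type": "string"},
        "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
        "pvtEndpointConnKv": {"type": "string"},
        "pvtEndpointConnVMSS": {"type": "string"},
    },
    "resources": [{
        "type": KV_TYPE, "apiVersion": "2024-04-01-preview",
        "name": "[parameters('keyVaultName')]", "location": "[parameters('location')]",
        "properties": {
            "publicNetworkAccess": "Disabled",
            "vaultUri": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/')]",
            "provisioningState": "Succeeded",
        },
    }] + [{
        "type": PEC_TYPE, "apiVersion": "2024-04-01-preview",
        "name": f"[concat(parameters('keyVaultName'), '/', parameters('{p}'))]",
        "dependsOn": [f"[resourceId('{KV_TYPE}', parameters('keyVaultName'))]"],
        "properties": {"provisioningState": "Succeeded", "privateEndpoint": {},
                       "privateLinkServiceConnectionState": {"status": "Approved"}},
    } for p in ("pvtEndpointConnKv", "pvtEndpointConnVMSS")],
}

if __name__ == "__main__":
    print("\n".join(find_issues(EXPORTED)))
    print(json.dumps(fix_template(EXPORTED), indent=2))
```

Run it against the exported JSON, then feed the rewritten template to `az deployment group create` together with a parameters file that supplies the subnet resource IDs and endpoint names. The rewrite deliberately does not carry over `privateLinkServiceConnectionState: Approved` from the export: with `privateLinkServiceConnections` (rather than `manualPrivateLinkServiceConnections`) the connection is auto-approved when the deploying identity has rights on the vault, and a private DNS zone group for privatelink.vaultcore.azure.net still has to be added separately for name resolution.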
